RE: Email and DMZs (iptables)?

From: John Walker (john@jsw4.net)
Date: 09/08/01


Message-ID: <E1A7D4B021C4D21196C000201828BA641F81C6@ATSU>
From: John Walker <john@jsw4.net>
To: 'Brian Cervenka' <brian@zerobelow.org>, "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: RE: Email and DMZs (iptables)?
Date: Fri, 7 Sep 2001 18:53:22 -0400 


> -----Original Message-----
> From: Brian Cervenka [mailto:brian@zerobelow.org]
> Sent: Friday, September 07, 2001 4:35 PM
> To: focus-linux@securityfocus.com
> Subject: Re: Email and DMZs (iptables)?
>
>
> > 2. Server inside _FETCHES_ emails from server outside DMZ.
>
> This would be wonderful to implement. Short of using something like
> fetchmail or whatever, and running a pop server in the server outside,
> how do you implement this?
>
> I guess you could also use uucp? (haven't used that, but it looks like
> it can do that).

Disclaimer: I haven't done this in a while. If I have missed something, I'm
sure someone will point it out.

Take a look at the SMTP command "ETRN" (RFC 1985).

Basically the inside server (which can never be reached) is the primary MX,
but mail always gets delivered from the outside world to the second priority
MX, which is the server in the DMZ.

The inside SMTP server periodically sends an ETRN to the DMZ SMTP server to
process the queue. Since the DMZ server can't do anything with the mail, it
just holds it until the inside server says "hello, I'll take that now."
(ETRN)

(... it can't do anything with the mail because, among other reasons, there
are few or no accounts on that box, right? ;) ...)

Set up the inside server to relay OUT over the DMZ server.

All inside clients get POP3 and SMTP from inside server. (Actually you can
do an Exchange server relatively safely here...)

John Walker
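The layout John describes, walked through as an added example (this is not code from the original post or from any MTA; the host names, addresses and the toy MTA class are made up for illustration): the inside host is the preference-10 MX but unreachable from the Internet, so senders fall through to the preference-20 DMZ host, which has no mailboxes and can only queue. The inside host then issues `ETRN @example.com` and the DMZ host starts a queue run toward the primary MX, answering with the RFC 1985 reply codes (250/251/253 for success, 459 for a node or client it refuses, 501 for a bad argument). The model also restricts both ETRN and outbound relaying to the inside host, which is the check a practitioner wants on a DMZ relay.

```python
"""Toy model of the ETRN (RFC 1985) DMZ mail layout: a DMZ MTA that only
queues, and an inside MTA that pulls the queue with ETRN.  Added example,
not code from the original post; host names and addresses are made up."""
import re
from collections import defaultdict

# Constructed MX data (assumed, not from the post): the inside host is
# primary MX but unreachable from the Internet, so Internet senders fall
# through to the DMZ host.
MX_RECORDS = {
    "example.com": [(10, "mail-inside.example.com"),
                    (20, "mail-dmz.example.com")],
}
INSIDE_HOST = "mail-inside.example.com"
DMZ_HOST = "mail-dmz.example.com"


def pick_mx(domain, reachable):
    """Lowest-preference MX that the connecting side can actually reach
    (an Internet sender cannot reach the inside host; the DMZ host can)."""
    for _pref, host in sorted(MX_RECORDS.get(domain, [])):
        if host in reachable:
            return host
    return None


class DmzMta:
    """The DMZ SMTP server: no mailboxes, so mail for its domains only ever
    sits in a queue until the inside server asks for it with ETRN."""

    def __init__(self, domains, etrn_clients):
        self.domains = set(domains)            # domains we are secondary MX for
        self.etrn_clients = set(etrn_clients)  # hosts allowed to ETRN / relay out
        self.queue = defaultdict(list)         # domain -> [(rcpt, body)]
        self.handed_off = []                   # (rcpt, body, next_hop)

    def rcpt_from_internet(self, rcpt, body):
        """Inbound from the Internet: accept only for our own domains."""
        domain = rcpt.rsplit("@", 1)[1].lower()
        if domain not in self.domains:
            return "554 5.7.1 Relay access denied"
        self.queue[domain].append((rcpt, body))
        return "250 2.1.5 Ok"

    def rcpt_from_inside(self, client, rcpt):
        """Outbound relay: only the inside server may send to anywhere."""
        if client not in self.etrn_clients:
            return "554 5.7.1 Relay access denied"
        return "250 2.1.5 Ok"

    def etrn(self, client, arg):
        """'ETRN node' or 'ETRN @domain', answered with RFC 1985 codes."""
        if client not in self.etrn_clients:
            return "459 Node not allowed: ETRN refused from %s" % client
        m = re.fullmatch(r"(@?)([A-Za-z0-9.-]+)", arg or "")
        if not m:
            return "501 Syntax Error in Parameters"
        at_form, node = m.group(1) == "@", m.group(2).lower()
        if node not in self.domains:
            return "459 Node %s not allowed" % node
        # '@domain' covers the domain and its sub-domains; bare form is exact.
        hits = [d for d in list(self.queue)
                if d == node or (at_form and d.endswith("." + node))]
        pending = sum(len(self.queue[d]) for d in hits)
        if pending == 0:
            return "251 OK, no messages waiting for node %s" % node
        # A real MTA starts a queue run here; the run connects to the primary
        # MX, which the DMZ host (unlike the Internet) is allowed to reach.
        for d in hits:
            next_hop = pick_mx(d, reachable={INSIDE_HOST, DMZ_HOST})
            for rcpt, body in self.queue.pop(d):
                self.handed_off.append((rcpt, body, next_hop))
        if at_form:
            return "253 OK, %d pending messages for node %s started" % (pending, node)
        return "250 OK, queue processing started"


def demo():
    """Walk the exchange: Internet -> DMZ queue, inside pulls with ETRN."""
    dmz = DmzMta(domains=["example.com"], etrn_clients=[INSIDE_HOST])
    log = []
    # 1. An Internet sender resolves MX: only the DMZ host is reachable.
    log.append(pick_mx("example.com", reachable={DMZ_HOST}))
    # 2. It delivers; the DMZ box has no accounts, so the mail just queues.
    log.append(dmz.rcpt_from_internet("alice@example.com", "hi alice"))
    log.append(dmz.rcpt_from_internet("bob@example.com", "hi bob"))
    log.append(dmz.rcpt_from_internet("x@other.test", "not ours"))
    # 3. A random outside host tries ETRN: refused.
    log.append(dmz.etrn("evil.test", "example.com"))
    # 4. The inside server's periodic ETRN starts the queue run.
    log.append(dmz.etrn(INSIDE_HOST, "@example.com"))
    log.append(dmz.etrn(INSIDE_HOST, "@example.com"))   # nothing left now
    # 5. Outbound: inside relays through the DMZ; an outsider cannot.
    log.append(dmz.rcpt_from_inside(INSIDE_HOST, "friend@other.test"))
    log.append(dmz.rcpt_from_inside("evil.test", "victim@other.test"))
    return log, dmz.handed_off


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

In a real deployment the two restrictions modelled above (who may ETRN, who may relay out) are MTA configuration, not code, and the firewall should only pass TCP/25 between the inside host and the DMZ host in both directions, so that the inside server's queue pull and its outbound relay are the sole SMTP paths across the DMZ boundary.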


