RE: Email server+network architecture

From: Burton M. Strauss III (BStrauss@acm.org)
Date: 01/16/03

    From: "Burton M. Strauss III" <BStrauss@acm.org>
    To: <security-basics@securityfocus.com>
    Date: Wed, 15 Jan 2003 18:40:14 -0600
    
    

    Thoughts ...

    There doesn't have to be ONE DMZ. You can create as many DMZes as you want,
    provided you have sufficient external IP addresses and put the right
    firewalls in place.

    Or, you can create a split architecture - use one mail server, exposed in
    the DMZ to deliver all inbound mail to a work directory and use a daemon to
    filter those messages, injecting permitted in-bound mail into a second
    "internal" mail server.

    You can use a mail server - any of the *nix ones can do things like this -
    which implement filters to control access. If you have an LDAP (or AD)
    directory, it's just a property in the directory that ids who is allowed to
    send mail.

    Set the mail server to dump anything incoming that's not to an authorized
    user (whether you bounce or bit bucket it is your own choice).

    You can create your own DNS server for setting up whitelists/blacklists -
    model it after one of the anti-spam lists.

    Doing something like this means that you have only ONE email server visible
    to users, so only one account...

    -----Burton

    -----Original Message-----
    From: dataclaus1@hushmail.com [mailto:dataclaus1@hushmail.com]
    Sent: Monday, January 13, 2003 1:49 PM
    To: security-basics@securityfocus.com
    Subject: Email server+network architecture

    Fellow list folk:

    Situation: My company is very restrictive on internet and email use. Only
    select users are allowed external use, and fewer still have unrestricted net
    access. Communications (email) with 'customer data' are not permitted
    outside the corporate perimeter, including the DMZ. We do not wish to have
    all of our users able to pop3/smtp outside our corporate perimeter, even to
    the DMZ. We want an email schema as listed below:

    Inside<->Inside: all users
    Inside<->Outside: Only those designated by management

    Currently external mail is hosted by our ISP but saving that money would be
    nice.

    Thinking about a topology-based solution presents the following:

    I can set up a 'corporate' mail server Inside (and no external
    linkage) without much trouble. But then the external-permitted people have
    to manage two accounts, one for inside and one for external mail (since
    those having external mail are some of the least computer savvy, this is not
    the best answer).

    Research indicates that putting a mail server Inside and then configuring a
    conduit through our firewall is the least preferable option, as compromise
    would allow Inside access.

    We don't want to place the server in the DMZ because then we'd have to
    permit smtp/POP3 to all users outside, and this does not meet the 'no
    customer data Outside' criteria.

    It seems I'm between a rock and a hard place. Have I missed something?
    Encryption may be an option, but is not implemented currently and we would
    still require a policy change (read slow Board proposal/approval process)
    before this would be a solution for a DMZ mail server.

    Any suggestions as to a topology or other creative solution that would work
    would be greatly appreciated.

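The split architecture Burton sketches (DMZ mail server drops inbound mail into a work directory, a daemon checks each recipient against a directory attribute and injects only permitted mail into the internal server) as an added worked example; this is not code from the thread, and the spool path, internal relay host and the allow-list standing in for the LDAP/AD attribute are assumptions:

```python
"""Filter daemon for the split architecture above (added example, not from
the thread): the DMZ MTA drops each inbound message as a file in WORK_DIR;
permitted recipients are relayed to the internal MTA, the rest discarded."""
import email
import os
import smtplib
from email.utils import getaddresses

WORK_DIR = "/var/spool/dmzfilter"                  # assumed spool path
INTERNAL_MTA = ("internal-mail.example.com", 25)   # assumed internal relay
# Constructed stand-in for the LDAP/AD attribute "may receive external mail".
ALLOWED_EXTERNAL = {"alice@example.com", "bob@example.com"}

def header_recipients(msg):
    """Lower-cased addresses from To/Cc (Bcc is gone by delivery time)."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def split_recipients(raw_bytes, allowed=ALLOWED_EXTERNAL):
    """Return (permitted, dropped) recipient sets for one raw message."""
    rcpts = header_recipients(email.message_from_bytes(raw_bytes))
    permitted = {r for r in rcpts if r in allowed}
    return permitted, rcpts - permitted

def relay_internal(raw_bytes, permitted, host=INTERNAL_MTA):
    """Inject the message into the internal MTA for permitted users only."""
    senders = getaddresses(email.message_from_bytes(raw_bytes).get_all("From", []))
    envelope_from = senders[0][1] if senders else ""
    with smtplib.SMTP(*host) as smtp:
        smtp.sendmail(envelope_from, sorted(permitted), raw_bytes)

def process_work_dir(work_dir=WORK_DIR, allowed=ALLOWED_EXTERNAL, relay=relay_internal):
    """One pass over the spool; returns (relayed, dropped) file counts."""
    relayed = dropped = 0
    for name in sorted(os.listdir(work_dir)):
        path = os.path.join(work_dir, name)
        with open(path, "rb") as fh:
            raw = fh.read()
        permitted, _ = split_recipients(raw, allowed)
        if permitted:
            relay(raw, permitted)
            relayed += 1
        else:
            dropped += 1        # bit-bucket choice: no bounce, so no backscatter
        os.remove(path)         # never leave processed mail in the DMZ spool
    return relayed, dropped
```

In production the envelope recipient handed over by the DMZ MTA, not the To/Cc headers, should drive the decision, since header recipients are attacker-controlled; the header check is shown here because it needs no MTA-specific hook.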


