From: Brian Keefer
To: freebsd-security@freebsd.org
Subject: Re: Mail Server in the DMZ question
Date: 17 May 2004 22:57:04 -0700
In-Reply-To: <200405171639.08701.metrol@metrol.net>
Message-Id: <1084859824.28107.680.camel@abydos.amaunetsgothique.com>
List-Id: Security issues [members-only posting]

On Mon, 2004-05-17 at 16:39, Michael Collette wrote:
> Been trying to puzzle through a firewall layout here involving E-Mail. Would
> have thought this was a more common kind of scenario, but I haven't been able
> to Google me up an answer to this one.
>
> At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing
> mail into my secure network. This is a less than optimal setup simply due to
> having to allow traffic from the DMZ into my secure network without a
> preceding request for that data.
>
> I want to have all the mail held on the server in the DMZ, then have it be
> pulled into the secure network for all my users by some means.
>
> Originally I thought I could just set up a multi-drop box, pull in the mail
> with Fetchmail, then have it delivered to my internal server for processing.
> Seems that there are way too many pitfalls for this setup to reasonably
> support all my users.
>
> I then looked into configuring the DMZ server to hold all mail, then release
> on an ETRN request. From what I've read on this I'm really no better off, as
> I still have to allow port 25 requests into my secure network.
>
> Thanks,

I've seen one site implement UUCP for exactly this reason, but I think the potential problems with a flaw in UUCP outweigh just using an SMTP push. As long as you've locked down your firewall to only allow the mail gateway to open a connection through to your trusted net on port 25 (i.e. no other DMZ hosts are allowed through in this manner), that's about as good as you can do.

Look at it this way: what are you protecting against? If you're protecting against mail being sent in, well, clearly that will happen either way. If you're protecting against an attacker who would hijack the DMZ host and try to attack your internal machine via port 25, well, yes, it will stop that, but if the attacker manages to hijack the machine they're going to be able to do a lot worse things (snoop on all your mail, possibly capture passwords, etc.). Really, the possibility that an attacker would be able to make a successful attack using only port 25 of your internal host is very remote, and the possibility that they couldn't do anything else malicious even though they had hijacked a host is even more remote.

Make sure you're not over-architecting your environment and introducing unnecessary complications for very minimal potential benefit.

--
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com
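The firewall policy Brian describes (only the DMZ mail gateway may open TCP/25 to the internal mail server, and nothing else from the DMZ may initiate connections into the trusted net) written out as a FreeBSD pf ruleset. This is an added example, not part of the original thread or of either poster's setup; the interface names, addresses and networks are assumptions chosen for illustration, and the ruleset assumes pf with floating (default) state tracking so that a state created on the inbound interface also passes the packet out the other side.

```pf
# /etc/pf.conf -- three-legged firewall: Internet, DMZ, trusted network.
# All interface names and addresses below are assumed for this example.
ext_if  = "em0"
dmz_if  = "em1"
int_if  = "em2"

mail_gw  = "192.0.2.25"     # Postfix relay in the DMZ (assumed address)
mail_int = "10.0.0.25"      # internal mail server (assumed address)
dmz_net  = "192.0.2.0/24"
int_net  = "10.0.0.0/8"

set skip on lo0

# Default deny, logged, so every allowed flow below is explicit.
block log all

# Internet -> DMZ: only SMTP, only to the gateway.
pass in on $ext_if proto tcp from any to $mail_gw port smtp \
    flags S/SA keep state

# DMZ -> trusted net: the single allowed flow is gateway -> internal
# mail server on TCP/25.  'quick' so it wins before the catch-all block.
pass in quick on $dmz_if proto tcp from $mail_gw to $mail_int port smtp \
    flags S/SA keep state

# Everything else the DMZ tries to initiate into the trusted net is
# dropped and logged; a compromised DMZ host cannot reach other
# internal services this way.
block in log quick on $dmz_if from $dmz_net to $int_net

# Gateway needs outbound SMTP and DNS to the Internet (not to int_net).
pass in on $dmz_if proto tcp from $mail_gw to ! $int_net port smtp \
    flags S/SA keep state
pass in on $dmz_if proto udp from $mail_gw to ! $int_net port domain \
    keep state

# Trusted net -> gateway for outbound relay, and trusted net -> Internet.
pass in on $int_if proto tcp from $int_net to $mail_gw port smtp \
    flags S/SA keep state
pass in on $int_if from $int_net to ! $dmz_net keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while testing from a second DMZ host: a connection attempt from any DMZ address other than `$mail_gw`, or from `$mail_gw` to any internal port other than 25, should appear there as a logged block. Rule order matters in pf (last matching rule wins unless `quick`), which is why the narrow pass rule carries `quick` and sits before the DMZ-to-internal block.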