Re: Mail server security - best practices?
- From: jKILLSPAM.schipper@xxxxxxxxxx
- Date: 27 Apr 2006 09:35:10 GMT
sealinux@xxxxxxxxx wrote:
> Okay, here's what I have:
> A four-legged firewall with public interface (fxp0), private client
> interface (fxp1), private server interface (sis0), and public server
> interface (sis1). I am going to be running qmail, apache, and BIND on
> the public server. The private server is running courier-imap and
> fetchmail and is also where all of my private files are kept. It is
> only accessible from the outside via chrooted OpenVPN.
>
> The question is, how to divvy up the public services? Right now, the
> plan is to run mail and DNS on one machine and web and DNS on the
> other. Ideally, I'd like for the incoming mail to not "live" on the
> public server but to be delivered to the private one, but that, to me,
> defeats the purpose of having public/private servers. The only way I
> can think to do it would be to have the private server export the home
> directories via NFS so that the email server could deliver the messages
> to the user's home directories.

It's not really possible to have a mail store that is not, at least
indirectly, accessible from the wide internet (save in special cases).
FWIW, IMHO it's most important to separate the web scripts from anything
important. Both BIND and qmail are pretty secure, and while Apache
itself is quite secure, PHP for instance isn't.
You could put a mail forwarder in the DMZ ('public servers'), if so
inclined, but I'd recommend setting up the webserver in its own private
DMZ, and mail on a server that's 'half-internal' in that you seem not to
need stored mail being accessible from the outside.
For maximum protection, configure a mail forwarder in the DMZ - MTAs are
pretty secure, but spam and virus scans often use weird programs that
are not quite as well-tested.
DNS could be kept where you want it, though the risk of a nasty DoS is
less if you put it on a separate machine.
Joachim