Re: Mail server security - best practices?
- From: sealinux@xxxxxxxxx
- Date: 27 Apr 2006 15:12:05 -0700
jKILLSPAM.schipper@xxxxxxxxxx wrote:
> It's not really possible to have a mail store that is not, at least
> indirectly, accessible from the wide internet (save in special cases).
That was my feeling as well, hence the quandary.
> FWIW, IMHO it's most important to separate the web scripts from anything
> important. Both BIND and qmail are pretty secure, and while Apache
> itself is quite secure, PHP for instance isn't.
I've since acquired a separate machine to run Apache and PHP on. I'll
have two servers in the DMZ then, one running Qmail and BIND, the other
running Apache and BIND.
> You could put a mail forwarder in the DMZ ('public servers'), if so
> inclined, but I'd recommend setting up the webserver in its own private
> DMZ, and mail on a server that's 'half-internal' in that you seem not to
> need stored mail being accessible from the outside.
I can access the stored mail from the outside using OpenVPN. How wise
is it to trust that? I still employ IMAP-SSL on the private server,
though.
> For maximum protection, configure a mail forwarder in the DMZ - MTAs are
> pretty secure, but spam and virus scans often use weird programs that
> are not quite as well-tested.
Let me see if I understand. The machine running Qmail in the DMZ would
be set to forward incoming mail to my private server, also running
Qmail, behind the firewall. The former would simply act as a conduit
to the latter, which would deliver mail to the users' home directories.
This would involve punching a hole in the firewall to allow
connections to port 25 on the private server, but that can be locked
down fairly tightly with pf rules. The main thing is for stuff I want
kept private to not be widely available.
> DNS could be kept where you want it, though the risk of a nasty DoS is
> less if you put it on a separate machine.
(Having visions of my wallet getting lighter and lighter and lighter...)
Seriously, thank dog I'm running OpenBSD. There's no way I
could afford the big iron and licenses required to run 'Doze.
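As an added example (not from this thread, and not the poster's own configuration), here is a pf.conf sketch of the split discussed above: the DMZ relay takes SMTP from anywhere, only that relay may open port 25 on the private mail server, and IMAPS on the private server is reachable only across the OpenVPN tunnel. Interface names, addresses and the VPN subnet are assumed.

```conf
# Assumed interfaces on the OpenBSD firewall
ext_if = "em0"   # internet
dmz_if = "em1"   # DMZ: Qmail+BIND relay, Apache+BIND web host
int_if = "em2"   # private network
vpn_if = "tun0"  # OpenVPN tunnel

# Assumed addresses (constructed for the example)
dmz_mx   = "192.0.2.10"    # Qmail relay in the DMZ
web_srv  = "192.0.2.20"    # Apache/PHP host in the DMZ
int_mail = "10.0.1.10"     # private Qmail server holding the mail store
vpn_net  = "10.8.0.0/24"   # OpenVPN client addresses

set skip on lo
block log all     # default deny in both directions; last matching rule wins

# Internet may reach the DMZ relay on SMTP and both DMZ hosts on DNS
pass in on $ext_if proto tcp from any to $dmz_mx port 25 flags S/SA keep state
pass in on $ext_if proto { tcp, udp } from any to { $dmz_mx, $web_srv } port 53 keep state
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state

# The relay may deliver outbound mail
pass out on $ext_if proto tcp from $dmz_mx to any port 25 flags S/SA keep state

# The "hole" toward the private server: only the DMZ relay, only port 25.
# Nothing else in the DMZ (notably the web host) can reach the internal net.
pass in  on $dmz_if proto tcp from $dmz_mx to $int_mail port 25 flags S/SA keep state
pass out on $int_if proto tcp from $dmz_mx to $int_mail port 25 keep state

# OpenVPN terminates on the firewall; IMAP over SSL only from the tunnel
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state
pass in  on $vpn_if proto tcp from $vpn_net to $int_mail port 993 flags S/SA keep state
pass out on $int_if proto tcp from $vpn_net to $int_mail port 993 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and note that port 25 on the private server is never passed in on $ext_if at all.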