Re: Mail server security - best practices?




jKILLSPAM.schipper@xxxxxxxxxx wrote:

OpenVPN is not that bad, security-wise, and has an option to require
each message to be stamped with a certain key (not at the appropriate
computer now - see tls-auth).

Stock IPsec or OpenSSH is better, but tls-auth makes exploiting problems
very difficult.

I'm running tls-auth on the OpenVPN gateway. I'm also using
passphrase-protected unique keys for each client and 2048-bit
key lengths. Am I paranoid or what?!?

How long would a brute force attack on a 2048-bit key take?

For maximum protection, configure a mail forwarder in the DMZ - MTAs are
pretty secure, but spam and virus scans often use weird programs that
are not quite as well-tested.

I'm not running any of those. The gateway will only be running Qmail
and BIND on OpenBSD with everything chrooted. I fully appreciate the
idea that nothing is 100% secure. The whole idea is to make it more
trouble to hack than the data on the machine is worth.

Under these circumstances, I don't really see the need for a mail
gateway. Some find it useful, though.

So you think it best for the incoming mail to "live" on the server on
the DMZ then?

However, I would personally not mind sharing the mail gateway and the
BIND daemon - sure, separating them would be better, but your cost
argument is sound.

I can snag a few more white boxes from Re-PC. I'm going to take your
advice and run the webserver on a separate DMZ, this one with no access
behind the firewall. The mail gateway will have only port 25 access to
the one machine behind the firewall. I think PF can be set to look at
Ethernet addresses?

OTOH, you might want to run a DNS daemon on both DMZ'ed servers if said
DNS is required for the proper functioning of a/your domain. Then again,
a free ZoneEdit.com account (or similar) is likely to provide a more
valuable backup.

I'm not familiar with ZoneEdit.

Thanks a whole lot for your help. You mind if I contact you directly
by email?
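
The layout discussed in this thread (mail gateway in one DMZ with only port 25 access to a single internal machine, web server in a second DMZ with no access behind the firewall), written out as a pf.conf sketch. This is an added example and not part of the original message; the interface names, all addresses and the web server ports are assumptions, and outbound rules for the gateway itself are left out.

```conf
# pf.conf sketch (OpenBSD). Added example, not from the thread.
# Interface names and all addresses are assumptions (constructed values).
ext_if   = "em0"           # Internet
mail_if  = "em1"           # DMZ 1: mail gateway (qmail + BIND)
web_if   = "em2"           # DMZ 2: web server
int_if   = "em3"           # internal LAN

mail_gw  = "192.0.2.10"    # mail gateway in DMZ 1
web_srv  = "192.0.2.20"    # web server in DMZ 2
int_net  = "10.0.0.0/24"   # network behind the firewall
int_mail = "10.0.0.25"     # the one internal host that receives mail

set skip on lo
block log all              # default deny, both directions, every interface

# Web DMZ never reaches the internal network, whatever is added later.
block in log quick on $web_if from any to $int_net

# Internet to the mail gateway: SMTP and DNS only.
pass in  on $ext_if  proto tcp          from any to $mail_gw port 25
pass out on $mail_if proto tcp          from any to $mail_gw port 25
pass in  on $ext_if  proto { tcp, udp } from any to $mail_gw port 53
pass out on $mail_if proto { tcp, udp } from any to $mail_gw port 53

# Internet to the web server (ports are an assumption).
pass in  on $ext_if  proto tcp from any to $web_srv port { 80, 443 }
pass out on $web_if  proto tcp from any to $web_srv port { 80, 443 }

# Mail gateway to the internal mail host: TCP port 25 and nothing else.
pass in  on $mail_if proto tcp from $mail_gw to $int_mail port 25
pass out on $int_if  proto tcp from $mail_gw to $int_mail port 25
```

The file can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`.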
