Re: Mail server security - best practices?
- From: jKILLSPAM.schipper@xxxxxxxxxx
- Date: 28 Apr 2006 08:30:53 GMT
sealinux@xxxxxxxxx wrote:
jKILLSPAM.schipper@xxxxxxxxxx wrote:
OpenVPN is not that bad, security-wise, and has an option to require
each message to be stamped with a certain key (not at the appropriate
computer now - see tls-auth).
Stock IPsec or OpenSSH is better, but tls-auth makes exploiting problems
very difficult.
I'm running tls-auth on the OpenVPN gateway. I'm also using
passphrase-protected unique keys for each client and 2048 bit
keylengths. Am I paranoid or what?!?
How long would a brute force attack on a 2048-bit key take?
For all practical purposes, infinitely long if you chose the key in a
vaguely competent fashion (i.e., not just typed 2048 null bytes or
somesuch).
Good crypto is almost undefeatable; however, implementation errors
abound, and social engineering is likely to be successful if enough
(nontechnical) people have access.
And breaking the administrator's fingers almost always works.
For maximum protection, configure a mail forwarder in the DMZ - MTAs are
pretty secure, but spam and virus scans often use weird programs that
are not quite as well-tested.
I'm not running any of those. The gateway will only be running Qmail
and BIND on OpenBSD with everything chrooted. I fully appreciate the
idea that nothing is 100% secure. The whole idea is to make it more
trouble to hack than the data on the machine is worth.
Under these circumstances, I don't really see the need for a mail
gateway. Some find it useful, though.
So you think it best for the incoming mail to "live" on the server on
the DMZ then?
Well, security-wise, 'best' is of course the forwarding scheme. I don't
see sufficient benefit to it that I would personally use it, though.
That would be a different matter if the backend mailer was not as
secure, for instance, Exchange.
However, I would personally not mind sharing the mail gateway and the
BIND daemon - sure, separating them would be better, but your cost
argument is sound.
I can snag a few more white boxes from Re-PC. I'm going to take your
advice and run the webserver on a separate DMZ, this one with no access
behind the firewall. The mail gateway will have only port 25 access to
the one machine behind the firewall. I think PF can be set to look at
Ethernet addresses?
Mmm, maybe, but it might be better just to hardcode the MAC addresses.
See arp(8).
OTOH, you might want to run a DNS daemon on both DMZ'ed servers if said
DNS is required for the proper functioning of a/your domain. Then again,
a free ZoneEdit.com account (or similar) is likely to provide a more
valuable backup.
I'm not familiar with ZoneEdit.
Thanks a whole lot for your help. You mind if I contact you directly
by email?
No, not at all. The address in the header is valid, save the obvious.
Joachim