From: "Jonathan Tripathy" on
Hi Everyone,

I have set up a mail server (on a VM) as per this article:

http://workaround.org/ispmail/lenny

I wish to host this server for a customer. However, I don't think it's "best practise" to simply place the whole VM in a DMZ and port forward to it. My question is, what should I do and what should I "split up"? The networks I have available to me are:

- Public Subnet (Has external IPs)
- DMZ Subnets (Highly secure subnet with limited access to other hosts. Ports are forwarded to DMZ servers for incoming services, and outbound access from these DMZ servers is strictly limited to a "need-to" basis)
- LAN Subnet (Speaks for itself)

I do believe that by putting the email server VM in the DMZ, if it were to get compromised, I feel that the DMZ firewall rules would give the rest of my network protection. However, it's game over for my customers' emails though!

Any help or advice on how I could "split" things up would be appreciated.

Thanks
From: Jonathan Tripathy on

On 19/07/10 18:07, Angelo Amoruso wrote:
> On 16/07/2010 10.10, Jonathan Tripathy wrote:
>> Hi Everyone,
>> I have set up a mail server (on a VM) as per this article:
>> http://workaround.org/ispmail/lenny
>> I wish to host this server for a customer. However, I don't think
>> it's "best practise" to simply place the whole VM in a DMZ and port
>> forward to it. My question is, what should I do and what should I
>> "split up"? The networks I have available to me are:
>
> DMZ allows you to restrict which traffic goes where, e.g. you can say
> that such mail host can only receive SMTP connections from outside
> (Internet) and generate outbound SMTP traffic only. This helps
> restricting what an attacker can do with such machine if it gets "owned".
>
> The innermost security guard is of course given by regular machine
> maintenance, i.e. updating software when patches and security fixes are
> available.
>
> My .2c ;-)
>
> Best regards,
> Angelo 'Archie' Amoruso
>

Regarding the DMZ, I am fairly confident that if the mail server in the
DMZ were to get compromised, my DMZ rules would prevent any attack on
other network computers.

So do you feel that it is safe enough, provided I keep the machine
up-to-date, to place the whole mail server (Postfix, Dovecot + user
databases + email storage) in a DMZ, and just open the ports for SMTP
and IMAP?

Thanks

From: Simone Caruso on
On 19/07/2010 22:04, Jonathan Tripathy wrote:
>
> On 19/07/10 18:07, Angelo Amoruso wrote:
>> On 16/07/2010 10.10, Jonathan Tripathy wrote:
>>> Hi Everyone,
>>> I have set up a mail server (on a VM) as per this article:
>>> http://workaround.org/ispmail/lenny
>>> I wish to host this server for a customer. However, I don't think
>>> it's "best practise" to simply place the whole VM in a DMZ and port
>>> forward to it. My question is, what should I do and what should I
>>> "split up"? The networks I have available to me are:
>>
>> DMZ allows you to restrict which traffic goes where, e.g. you can say
>> that such mail host can only receive SMTP connections from outside
>> (Internet) and generate outbound SMTP traffic only. This helps
>> restricting what an attacker can do with such machine if it gets "owned".
>>
>> The innermost security guard is of course given by regular machine
>> maintenance, i.e. updating software when patches and security fixes are
>> available.
>>
>> My .2c ;-)
>>
>> Best regards,
>> Angelo 'Archie' Amoruso
>>
>
> Regarding the DMZ, I am fairly confident that if the mail server in the
> DMZ were to get compromised, my DMZ rules would prevent any attack on
> other network computers.
>
> So do you feel that it is safe enough, provided I keep the machine
> up-to-date, to place the whole mail server (Postfix, Dovecot + user
> databases + email storage) in a DMZ, and just open the ports for SMTP
> and IMAP?
>
> Thanks
>
A typical environment: 2 (or more) smtp servers and 2 (or more) imap/pop proxies front-ends (VLAN1, public ips, behind
firewall and balancers), 2 AVAS servers (sophos, or anything else) in VLAN2 plus mail storage and RDBMS in VLAN3

--
Simone Caruso
IT Consultant

From: mouss on
Simone Caruso wrote:
> On 19/07/2010 22:04, Jonathan Tripathy wrote:
>>
>> On 19/07/10 18:07, Angelo Amoruso wrote:
>>> On 16/07/2010 10.10, Jonathan Tripathy wrote:
>>>> Hi Everyone,
>>>> I have set up a mail server (on a VM) as per this article:
>>>> http://workaround.org/ispmail/lenny
>>>> I wish to host this server for a customer. However, I don't think
>>>> it's "best practise" to simply place the whole VM in a DMZ and port
>>>> forward to it. My question is, what should I do and what should I
>>>> "split up"? The networks I have available to me are:
>>>

If using BSD or Linux, you can also enable the "local" packet filter (pf
under BSD, netfilter/iptables under Linux) to only allow explicitly
authorized traffic. If you are familiar with these tools, then you don't
even need a firewall (pf and netfilter/iptables are firewalls, so you
get a self-protected box, but this is only true if "you are familiar...").

<off topic>
While I am in, the term "DMZ" means a lot of things. In old setups, it
almost always meant a zone connected to a "3rd port" of "the" firewall.
I prefer a "double firewall" setup, where you avoid having traffic go
twice through the same firewall. This means you need smaller firewalls.
The additional cost (2 small FW - 1 large FW) is justified by the
simplification of your setup and by the higher (to some extent, but
higher anyway) security level.
</off topic>


>>> DMZ allows you to restrict which traffic goes where, e.g. you can say
>>> that such mail host can only receive SMTP connections from outside
>>> (Internet) and generate outbound SMTP traffic only. This helps
>>> restricting what an attacker can do with such machine if it gets
>>> "owned".
>>>
>>> The innermost security guard is of course given by regular machine
>>> maintenance, i.e. updating software when patches and security fixes are
>>> available.
>>>
>>> My .2c ;-)
>>>
>>> Best regards,
>>> Angelo 'Archie' Amoruso
>>>
>>
>> Regarding the DMZ, I am fairly confident that if the mail server in the
>> DMZ were to get compromised, my DMZ rules would prevent any attack on
>> other network computers.
>>
>> So do you feel that it is safe enough, provided I keep the machine
>> up-to-date, to place the whole mail server (Postfix, Dovecot + user
>> databases + email storage) in a DMZ, and just open the ports for SMTP
>> and IMAP?
>>
>> Thanks
>>
> A typical environment: 2 (or more) smtp servers and 2 (or more) imap/pop
> proxies front-ends (VLAN1, public ips, behind firewall and balancers), 2
> AVAS servers (sophos, or anything else) in VLAN2 plus mail storage and
> RDBMS in VLAN3
>
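
An added example, not part of any poster's message: a default-deny host ruleset of the kind described above (only explicitly authorized traffic; inbound SMTP and IMAP, outbound SMTP), written as a shell function that emits iptables-restore input. The interface name eth0, the resolver address 192.0.2.53 and the DNS and logging rules are assumptions made for the example.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a single-box mail host (default deny).
# Assumed values, not from the thread: interface eth0, resolver 192.0.2.53.
rule() { printf '%s\n' "$1"; }

mail_host_ruleset() {
    ifc="${1:-eth0}"              # public-facing interface (assumed name)
    resolver="${2:-192.0.2.53}"   # DNS resolver the MTA may query (placeholder)
    in_ports="${3:-25 143}"       # inbound services: SMTP and IMAP

    rule "*filter"
    # Anything not explicitly authorized below is dropped.
    rule ":INPUT DROP [0:0]"
    rule ":FORWARD DROP [0:0]"
    rule ":OUTPUT DROP [0:0]"
    # Loopback: Postfix, Dovecot and the database talk to each other locally.
    rule "-A INPUT -i lo -j ACCEPT"
    rule "-A OUTPUT -o lo -j ACCEPT"
    # Replies belonging to flows that a rule below already accepted.
    rule "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    rule "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Inbound: new connections only to the published mail ports.
    for p in $in_ports; do
        rule "-A INPUT -i $ifc -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Outbound: SMTP delivery, plus DNS to one resolver for MX lookups.
    rule "-A OUTPUT -o $ifc -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    rule "-A OUTPUT -o $ifc -p udp -d $resolver --dport 53 -j ACCEPT"
    rule "-A OUTPUT -o $ifc -p tcp -d $resolver --dport 53 -m state --state NEW -j ACCEPT"
    # Log what falls through, so refused outbound attempts from the box are visible.
    rule "-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix \"mail-out-deny: \""
    rule "COMMIT"
}

# Count the rules in a chain that accept traffic to a destination port.
# Usage: mail_host_ruleset | count_port_accepts INPUT
count_port_accepts() {
    grep -c "^-A $1 .*--dport .* -j ACCEPT" || true
}

# Stand-alone run: print the ruleset for the given (or default) arguments.
mail_host_ruleset "$@"
```

Piping the output through `iptables-restore --test` parses the rules without committing them, which is worth doing before loading a default-deny policy on a remote machine.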

From: Jonathan Tripathy on

> I am not a Xen expert, but AFAICT, you can configure iptables in the VM
> and in the host.
>
> note that I am not saying you should do that. it really depends on your
> setup. if you can script the work to implement "centralized" admin, then
> it may be worth the pain.
>
Yeah, I'm used to scripting iptables upon VM boot and shutdown for
customers, so setting this up for iptables should be ok. Xen makes life
so much easier by giving each VM an interface, so you can filter based
on that.
>
>> So you think given this, that placing the mail server in the DMZ is ok then?
>>
>>
> sure it is. as already recommended, you can use VLAN to implement
> logical segmentation inside a zone (provided your VLAN implementation
> can't be circumvented. remember, this is only logical...).
>
Think it would be ok if I didn't use VLAN segmentation, but just used
iptables between hosts? I think this would nearly achieve the same thing...
