From: Glenn English

On Apr 1, 2010, at 7:33 PM, Stan Hoeppner wrote:

> If you want all the edge security managed by one device

I don't. There's a border router with ACLs, and everybody has a reasonably intelligent packet filter. I'm just trying for this one fairly fancy box in the middle for inspection and routing around the site (3 nets). It really isn't all that complicated, I don't think. I was just told I needed to do some stuff I'd never heard of, and I'm working on deciding whether I believe it or not.

> If you actually know enough about what you're doing, just punch a TCP 25
> pub/priv PAT hole through your current F/W to your Postfix server and beef
> up your AS/AV countermeasures.

Actually, I'm thinking that Wietse and his buds know what they're doing, and I can poke that TCP 25 hole to Postfix, and Postfix can pretty much take care of itself, as long as I keep massive trash off it.

> We've talked about a plethora of such
> methods both here and on spam-l that you've seen.

Yup.

> Using an SMTP proxy/relay
> on the F/W box and sticking your Postfix server in the DMZ is a useless,
> fruitless, labor hogging effort, complicating your network architecture and
> introducing new troubleshooting headaches, for _zero_ security gain.

Thanks, Stan. I'll keep your gently worded advice in mind :-)

It's actually pretty much the conclusion I was coming to anyway, except that I like having the Internet servers in the DMZ.

> Proxies and DMZs look neat on paper and in theory, but in the real world,
> for 95%+ or more of deployed applications, including SMTP mail, they create
> far more problems than they could ever hope to solve. Any seasoned sysop
> shuns unneeded complexity.

Certainly, although I'm far from seasoned. The hard part is defining "unneeded". I'm running a small system, but the DMZ model's never given me much trouble. I don't have a problem managing it, and it's useful in segmenting functions of the hosts (physically and mentally).

--
Glenn English
ghe(a)slsware.com

From: Glenn English

On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:

> So why must this be a Postfix-as-proxy, instead of a complete
> Postfix-with-queue instance?

Like I said, I'm not at all sure it does. But I'm told that there should be an SMTP reverse proxy running on the firewall to protect the full server from "delivery attempts to never-existed addresses (with a subclass for never-existed addresses that match the format(s) of your generated Message-IDs), attempts to use VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate spam-supporting abusers doing external SAV), and so on".

Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.

Thanks all...

--
Glenn English
ghe(a)slsware.com

From: Wietse Venema
Glenn English:
>
> On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:
>
> > So why must this be a Postfix-as-proxy, instead of a complete
> > Postfix-with-queue instance?
>
> Like I said, I'm not at all sure it does. But I'm told that there
> should be an SMTP reverse proxy running on the firewall to protect
> the full server from "delivery attempts
> to never-existed addresses (with a subclass for never-existed addresses
> that match the format(s) of your generated Message-IDs), attempts to use
> VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
> spam-supporting abusers doing external SAV), and so on".

Postfix can take care of that just fine, including overload-adaptive
behavior. You can turn on chroot (use a *BSD machine to avoid chroot
jail bloat) for an additional safety net.

Wietse

> Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.
>
> Thanks all...
>
> --
> Glenn English
> ghe(a)slsware.com
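For readers wondering what "Postfix can take care of that" looks like in practice, the following main.cf/master.cf fragment is an added example, not part of Wietse's message or any poster's configuration. It maps each item in the quoted list onto a Postfix setting: unknown-recipient rejection at RCPT time, VRFY disabled (Postfix does not implement EXPN at all), error and per-client rate limits that bound what a probing client can cost you, the stress-dependent values that give the overload-adaptive behaviour, and the chroot column in master.cf. Parameter names and the `${stress?x}${stress:y}` syntax are as documented for Postfix 2.5 and later; `example.com`, the numeric limits and the recipient table are placeholders to be replaced with the site's own.

```ini
# main.cf fragment (added example; example.com, limits and maps are placeholders)

# Reject RCPT TO for addresses that do not exist in the domains we accept
# mail for, at SMTP time, rather than accepting and bouncing later.
# This is the Postfix default; it is spelled out because it is the point.
smtpd_reject_unlisted_recipient = yes
mydestination = $myhostname, localhost.$mydomain, localhost, example.com
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# Refuse VRFY. EXPN is not implemented by Postfix, so there is nothing to turn off.
disable_vrfy_command = yes

# Relay only for our own networks and our own domains; reject recipients in
# domains that do not resolve.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# A client that keeps producing errors (probing nonexistent addresses,
# RCPT-then-abort "sender verification" and the like) is first slowed
# down, then disconnected when it reaches the hard limit.
smtpd_soft_error_limit = 10
smtpd_error_sleep_time = 1s

# Per-client limits enforced by anvil; $mynetworks is exempt by default
# (smtpd_client_event_limit_exceptions).
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 30
smtpd_client_recipient_rate_limit = 100

# Overload-adaptive behaviour: when all smtpd processes are busy, master(8)
# exports "stress" to new smtpd processes and the strict values apply.
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_junk_command_limit = ${stress?1}${stress:100}

# master.cf: run the public-facing smtpd chrooted (the "chroot" column).
# service type  private unpriv  chroot  wakeup  maxproc command + args
# smtp    inet  n       -       y       -       -       smtpd
```

After editing, `postconf -n` shows the non-default values actually in effect and `postfix reload` applies them. The chroot line is where Wietse's *BSD remark bites: a chrooted smtpd can only read what has been copied under the queue directory (resolver configuration, services tables and whatever else the platform's libc needs), and that set is small on *BSD and considerably larger with glibc.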

From: Victor Duchovni
On Thu, Apr 01, 2010 at 08:15:29PM -0600, Glenn English wrote:

> > So why must this be a Postfix-as-proxy, instead of a complete
> > Postfix-with-queue instance?
>
> Like I said, I'm not at all sure it does. But I'm told that there
> should be an SMTP reverse proxy running on the firewall to protect the
> full server from "delivery attempts to never-existed addresses (with a
> subclass for never-existed addresses that match the format(s) of your
> generated Message-IDs), attempts to use
> VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
> spam-supporting abusers doing external SAV), and so on".

Not everything you hear on the Internet is true, kind or wise.

This said, many folks operate perimeter Postfix servers with a full queue
(not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
servers, if your network architecture is more conducive to a deployment
of this type.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Glenn English

On Apr 2, 2010, at 12:33 PM, Victor Duchovni wrote:

> Not everything you hear on the Internet is true, kind or wise.

But I'm assuming you are all three :-)

> This said, many folks operate perimeter Postfix servers with a full queue
> (not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
> servers, if your network architecture is more conducive to a deployment
> of this type.

Yeah. That's what I've had for a long time. Works fine, and I'd never allow an Internet connection to anything on the LAN. That's the whole purpose of the DMZ, as I understand it.

This suggestion was to run an SMTP reverse proxy on the firewall. I'm thinking about maybe doing that for HTTP because it'd be pretty easy to filter based on what would be legit HTML requests, but not for much else.

Thanks for the info...

--
Glenn English
ghe(a)slsware.com