Security Basics mailing list archives
DMZ to LAN SMTP connections
From: "ыфзкфт" <sapran () gmail com>
Date: Fri, 14 Mar 2008 13:07:57 +0200
Hi list. I would appreciate any response on my email system security configuration. I mean it would be great to know your opinion on how secure it is and what best practices are.

I have an Exchange 2003 server. It resides on a dedicated server VLAN and serves local users' Outlooks and OWA logins using integrated authentication. Of course, all this is in the AD domain.

I have set up two Postfix MTAs in the DMZ and allowed the Internet to connect to them on 25/tcp and vice versa. Also I have allowed the MTAs to query DNS servers anywhere on the Internet. Exchange may connect to the MTAs and uses them as smart hosts for outgoing mail. The MTAs may only connect to Exchange to send it emails addressed to my mail domain. I administer those MTAs from the LAN using SSH.

So, the firewall policy looks like below. Consider that DMZ-based hosts are provided with public IPs and all other traffic is denied by default.

Internet:any/tcp ---> DMZ-based MTA:25/tcp
Internet:25/tcp <--- DMZ-based MTA:any/tcp
Internet:53/udp <--- DMZ-based MTA:any/udp
DMZ-based MTA:22/tcp <--- LAN-based admin host:any/tcp
DMZ-based MTA:25/tcp <--- LAN-based Exchange:any/tcp
DMZ-based MTA:any/tcp ---> LAN-based Exchange:25/tcp

And I wonder whether that rule allowing the MTAs to connect to Exchange over ESMTP is correct. I mean I heard a lot about denying connections from networks with a lower security level into secured networks, the LAN in this case. Is this restriction to SMTP traffic only enough, or should I choose some other design: NAT Exchange:25/tcp outside to the DMZ, use fetchmail, or something like that?

Thanks in advance for all your responses.

-- 
sapran
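As an added example (not the poster's configuration), the six rules above as a small Python policy model with a default-deny check, so the DMZ-to-LAN exposure the question is about can be enumerated rather than eyeballed; the zone and host labels and the Flow type are assumptions made here, and source ports are treated as "any" as in the post.

```python
# Model of the DMZ/LAN firewall policy from the post (added example, not the
# poster's own ruleset). Zone/host labels are assumed names; the six rules are
# transcribed from the post; everything else is denied, as the post states.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internet", "dmz" or "lan"
    src_host: str   # "any", "mta", "exchange" or "admin"
    dst_zone: str
    dst_host: str
    dst_port: int   # source ports are "any" in every rule, so not modelled
    proto: str      # "tcp" or "udp"


# (src_zone, src_host, dst_zone, dst_host, dst_port, proto); "any" is a wildcard
POLICY = [
    ("internet", "any",      "dmz",      "mta",      25, "tcp"),  # inbound mail
    ("dmz",      "mta",      "internet", "any",      25, "tcp"),  # outbound mail
    ("dmz",      "mta",      "internet", "any",      53, "udp"),  # DNS lookups
    ("lan",      "admin",    "dmz",      "mta",      22, "tcp"),  # SSH admin
    ("lan",      "exchange", "dmz",      "mta",      25, "tcp"),  # smart-host relay
    ("dmz",      "mta",      "lan",      "exchange", 25, "tcp"),  # delivery into LAN
]


def _match(value: str, pattern: str) -> bool:
    return pattern == "any" or value == pattern


def is_allowed(flow: Flow) -> bool:
    """True if some rule permits this new connection; otherwise default deny."""
    for sz, sh, dz, dh, port, proto in POLICY:
        if (_match(flow.src_zone, sz) and _match(flow.src_host, sh)
                and _match(flow.dst_zone, dz) and _match(flow.dst_host, dh)
                and flow.dst_port == port and flow.proto == proto):
            return True
    return False


def dmz_to_lan_exposure() -> list:
    """Every (dst_host, port, proto) a DMZ host may open into the LAN.

    This is the set the post's design question is about: with the policy as
    written it contains exactly one entry, Exchange on 25/tcp."""
    return sorted({(dh, port, proto) for sz, _sh, dz, dh, port, proto in POLICY
                   if sz == "dmz" and dz == "lan"})
```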
Current thread:
- DMZ to LAN SMTP connections ыфзкфт (Mar 14)
- Re: DMZ to LAN SMTP connections Ansgar -59cobalt- Wiechers (Mar 14)
- Re: DMZ to LAN SMTP connections Kurt Buff (Mar 14)