Security Basics mailing list archives

RE: Email server+network architecture


From: "Robert Buel" <rbuel () asd-web com>
Date: Thu, 16 Jan 2003 15:23:56 -0600

How about implementing a front-end/back-end server architecture with an
SMTP server in your DMZ which accepts incoming mail for your domains,
and then forwards to your internal mail server (which actually contains
the mailboxes for your users). SMTP would be the only protocol enabled
from the DMZ mailserver to the internal mailserver.
The restricted users would point to the internal server for both pop and
smtp, only receive incoming mail, local and internet, but not
successfully send to the world (block outbound smtp for the internal
smtp server at the firewall). The unlimited mail users would have an
identical configuration, only configure their smtp to point to the SMTP
server in the DMZ. They can relay off that server to send to the
internet.

Thoughts?

+Bob 




-----Original Message-----
From: Burton M. Strauss III [mailto:BStrauss () acm org] 
Sent: Wednesday, January 15, 2003 6:40 PM
To: security-basics () securityfocus com
Cc: dataclaus1 () hushmail com
Subject: RE: Email server+network architecture


Thoughts ...

There doesn't have to be ONE DMZ.  You can create as many DMZes as you
want, provided you have sufficient external IP addresses and put the
right firewalls in place.

Or, you can create a split architecture - use one mail server, exposed
in the DMZ to deliver all inbound mail to a work directory and use a
daemon to filter those messages, injecting permitted in-bound mail into
a second "internal" mail server.

You can use a mail server - any of the *nix ones can do things like this
- which implement filters to control access.  If you have an LDAP (or
AD) directory, it's just a property in the directory that ids who is
allowed to send mail.

Set the mail server to dump anything incoming that's not to an
authorized user (whether you bounce or bit bucket it is your own
choice).

You can create your own DNS server for setting up whitelists/blacklists
- model it after one of the anti-spam lists.

Doing something like this means that you have only ONE email server
visible to users, so only one account...

-----Burton
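Both proposals above come down to one access decision per message: internal-to-internal is always allowed, internal-to-external only for users management has flagged, and inbound from the internet only to those same users (Burton's "dump anything incoming that's not to an authorized user"). The following is an added example, not code from either poster; it implements that decision as a handler for the Postfix SMTPD policy-delegation request format (a choice of tooling on my part; neither post names a mail server). The directory attribute name `externalMailAllowed`, the domain `example.corp` and the directory entries are all constructed stand-ins for the LDAP/AD property Burton describes.

```python
"""Postfix-style SMTPD access-policy handler for a split (DMZ / internal) mail setup.

Postfix's policy delegation protocol sends 'name=value' lines terminated by a
blank line and expects 'action=<verb>' followed by a blank line in return.
The handler is meant to be consulted from smtpd_recipient_restrictions, where
both sender and recipient are known (protocol_state=RCPT).
"""

# Constructed: the company's own mail domain(s). Anything else counts as "Outside".
INTERNAL_DOMAINS = {"example.corp"}

# Constructed stand-in for the LDAP/AD directory lookup. The attribute name
# 'externalMailAllowed' is hypothetical; it plays the role of the directory
# property that marks users management has cleared for external mail.
DIRECTORY = {
    "alice@example.corp": {"externalMailAllowed": True},
    "bob@example.corp": {"externalMailAllowed": False},
}


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines, ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:          # empty line terminates the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def is_internal(address: str) -> bool:
    """True if the address belongs to one of the company's own domains.
    The null sender '' (bounces) has no domain and is treated as external."""
    _, _, domain = address.rpartition("@")
    return domain.lower() in INTERNAL_DOMAINS


def external_allowed(address: str) -> bool:
    """Directory lookup of the 'may exchange mail with the outside' flag."""
    return DIRECTORY.get(address.lower(), {}).get("externalMailAllowed", False)


def decide(sender: str, recipient: str) -> str:
    """Return a Postfix action verb for one sender/recipient pair."""
    if is_internal(sender) and is_internal(recipient):
        return "DUNNO"  # Inside<->Inside: all users, let later restrictions decide
    if is_internal(sender):
        # Inside->Outside: only designated users may send to the world
        if external_allowed(sender):
            return "DUNNO"
        return "REJECT Sender is not permitted to send mail outside the company"
    if is_internal(recipient):
        # Outside->Inside: drop inbound mail for users without external access
        if external_allowed(recipient):
            return "DUNNO"
        return "REJECT Recipient does not accept external mail"
    # Outside->Outside: never act as an open relay
    return "REJECT Relay access denied"


def policy_response(raw_request: str) -> str:
    """Full request-to-response round trip in the delegation protocol's wire format."""
    attrs = parse_policy_request(raw_request)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = decide(attrs.get("sender", ""), attrs.get("recipient", ""))
    return f"action={action}\n\n"


# Constructed sample request: an outside partner writing to a cleared user.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.10\n"
    "sender=partner@example.net\n"
    "recipient=alice@example.corp\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_response(SAMPLE_REQUEST), end="")
    for s, r in [("bob@example.corp", "partner@example.net"),
                 ("alice@example.corp", "partner@example.net"),
                 ("partner@example.net", "bob@example.corp"),
                 ("spam@example.net", "victim@example.org")]:
        print(f"{s} -> {r}: {decide(s, r)}")
```

Returning `DUNNO` rather than `OK` for permitted pairs matters: `OK` would short-circuit every restriction listed after the policy check, whereas `DUNNO` only says this service has no objection and lets the rest of the chain (relay checks, RBLs, authentication) still apply. The bounce case is also worth noting: a null-sender bounce from the internet addressed to a restricted user is rejected here, which is consistent with that user never having been able to send outside in the first place.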


-----Original Message-----
From: dataclaus1 () hushmail com [mailto:dataclaus1 () hushmail com]
Sent: Monday, January 13, 2003 1:49 PM
To: security-basics () securityfocus com
Subject: Email server+network architecture



-----BEGIN PGP SIGNED MESSAGE-----

Fellow list folk:

Situation:  My company is very restrictive on internet and email use.
Only select users are allowed external use, and fewer still have
unrestricted net access.  Communications (email) with 'customer data'
are not permitted outside the corporate perimeter, including the DMZ.  We
do not wish to have all of our users able to pop3/smtp outside our
corporate perimeter, even to the DMZ.  We want an email schema as listed
below:

Inside<->Inside:      all users
Inside<->Outside:     Only those designated by management

Currently external mail is hosted by our ISP but saving that money would
be nice.

Thinking about a topology-based solution presents the following:

I can set up a 'corporate' mail server Inside (and no external
linkage) without much trouble.  But then the external-permitted people
have to manage two accounts, one for inside and one for external mail
(since those having external mail are some of the least computer savvy,
this is not the best answer).

Research indicates that putting a mail server Inside and then
configuring a conduit through our firewall is the least preferable
option, as compromise would allow Inside access.

We don't want to place the server in the DMZ because then we'd have to
permit smtp/POP3 to all users outside, and this does not meet the 'no
customer data Outside' criteria.

It seems I'm between a rock and a hard place.  Have I missed something?
Encryption may be an option, but is not implemented currently and we
would still require a policy change (read slow Board proposal/approval
process) before this would be a solution for a DMZ mail server.

Any suggestions as to a topology or other creative solution that would
work would be greatly appreciated.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl8EARECAB8FAj4jF4YYHGRhdGFjbGF1czFAaHVzaG1haWwuY29tAAoJEMX8YnuPyP0P
y+wAnjEdzxS5cU76zQvHH22xhxv9JV0aAJ4zLBIJTQyaNscrlpSRKzId947SMw==
=VmcP
-----END PGP SIGNATURE-----



