Security Basics mailing list archives
RE: Email server+network architecture
From: "Robert Buel" <rbuel () asd-web com>
Date: Thu, 16 Jan 2003 15:23:56 -0600
How about implementing a front-end/back-end server arhitecture with a SMTP server in your DMZ which accepts incoming mail for your domains, and then forwards to your internal mail server (which actually contains the mailboxes for your users) SMTP would be the only protocol enabled from the DMZ mailserver to the internal mailserver. The restricted users would point to the internal server for both pop and smtp, only receive incoming mail, local and internet, but not successfully send to the world (block outbound smtp for the internal smtp server at the firewall). The unlimited mail users would have an identical configuration, only configure their smtp to point to the SMTP server in the DMZ. They can relay off that server to send to the internet. Thoughts? +Bob -----Original Message----- From: Burton M. Strauss III [mailto:BStrauss () acm org] Sent: Wednesday, January 15, 2003 6:40 PM To: security-basics () securityfocus com Cc: dataclaus1 () hushmail com Subject: RE: Email server+network architecture Thoughts ... There doesn't have to be ONE DMZ. You can create as many DMZes as you want, provided you have sufficient external IP addresses and put the right firewalls in place. Or, you can create a split architecture - use one mail server, exposed in the DMZ to deliver all inbound mail to a work directory and use a daemon to filter those messages, injecting permitted in-bound mail into a second "internal" mail server. You can use a mail server - any of the *nix ones can do things like this - which implement filters to control access. If you have an LDAP (or AD) directory, it's just a property in the directory that ids who is allowed to send mail. Set the mail server to dump anything incoming that's not to an authorized user (whether you bounce or bit bucket it is your own choice). You can create your own DNS server for setting up whitelists/blacklists - model it after one of the anti-spam lists. Doing something like this means that you have only ONE email server visible to users, so only one account... -----Burton -----Original Message----- From: dataclaus1 () hushmail com [mailto:dataclaus1 () hushmail com] Sent: Monday, January 13, 2003 1:49 PM To: security-basics () securityfocus com Subject: Email server+network architecture -----BEGIN PGP SIGNED MESSAGE----- Fellow list folk: Situation: My company is very restrictive on internet and email use. Only select users are allowed external use, and fewer still have unrestricted net access. Communications (email) with 'customer data' are not permitted outside the corporate perimter, including the DMZ. We do not wish to have all of our users able to pop3/smtp outside our corporate perimeter, even to the DMZ. We want an email schema as listed below: Inside<->Inside: all users Inside<->Outside: Only those designated by management Currently external mail is hosted by our ISP but saving that money would be nice. Thinking about a topology-based solution presents the following: I can set up a 'corporate' mail server Inside (and no external linkage)without much trouble. But then the external-permitted people have to manage two accounts, one for inside and one for external mail (since those having external mail are some of the least computer savvy, this is not the best answer). Research indicates that putting a mail server Inside and then configuring a conduit through our firewall is the least preferable option, as compromise would allow Inside access. We don't want to place the server in the DMZ because then we'd have to permit smtp/POP3 to all users outside, and this does not meet the 'no customer data Outside' criteria. It seems I'm between a rock and a hard place. Have I missed something? Encryption may be an option, but is not implemented currently and we would still reqire a policy change (read slow Board proposal/approval process) before this would be a solution for a DMZ mail server. Any suggestions as to a topology or other creative solution that would work would be greatly appreciated. -----BEGIN PGP SIGNATURE----- Version: Hush 2.2 (Java) Note: This signature can be verified at https://www.hushtools.com/verify wl8EARECAB8FAj4jF4YYHGRhdGFjbGF1czFAaHVzaG1haWwuY29tAAoJEMX8YnuPyP0P y+wAnjEdzxS5cU76zQvHH22xhxv9JV0aAJ4zLBIJTQyaNscrlpSRKzId947SMw== =VmcP -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Current thread:
- Email server+network architecture dataclaus1 (Jan 15)
- RE: Email server+network architecture Burton M. Strauss III (Jan 16)
- RE: Email server+network architecture Robert Buel (Jan 18)
- RE: Email server+network architecture Burton M. Strauss III (Jan 16)