Security Basics mailing list archives

Re: DMZ to LAN SMTP connections


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 14 Mar 2008 18:16:17 +0100

On 2008-03-14 ???????????? wrote:
> I have an Exchange 2003 server. It resides on a dedicated server VLAN
> and serves local users' Outlooks and OWA logins using integrated
> authentication. Of course, all this is in the AD domain.
>
> I have settled two Postfix MTAs on the DMZ and allowed the Internet to
> connect to them on 25/tcp and vice versa. Also I have allowed the MTAs
> to query DNS servers anywhere on the Internet. Exchange may connect to
> the MTAs and uses them as smart hosts for outgoing mail. The MTAs may
> only connect to Exchange to send it emails addressed to my mail domain.
> I administer those MTAs from the LAN using SSH. So, the firewall policy
> looks like below. Consider that DMZ-based hosts are provided with public
> IPs and all other traffic is denied by default.
>
> Internet:any/tcp ---> DMZ-based MTA:25/tcp
> Internet:25/tcp <--- DMZ-based MTA:any/tcp
> Internet:53/udp <--- DMZ-based MTA:any/udp
> DMZ-based MTA:22/tcp <--- LAN-based admin host:any/tcp
> DMZ-based MTA:25/tcp <--- LAN-based Exchange:any/tcp
> DMZ-based MTA:any/tcp ---> LAN-based Exchange:25/tcp
>
> And I wonder whether that rule allowing the MTAs to connect to Exchange
> via ESMTP is correct. I mean I heard a lot about denying connections
> from networks with a lower security level into secured networks, the LAN
> in this case. Is this restriction to SMTP traffic only enough, or should
> I choose some other design: NAT Exchange:25/tcp outside to the DMZ, use
> fetchmail, or something like that?

Correctness of this rule is not the issue, but whether or not it poses a
security risk. The general rule is to not allow any connection attempts
from the DMZ into your LAN. The reason behind that is that even if an
attacker manages to compromise a host on the DMZ, he still won't be able
to access (and thus possibly exploit) anything on the LAN. I'd suggest
sticking with this rule unless you have very good reasons not to.

A better approach (IMHO) would be to have Exchange poll the incoming
mail from the Postfix servers, e.g. by using fetchmail from Cygwin. Also
I'd recommend having the Exchange server push a list with the valid
e-mail addresses to the Postfix servers, so they'll accept mail only for
those valid addresses.

Basically you'd configure your domains as relay domains, specify the
valid e-mail addresses in $relay_recipient_maps, set the transport to
deliver all mail to a virtual mailbox, periodically fetch the incoming
mail from that mailbox and feed it to Exchange.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
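As an added illustration of the relay-domain setup described in the reply above (this is example configuration written for this page, not Ansgar's own nor anything from the original thread): a main.cf excerpt for the DMZ Postfix host, with the contents of the three lookup tables shown as comments. The domain example.com, the map file paths, the holding directory and the uid/gid 5000 are assumptions; the recipient list is a constructed sample standing in for the export pushed from Exchange.

```ini
# Added example (not from the original post): DMZ Postfix accepting mail
# for the internal domain without ever opening a connection into the LAN.
# example.com, file paths and uid/gid 5000 are assumed values.

# ---- /etc/postfix/main.cf (excerpt) ----
# Treat the internal domain as a relay domain, not a local destination.
relay_domains = example.com
# Reject RCPT TO for any address not in the list pushed from the LAN.
# With this map present but empty, Postfix rejects every recipient for
# the domain ("User unknown in relay recipient table"), so a failed push
# fails closed rather than turning the host into a backscatter source.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Route the whole domain to the virtual(8) delivery agent instead of to
# the LAN Exchange server over SMTP.
transport_maps = hash:/etc/postfix/transport
# Everything for the domain lands in one Maildir that the LAN side polls.
virtual_mailbox_base = /var/spool/postfix-holding
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
# Outbound mail arriving from Exchange is relayed straight to the
# Internet; no upstream relayhost is involved on the DMZ MTA.
relayhost =

# ---- /etc/postfix/transport ----
# example.com    virtual:

# ---- /etc/postfix/virtual_mailbox ----
# Catch-all for the domain; the trailing slash selects Maildir format
# under $virtual_mailbox_base.
# @example.com   holding/Maildir/

# ---- /etc/postfix/relay_recipients (constructed sample; in practice
# ---- generated from the address list the Exchange side pushes) ----
# alice@example.com   OK
# bob@example.com     OK
# postmaster@example.com   OK

# After any change to the hash: tables:
#   postmap /etc/postfix/transport /etc/postfix/virtual_mailbox \
#           /etc/postfix/relay_recipients
#   postfix reload
```

Two points worth checking when deploying something like this. First, the recipient check happens at SMTP time in smtpd, so mail for unknown addresses is refused during the session rather than accepted and bounced later. Second, fetchmail speaks POP3 or IMAP, not Maildir, so the holding mailbox needs a POP3/IMAP service on the Postfix host (or the LAN pulls the Maildir over the existing SSH path); whichever protocol is used, the connection is initiated from the LAN towards the DMZ, which is the whole point of the design.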
