Firewall Wizards
mailing list archives
Re: Rules for mailserver which is in internet zone ??
From: jseymour () LinxNet com (Jim Seymour)
Date: Fri, 12 Dec 2003 08:29:08 -0500 (EST)
Dilip M <dilipm () bristolindia com> wrote:
> Hi,
> Consider that my mail machine is in the internet zone and I do POP directly
> from that machine.
> What are the best rules to have on it to be secure??

I'm guessing you mean, by that, that you want to access the machine
from the outside? Via the Internet?

I would move the POP server to a dedicated machine on a third network.
E.g.:

    'net --- FW --- secure LAN
             |
             | semi-secure 3rd network
             |
            POP
           server

for starters. That machine would be locked-down, running nothing *but*
popd. (And smtpd--see following.)

Secondly: You're going to need SMTP access to the same machine, no?
Else how will clients *send* email? I don't think you want to poke a
hole for SMTP through your firewall to your inside machine, on your
"secure LAN," do you?

Speaking of SMTP: No matter which way you handle that, how will you
handle identification/authentication to make sure clients using your
SMTP server are *yours*, and not a spammer/cracker (attempting to)
abuse it? SMTP AUTH (along with some IP-based restrictions to at least
broad network ranges, if possible) would be your friend there, I should
think. Or at least POP-before-SMTP.

This way, if your client email services machine is compromised, all
that's at risk is your 3rd, not-quite-as-secure, network, rather than
your secure LAN.

Speaking of compromise: On the client email services machine, I'd use a
set of services that allowed me to create client email services that
didn't require local user accounts, such as the Cyrus IMAP server
suite, perhaps.

--
Jim Seymour | Spammers sue anti-spammers:
jseymour () LinxNet com | http://www.LinxNet.com/misc/spam/slapp.php
http://jimsun.LinxNet.com | Please donate to the SpamCon Legal Fund:
| http://www.spamcon.org/legalfund/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
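
Added example (not part of the original post, and not Jim Seymour's own configuration): one way to express the three-network layout described above as a firewall ruleset, so that a compromised mail host cannot open connections into the secure LAN. The use of iptables, the interface names, the firewall's own INPUT rules, and the outbound SMTP/DNS and LAN-to-Internet rules are assumptions; the post itself names only POP and SMTP.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for the three-legged firewall.
# Assumed interfaces: eth0 = Internet, eth1 = secure LAN, eth2 = 3rd network.
# Ports: 25 = SMTP, 110 = POP3 (the two services named in the post).
# Usage: emit_rules | iptables-restore --test    (parse only, no commit)

emit_rules() {
    net_if=${1:-eth0}
    lan_if=${2:-eth1}
    dmz_if=${3:-eth2}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall itself: loopback and replies only (assumption: console-managed)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to any forwarded connection that was allowed to start
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> mail host: SMTP and POP3 only
-A FORWARD -i $net_if -o $dmz_if -p tcp -m multiport --dports 25,110 -m conntrack --ctstate NEW -j ACCEPT
# Secure LAN -> mail host: same two services
-A FORWARD -i $lan_if -o $dmz_if -p tcp -m multiport --dports 25,110 -m conntrack --ctstate NEW -j ACCEPT
# Mail host -> Internet: outbound SMTP and DNS (assumption: it relays mail itself)
-A FORWARD -i $dmz_if -o $net_if -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $dmz_if -o $net_if -p udp --dport 53 -j ACCEPT
-A FORWARD -i $dmz_if -o $net_if -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Secure LAN -> Internet (assumption: general outbound access is wanted)
-A FORWARD -i $lan_if -o $net_if -m conntrack --ctstate NEW -j ACCEPT
# Mail host -> secure LAN: never accepted. Log the attempt, since a locked-down
# mail host has no reason to initiate it; the packet then hits the DROP policy.
-A FORWARD -i $dmz_if -o $lan_if -j LOG --log-prefix "dmz-to-lan: "
# Internet -> secure LAN: no rule, so the DROP policy applies.
COMMIT
EOF
}
```

SMTP AUTH or POP-before-SMTP still has to be configured on the mail server itself; packet filtering on port 25 does not identify who is relaying.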