Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] Getting mail via POP from DMZ server
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Sun, 7 Jan 2001 05:00:41 -0700
  • Message-id: <000901c078a1$75d78420$ca00030a@xxxxxxxxxxxx>
You should run a secure mailserver in your DMZ such as postfix on a completely
stripped down box. You can also chroot postfix easily (no local delivery eh) and
only the master program (30k or so) runs as root (and if that's flawed I'd be
pretty surprised). If you are super paranoid there are ways to pull the mail
from internally, however there are some issues with this:

- fetchmail: reasonably complicated, has had flaws, adding complexity means more
  room for bugs which means more things to attack
- UUCP: you can do this over the network you know, of course uucp has a pretty bad
  track record (prolly safe but I wouldn't do it)
- spool mail up into a single file then use something like ftp/rsync to pull it:
  delays, complicated, etc.

If I had to do this I'd go with a postfix based relay in the DMZ, have it
forward on to the internal mail server. Way less maintenance too (fetchmail,
gyeah).

If I was really paranoid and had money I'd use an airgap server between the DMZ
and internal lan such as:
http://www.whalecommunications.com/fr_0200.htm

So ends today's lesson =). Goodnight and drive safely.

Kurt Seifried, seifried@xxxxxxxxxxxxxxxxxx
Securityportal - your focal point for security on the 'net
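
Added example, not part of the original message: a Postfix configuration sketch for the relay-only DMZ host described above, with no local delivery, relaying for one domain only, and forwarding to the internal mail server. The domain example.com, the host mail.internal.example and the map file paths are placeholders chosen for illustration.

```conf
# /etc/postfix/main.cf on the DMZ relay (constructed example).
# example.com and mail.internal.example are placeholders.

# Accept no mail for local accounts: nothing is delivered on this box.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# Relay only for our own domain; refuse everything else from outside.
mynetworks = 127.0.0.0/8
relay_domains = example.com
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Reject unknown recipients at the edge instead of queueing and bouncing.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Hand accepted mail to the internal server.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing).
# Square brackets suppress the MX lookup for the next hop.
#   example.com    smtp:[mail.internal.example]

# /etc/postfix/relay_recipients (run postmap on it as well):
#   user@example.com    OK

# /etc/postfix/master.cf: "y" in the chroot column runs smtpd chrooted.
# service type  private unpriv  chroot  wakeup  maxproc command
#   smtp    inet  n       -       y       -       -       smtpd
```

With this layout the firewall between the DMZ and the internal LAN only needs to allow SMTP from the relay to the internal mail server.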