Hi to all.
I would like to implement a secure Mail server.
This is an internal mail server and belongs to the network behind the
external firewall.
I also would like to have a system which permits external users to
connect to the internal mail
server in order to fetch their internal mail or to send their mail
through this server (POP with SSL and SMTP).
The only way I see to have external connection is to add a rule to my
firewall telling it to redirect all POP and SMTP
traffic to this internal server.
Is there a more secure way to do this? Is it secure to implement this
scheme?
I think this way my internal mail is exposed to the world, but I don't
see other solution to do what I pretend....
Any suggestion?
Thanks in advance,
P.S.: Sorry about my English
João Reis
==========================================================
Hi all,
I installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a
freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution.
Everything including x509-Support is tested and working fine.
Now I want to add NAT-Traversal functionality. As written in
/u/s/d/p/freeswan/README.SuSE the NAT-Traversal Patches (written by
Mathieu Lafon) for the *freeswan-package* are already inserted in
the package provided by SuSE.
But to get it running one has also to patch the *kernel* with the
fswan-nat-t-kernel.diff, they write, and which is provided in the
same directory.
I applied the patch to my kernel-sources (Return Code=0) and
recompiled the kernel:
- make oldconfig (perhaps wrong?? don't know what this exactly is
doing..)
- I took a look in make xconfig and noticed that there were no
possibilities to do configuration for IPSec, but at that moment I
didn't care
- changed the Makefile's Extraversion Number..
- make dep
- make clean
- make bzImage
- make modules
- make modules_install
I prepared my bootloader and did mkinitrd for that kernel. Booting
with that kernel was ok, but ipsec didn't start anymore:
"ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to
lack KLIPS."
I booted my old kernel again and according to some mails of this
list I took a look into .../kernel_modules/zz_freeswan/Makefile and
tried:
in that directory:
- make insert
Result: make xconfig in /usr/src/linux didn't work anymore.
- make kmodule
Result: make xconfig didn't work yet.
- make klink
Result: make xconfig worked again! And it had configuration-options
for IPSec!! I configured this - I took all the defaults I found
there, the only thing I changed was the IPSec-Stuff - and compiled
another kernel exactly as described above (except that I used
xconfig instead of oldconfig). Every step gave a Return Code of 0.
Result when booting this new kernel:
"Kernel panic: unresolved symbol reiserfs.o" (which is my boot
partition).
Question:
can anyone give me a hint about the correct way to apply this patch
and get a working kernel?
*Which* make steps / targets do I have to take in .../zz_freeswan/
(e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in
which order**?
Any help would be greatly appreciated.. thnxalot!
Kind regards
Elmar
==========================================================
Greetings All,
Sorry if this has been covered, I have googled a bit and haven't really come up with anything relevant.
Does anyone have a working Tripwire config for a SuSE 8.1 system? The SuSE 8.1 ships with Tripwire 1.2-597.
Thanks!
Grant
This electronic message transmission is a PRIVATE communication which contains
information which may be confidential or privileged. The information is intended
to be for the use of the individual or entity named above. If you are not the
intended recipient, please be aware that any disclosure, copying, distribution
or use of the contents of this information is prohibited. Please notify the
sender of the delivery error by replying to this message, or notify us by
telephone (877-633-2436, ext. 0), and then delete it from your system.
Grant
==========================================================
> Greetings all,
>
> We are configuring a sendmail relay server and are having some problems.
> Sendmail was all setup and working nicely, until I came along to install
> and configure SuSEfirewall2. Even with the firewall shutdown,
> sendmail fails to respond to remote connections.
When you stop SuSEfirewall2 the kernel modules are still loaded. You have to
unload the modules or to reboot without starting SuSEfirewall2 at startup.
> Actually, the banner appears, but sendmail won't respond to a helo or
> any other SMTP commands. When attempted locally, this works fine.
> Again, this is with the firewall shutdown (SuSEfirewall2 stop).
> The same symptoms occur with the firewall loaded.
Did you check the log-files (messages/warn)?
>
> Any ideas on what I should be looking for?
For e.g. 8.2:
In '/etc/sysconfig/SuSEfirewall2':
FW_SERVICES_EXT_TCP="smtp"
In '/etc/sysconfig/mail':
SMTPD_LISTEN_REMOTE="yes"
In the '/etc/hosts.allow':
sendmail: ALL : ALLOW
>
> TIA,
>
> Grant
>
>
rgds,
Sandro
==========================================================
Greetings all,
We are configuring a sendmail relay server and are having some problems. Sendmail was all setup and working nicely, until I came along to install and configure SuSEfirewall2. Even with the firewall shutdown, sendmail fails to respond to remote connections. Actually, the banner appears, but sendmail won't respond to a helo or any other SMTP commands. When attempted locally, this works fine. Again, this is with the firewall shutdown (SuSEfirewall2 stop). The same symptoms occur with the firewall loaded.
Any ideas on what I should be looking for?
TIA,
Grant
==========================================================
Is your new kernel missing reiserfs.o in the /lib/modules/<kernel
version>/kernel/fs/reiserfs/ directory?
If not then you have probably got a faulty config. If it is there then skip
this next section (skip to the ***s)...
Fixing your config
***
One thing that I found which helped and that might help you too.
You've already patched the kernel so future compiles will give you all the
Ipsec options that you need. Now you need to get a good config file to use!
This is the trick I did (was also backed up by others on this mailing list
on this trick)...
Boot using a working kernel, like the one that came with the distribution.
After booting you'll see a file called /proc/config.gz, copy that somewhere
to play with, unzip it and then check the resulting file. It should be a
kernel configuration file, similar to /usr/src/linux/.config - the latter is
the current kernel configuration as written by make xconfig (run in
/usr/src/linux/).
You've guessed it! Copy the unzipped file over /usr/src/linux/.config
before running make xconfig again. Then you should have a configuration
that's identical to your working configuration but with any changes you
choose to make. The obvious changes are to switch on Ipsec, the NAT
traversal and X509 patches, you can also switch on KLIPS debugging here,
which I would recommend - it doesn't run unless you set it to run anyway so
it *should* be built into KLIPS by default I think!
After this make a kernel as before and you should get full KLIPS with the
patches and your reiserfs.o!
***
If the build process did make reiserfs.o but you're still getting a kernel
panic then the problem is probably in the initrd. I don't have SuSE 8.2
here so you'll have to RTFM for me! If you do man -k initrd you should find
the commands that make initrd and install it, etc.
Come back to the group if that doesn't help.
Carl
>From: Elmar Marschke <elmar.marschke(a)epost.de>
>To: suse-security(a)suse.com
>Subject: [suse-security] How to apply IPSec NAT-Traversal Patch to
>SuSE8.2-Kernel ?
>Date: Sat, 27 Sep 2003 18:15:04 +0200
>
>Hi all,
>i installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a
>freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution.
>Everything including x509-Support is tested and working fine.
>
>Now i want to add NAT-Traversal functionality. As written in
>/u/s/d/p/freeswan/README.SuSE the NAT-Traversal Patches (written by
>Mathieu Lafon) for the *freeswan-package* are already inserted in
>the package provided by SuSE.
>But to get it running one has also to patch the *kernel* with the
>fswan-nat-t-kernel.diff, they write, and which is provided in the
>same directory.
>
>I applied the patch to my kernel-sources (Return Code=0) and
>recompiled the kernel:
>
>- make oldconfig (perhaps wrong?? don't know what this exactly is
>doing..)
>- I took a look in make xconfig and noticed that there were no
>possibilities to do configuration for IPSec, but at that moment I
>didn't care
>- changed the Makefile's Extraversion Number..
>- make dep
>- make clean
>- make bzImage
>- make modules
>- make modules_install
>
>I prepared my bootloader and did mkinitrd for that kernel. Booting
>with that kernel was ok, but ipsec didn't start anymore:
>"ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to
>lack KLIPS."
>I booted my old kernel again and according to some mails of this
>list i took a look into .../kernel_modules/zz_freeswan/Makefile and
>tried:
>in that directory:
>- make insert
>Result: make xconfig in /usr/src/linux didn't work anymore.
>- make kmodule
>Result: make xconfig didn't work yet.
>- make klink
>Result: make xconfig worked again! And it had configuration-options
>for IPSec!! I configured this -i took all the defaults i found
>there, the only thing i changed was the IPSec-Stuff- and compiled
>another kernel exactly as described above (except that i used
>xconfig instead oldconfig). Every step gave a Return Code of 0.
>Result when booting this new kernel:
>"Kernel panic: unresolved symbol reiserfs.o" (which is my boot
>partition).
>
>Question:
>can anyone give me a hint about the correct way to apply this patch
>and get a working kernel?
>*Which* make -steps / targets do i have to take in .../zz_freeswan/
>(e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in
>which order**?
>Any help would be greatly appreciated.. thnxalot!
>Kind regards
>Elmar
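A way to check the result of the /proc/config.gz approach described in the reply above before building, as an added example that is not part of the original thread. The function names are hypothetical, and CONFIG_IPSEC is assumed to be the KLIPS option name in the patched tree.

```shell
#!/bin/sh
# Added example (not from the thread). File arguments are whatever configs
# you want to compare, e.g. /proc/config.gz and /usr/src/linux/.config.

# enabled_opts FILE: print every CONFIG_x=y or CONFIG_x=m line, sorted.
# FILE may be gzip-compressed (name ending in .gz) or plain text.
enabled_opts() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | grep -E '^CONFIG_[A-Za-z0-9_]+=(y|m)$' | LC_ALL=C sort
}

# config_regressions GOOD NEW: list options that GOOD enables and NEW either
# drops or changes (y -> m matters for a root filesystem driver, which then
# has to be in the initrd).
config_regressions() {
    good=$(mktemp); new=$(mktemp)
    enabled_opts "$1" > "$good"
    enabled_opts "$2" > "$new"
    LC_ALL=C comm -23 "$good" "$new" | while IFS='=' read -r name val; do
        cur=$(grep "^$name=" "$new" | cut -d= -f2)
        echo "$name: $val -> ${cur:-unset}"
    done
    rm -f "$good" "$new"
}

# require_opts FILE OPT...: return non-zero if any OPT is not y or m in FILE.
require_opts() {
    cfg=$1; shift
    missing=0
    for opt in "$@"; do
        if ! enabled_opts "$cfg" | grep -q "^$opt="; then
            echo "not enabled: $opt"
            missing=1
        fi
    done
    return "$missing"
}

# Typical use before "make dep" (CONFIG_IPSEC is the assumed KLIPS option name):
#   config_regressions /proc/config.gz /usr/src/linux/.config
#   require_opts /usr/src/linux/.config CONFIG_REISERFS_FS CONFIG_IPSEC
```

An empty result from config_regressions means the new configuration still enables everything the booting kernel had, in the same built-in or module form.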
==========================================================
Yes, that's it.
I don't know why... all possible outgoing traffic has been blocked (for testing) but he will not hang up... :-(
bruno
Keith Roberts <keith(a)topaz5.worldonline.co.uk> wrote on 30.09.2003 15:48:57:
> On Tue, 30 Sep 2003 BLeonhardt(a)analytek.de wrote:
>
> > Hi,
> >
> > > What are you trying to do before timeout is reached?
> > -> just surfing
> >
> > > What happens before timeout is reached?
> > -> some icmp messages from outside and some other requests (i.e. worms, etc.)
> >
> > > What are you trying to do after timeout is reached?
> > -> nothing / just doing some other work and if he hangs up he won't dial
> > until I request it (so my local blocking rules are working correctly, i.e.
> > netbios, multicast messages, etc.)
> >
> > > What is happening when timeout is reached?
> > -> nothing - the isdn-int. won't hang up // I saw some icmp messages (type 8
> > code 0 // just a ping I think) and other stuff from worms, etc.
>
> Is this the problem then - Your ISDN connection not going
> down after a certain amount of inactivity on the ISDN
> line?
>
> Regards - Keith
==========================================================
Hi Elmar,
I also needed NAT-Traversal with FreeSWAN.
First I wanted to apply the NAT-Traversal-Patch, like you,
but then I saw that the X.509-Patch also has a NAT-Traversal
functionality. This X.509-Patch is applied to the FreeSWAN
package shipped with SuSE 8.2.
See
http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#secti…
Best regards
Andy
==========================================================
Hi,
> What are you trying to do before timeout is reached?
-> just surfing
> What happens before timeout is reached?
-> some icmp messages from outside and some other requests (i.e. worms, etc.)
> What are you trying to do after timeout is reached?
-> nothing / just doing some other work and if he hangs up he won't dial until I request it (so my local blocking rules are working correctly, i.e. netbios, multicast messages, etc.)
> What is happening when timeout is reached?
-> nothing - the isdn-int. won't hang up // I saw some icmp messages (type 8 code 0 // just a ping I think) and other stuff from worms, etc.
bruno
Keith Roberts <keith(a)topaz5.worldonline.co.uk> wrote on 30.09.2003 12:27:39:
> On Tue, 30 Sep 2003 BLeonhardt(a)analytek.de wrote:
>
> > Hi,
> >
> > I'm running a self-made linux-isdn-router at home and wondering that the
> > idle timeout isn't working correctly. I see several inbound connections (in
> > the fw-log) which will be dropped after logging. Now, usually the idle-
> > timeout will wait for 300 seconds until no traffic was gone through the
> > isdn-interface.
> >
> > I am logging portscans, etc. on the isdn-interface - could this be the
> > reason why the idle timeout won't work correctly? I didn't try to not log
> > incoming syn's on the isdn-interface (it's very important for me to see who
> > wants to come in...).
> >
> > What should / could I else do to prevent that the timeout won't be reached?
>
> What are you trying to do before timeout is reached?
>
> What happens before timeout is reached?
>
> What are you trying to do after timeout is reached?
>
> What is happening when timeout is reached?
>
> Kind Regards - Keith Roberts
>
> > yours,
> > bruno
==========================================================
Hi,
I'm running a self-made linux-isdn-router at home and wondering that the idle timeout isn't working correctly. I see several inbound connections (in the fw-log) which will be dropped after logging. Now, usually the idle-timeout will wait for 300 seconds until no traffic was gone through the isdn-interface.
I am logging Portscans, etc. on the isdn-interface - could this be the reason why the idle timeout won't work correctly ? I didn't try to not log incoming syn's on the isdn-interface ( it's very important for me to see - who wants to come in .. ).
What should / could I else do to prevent that the timeout won't be reached ?
yours,
bruno