Hi. Preparing a new DMZ server, I wonder how email from outside, which arrives at the DMZ server, is to be treated most securely. Is there a secure possibility to transfer the whole mail to my internal server (fetchmail?) where staff could get it by POP, or is POP from internal to DMZ secure enough? Clients run on WinNT. Any advice appreciated,
Rainer
--
thus spoke suse@diplan.de (on Sat, 06 Jan 2001 04:30:06PM +0100):
Preparing a new DMZ server, I wonder how email from outside, which arrives at the DMZ server, is to be treated most securely. Is there a secure possibility to transfer the whole mail to my internal server (fetchmail?) where staff could get it by POP, or is POP from internal to DMZ secure enough? Clients run on WinNT.
well, there's APOP, POP with SSL, and regular POP3 as well as IMAP. the last two transmit clear text passwords. the first two aren't free to implement as far as i know. i don't have experience with the first two, but what i do (linux clients) is to tunnel a POP3 channel via SSH2 port forwarding. if you find a way to forward something like port 11000 on the NT boxes to 110 of the mail server with SSH, then your problem would be solved. or you may want to consider VPN internally.
martin
[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- qvid me anxivs svm?
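The SSH port-forwarding setup Martin describes, written out for a Linux client as an added example (this is not Martin's script and not part of the original thread). The bastion name, the account name and local port 11000 are assumptions; the script binds the local end of the tunnel to loopback only, checks that the forwarded port really answers with a POP3 banner before the client is pointed at it, and refuses a forwarding spec that would republish plain POP3 to the whole LAN.

```shell
#!/usr/bin/env bash
# Added example (not from the list thread): tunnel POP3 through SSH port
# forwarding so the password never crosses the LAN in clear text.
# Host name, user and local port are assumptions.
set -eu

BASTION="${BASTION:-mail-dmz.example.com}"   # assumed DMZ mail host
SSH_USER="${SSH_USER:-popuser}"              # assumed account on the bastion
LOCAL_PORT="${LOCAL_PORT:-11000}"            # local end of the tunnel

# Compose the forwarding command. The local socket is bound to 127.0.0.1 so
# only this client can use the tunnel; a 0.0.0.0 bind would hand plain POP3
# to everyone on the LAN, which is exactly what the tunnel is meant to avoid.
tunnel_cmd() {
  lport="$1"; bastion="$2"; user="$3"
  case "$lport" in
    ''|*[!0-9]*) echo "tunnel_cmd: bad local port '$lport'" >&2; return 1 ;;
  esac
  # -N: no remote command; -L: local port -> port 110 on the bastion itself
  # (127.0.0.1 as seen from the bastion); ExitOnForwardFailure makes a busy
  # local port fail loudly instead of leaving the client on plain POP3.
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:110 %s@%s\n' \
    "$lport" "$user" "$bastion"
}

# Reject a -L spec whose local end is reachable beyond loopback.
forward_is_loopback() {
  case "$1" in
    127.0.0.1:*|localhost:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Probe the local end: a POP3 server greets with "+OK" before we send anything.
# Runs in a subshell (parentheses) so a failed connect cannot kill the caller;
# uses bash's /dev/tcp, so no netcat is needed on the client.
pop_banner_ok() (
  port="$1"
  exec 3<>"/dev/tcp/127.0.0.1/$port" 2>/dev/null || exit 1
  IFS= read -r -t 5 banner <&3 || { exec 3>&-; exit 1; }
  printf 'QUIT\r\n' >&3
  exec 3>&-
  case "$banner" in
    +OK*) exit 0 ;;
    *)    exit 1 ;;
  esac
)

# Usage: ./pop-tunnel.sh up    (no argument: only define the functions)
if [ "${1:-}" = "up" ]; then
  cmd="$(tunnel_cmd "$LOCAL_PORT" "$BASTION" "$SSH_USER")"
  echo "starting: $cmd"
  $cmd &                       # background; kill this process to drop the tunnel
  sleep 2
  if pop_banner_ok "$LOCAL_PORT"; then
    echo "POP3 answers on 127.0.0.1:$LOCAL_PORT; point the mail client there"
  else
    echo "no POP3 banner on 127.0.0.1:$LOCAL_PORT" >&2
    exit 1
  fi
fi
```

The mail client is then configured for server 127.0.0.1, port 11000; the plain POP3 exchange only ever exists on the client's loopback interface and on the bastion's loopback interface, with SSH carrying it in between.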
On 06:01-Jan:35, MaD dUCK wrote:
thus spoke suse@diplan.de (on Sat, 06 Jan 2001 04:30:06PM +0100):
Preparing a new DMZ server, I wonder how email from outside, which arrives at the DMZ server, is to be treated most securely. Is there a secure possibility to transfer the whole mail to my internal server (fetchmail?) where staff could get it by POP, or is POP from internal to DMZ secure enough? Clients run on WinNT.
well, there's APOP, POP with SSL, and regular POP3 as well as IMAP. the last two transmit clear text passwords. the first two aren't free to implement as far as i know. i don't have experience with the first two, but what i do (linux clients) is to tunnel a POP3 channel via SSH2 port forwarding. if you find a way to forward something like port 11000 on the NT boxes to 110 of the mail server with SSH, then your problem would be solved. or you may want to consider VPN internally.
martin
[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- qvid me anxivs svm?
thanks first. Actually, what troubles me more is having the email of the company lying "around" on the DMZ server. Wouldn't it be just better to get it away into the internal net as soon as possible? Secondly, to get the email by POP I have to have the user accounts on the machine, including the POP password, which is the default unix password on that machine. Being able to forward the received mail immediately to my internal server in a secure way, I could get rid of that possible problem. Users could then get the mail from the internal server. Of course I want to keep my receiving sendmail on the DMZ.
rainer
--
On Sat, 6 Jan 2001 suse@diplan.de wrote:
thanks first.
Actually, what troubles me more is having the email of the company lying "around" on the DMZ server. Wouldn't it be just better to get it away into the internal net as soon as possible?
Secondly, to get the email by POP I have to have the user accounts on the machine, including the POP password, which is the default unix password on that machine. Being able to forward the received mail immediately to my internal server in a secure way, I could get rid of that possible problem. Users could then get the mail from the internal server. Of course I want to keep my receiving sendmail on the DMZ.
rainer
--
Maybe I'm reading this too simply, but isn't it easier to have sendmail relay mail to your internal net? Keep the DMZ machine as main MX for your domain, have it receive the mail, and then alias all your users to the machine on the internal net. That would mean all external mail would arrive at the DMZ machine, which would accept it and then forward it to your internal net. Then you only need to allow that connection through your firewall.
Minimum hassle, no double user accounts. In fact, your DMZ machine wouldn't even need user accounts.
good luck
Stefan
BTW: POP sucks. try APOP or IMAPS
Hi,
Stefan Suurmeijer wrote:
Maybe I'm reading this too simply, but isn't it easier to have sendmail relay mail to your internal net? Keep the DMZ machine as main MX for your domain, have it receive the mail, and then alias all your users to the machine on the internal net. That would mean all external mail would arrive at the DMZ machine, which would accept it and then forward it to your internal net. Then you only need to allow that connection through your firewall.
But then, you need an open port from the DMZ into your internal net. I don't think that this is a good idea. If your DMZ's mail server is compromised, your internal net could be compromised in an easy way. (Normally you would have the same mail server/same version with the same bug in your internal net.) With no open ports from the DMZ to the local net, this should be harder. (I guess you can at least lock out script kiddies.) Wouldn't it be possible to write a script on the internal mail server which fetches the mail, and run a cron job every couple of minutes to get the mail?
Minimum hassle, no double user accounts. In fact, your DMZ machine wouldn't even need user accounts.
good luck
Stefan
BTW: POP sucks. try APOP or IMAPS
Sven
Sven Schultheiß:
Hi,
But then, you need an open port from the DMZ into your internal net. I don't think that this is a good idea.
I do. I would recommend everyone to set up a bastion host, which receives mail for your network and relays it to your internal mailserver. You only need to open a connection from your bastion host (port above 1023) to your internal mailserver (port 25). I don't see much trouble here.
If your DMZ's mail server is compromised, your internal net could be compromised in an easy way. (Normally you would have the same mail server/same version with the same bug in your internal net.)
Only true if the compromise is achieved via the mailservice. Otherwise the intruder would be able to send mail via SMTP to your internal mailserver. Of course one should use a recent, secured mailserver.
Wouldn't it be possible to write a script on the internal mail server which fetches the mail, and run a cron job every couple of minutes to get the mail?
and how is your mail transported in this scenario? This also opens a way from the DMZ to your internal network.
Peter
You should run a secure mailserver in your DMZ such as postfix on a completely stripped down box. You can also chroot postfix easily (no local delivery eh) and only the master program (30k or so) runs as root (and if that's flawed I'd be pretty surprised).
If you are super paranoid there are ways to pull the mail from internally, however there are some issues with this:
fetchmail: reasonably complicated, has had flaws, adding complexity means more room for bugs which means more things to attack
UUCP: you can do this over the network you know, of course uucp has a pretty bad track record (prolly safe but I wouldn't do it)
spool mail up into a single file then use something like ftp/rsync to pull it: delays, complicated, etc.
If I had to do this I'd go with a postfix based relay in the DMZ, have it forward on to the internal mail server. Way less maintenance too (fetchmail, gyeah). If I was really paranoid and had money I'd use an airgap server between the DMZ and internal lan such as: http://www.whalecommunications.com/fr_0200.htm
So ends today's lesson =). Goodnight and drive safely.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
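The relay design that Stefan, Peter and Kurt converge on, written out as an added example that is not anyone's code from this thread: Postfix on the DMZ bastion configured as a pure relay for one domain (no local delivery, so no mailboxes and no user accounts on the box), the transport entry that hands mail to the internal server, and the single hole through the inner firewall that Peter describes (bastion, unprivileged source port, to the internal MTA on port 25, and nothing else from the DMZ). The domain, host names and addresses are assumptions, as is iptables as the syntax of the inner filter; the `postconf`, `postmap` and `transport(5)` pieces are real Postfix tools. Chrooting the daemons, which Kurt mentions, is a separate master.cf step not shown here.

```shell
#!/usr/bin/env bash
# Added example, not code from anyone in this thread: Postfix on the DMZ
# bastion as a relay-only MX, plus the one inner-firewall rule it needs.
# All names and addresses below are assumptions.
set -eu

MAIL_DOMAIN="${MAIL_DOMAIN:-example.com}"               # assumed: domain the bastion is MX for
INTERNAL_MX="${INTERNAL_MX:-mail.internal.example.com}" # assumed: internal mail server name
BASTION_IP="${BASTION_IP:-192.0.2.10}"                  # assumed: bastion address in the DMZ
INTERNAL_IP="${INTERNAL_IP:-10.0.0.25}"                 # assumed: internal mail server address

# main.cf for a relay-only bastion: accept mail for the domain in $1 and
# nothing else, route it via the transport map, never deliver locally.
# reject_unauth_destination is what keeps the box from being an open relay.
render_main_cf() {
  cat <<EOF
mydestination =
local_transport = error:local delivery disabled on the bastion
relay_domains = $1
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# transport(5) entry: mail for the domain goes straight to the internal
# server; the brackets disable the MX lookup so a bad DNS answer cannot
# redirect the relay somewhere else.
render_transport() {
  printf '%s smtp:[%s]\n' "$1" "$2"
}

# Sanity check on a rendered main.cf: empty relay_domains, a missing
# reject_unauth_destination, or local delivery still enabled means the
# bastion is not the relay this design wants.
relay_cfg_is_sane() {
  cfg="$1"
  printf '%s\n' "$cfg" | grep -q '^relay_domains = ..*' || return 1
  printf '%s\n' "$cfg" | grep -q 'reject_unauth_destination' || return 1
  printf '%s\n' "$cfg" | grep -q '^mydestination =[[:space:]]*$' || return 1
  return 0
}

# The one hole through the inner firewall: bastion -> internal MTA port 25
# from an unprivileged source port, the replies back, and a drop for any
# other traffic originating in the DMZ.
render_fw_rules() {
  bastion="$1"; internal="$2"
  printf 'iptables -A FORWARD -p tcp -s %s --sport 1024:65535 -d %s --dport 25 -j ACCEPT\n' "$bastion" "$internal"
  printf 'iptables -A FORWARD -p tcp -s %s --sport 25 -d %s --dport 1024:65535 ! --syn -j ACCEPT\n' "$internal" "$bastion"
  printf 'iptables -A FORWARD -s %s -j DROP\n' "$bastion"
}

# Apply on the bastion itself (root, postfix installed): ./dmz-relay.sh apply
apply() {
  render_main_cf "$MAIL_DOMAIN" | while IFS= read -r line; do
    postconf -e "$line"
  done
  render_transport "$MAIL_DOMAIN" "$INTERNAL_MX" > /etc/postfix/transport
  postmap /etc/postfix/transport
  postfix reload
}

if [ "${1:-}" = "apply" ]; then
  apply
elif [ "${1:-}" = "show" ]; then
  render_main_cf "$MAIL_DOMAIN"
  render_transport "$MAIL_DOMAIN" "$INTERNAL_MX"
  render_fw_rules "$BASTION_IP" "$INTERNAL_IP"
fi
```

Run with `show` to review the generated settings and rules before applying anything. The internal server still needs to accept mail for the domain from the bastion's address; nothing in the internal net needs to reach the DMZ, which is the property Sven was asking for even though one port does open in the bastion-to-internal direction.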
On Sun, 7 Jan 2001, Kurt Seifried wrote:
If I had to do this I'd go with a postfix based relay in the DMZ, have it forward on to the internal mail server. Way less maintenance too (fetchmail, gyeah).
Exactly, although I do believe sendmail would do nicely as well ;-), sorry Kurt. Fetchmail = accounts = nono.
So ends today's lesson =). Goodnight and drive safely.
Tell us more, sensei.
Stefan
participants (6)
- Kurt Seifried
- MaD dUCK
- Peter Wiersig
- Stefan Suurmeijer
- suse@diplan.de
- Sven Schultheiß