On Friday, 1 September 2023 13:54:47 CEST Freek de Kruijf wrote:
> On Friday, 1 September 2023 13:08:59 CEST mh@mike.franken.de wrote:
>> On Friday, 1 September 2023 12:39:14 CEST Freek de Kruijf wrote:
>>> Hi,
>>> [...]
>>> Please indicate whether you are interested in a script to implement these measures.
>>
>> I am always interested in security improvements, but I am not sure whether your suggested measures are applicable to my environment, although I have an internal mail server and my own domain(s). My domain is split between the outside world and my internal network, i.e. a few DNS entries are known world wide and hosted by external DNS servers, but most of the machines are only known within my internal network and are managed by internal DNS servers. My SMTP (Postfix) and my IMAP servers (Dovecot) are among these internal-only machines. Receiving mail is handled by UUCP (!!), sending mail by Postfix and SMTP directly to an SMTP server hosted by my computer club. Because there is no connection between the internal machines and the external DNS, I suspect that your measures won't work here. If I'm wrong, please correct me.
>>
>> Bye. Michael.
>
> The script I have been working on is about a rather simple environment. There is one domain name and you have a server which is serving that domain using Postfix and optionally Dovecot as IMAP/authentication server. Obviously it is connected rather directly to the global internet (maybe via port forwarding in your router).
>
> In your case I assume you have one or more servers, more or less directly connected to the internet. The measures I wrote about are only necessary on

The Postfix can't be reached from the internet; incoming mail is fetched via UUCP. The Dovecot server is available from the internet via VPN, but not directly. Outgoing mail can be sent via the Postfix server - in this direction by SMTP, not by UUCP. Everything is protected by pfSense routers *and* additionally by a Fritz!Box firewall.

> this/these server(s). The server of your computer club? It is a requirement that outgoing email to the internet is presented on port 587 (submission), obviously authenticated.

This is how my Postfix server is delivering mail to the SMTP server of my computer club.

> Is incoming email from the internet also coming into this/these server(s)?

No, incoming mail comes via UUCP.

> If yes, it is there where you do the checking, and when accepted you can send it on to wherever you want and with the protocol you want, but that is not covered in my script.

Probably checking can be done between the first Postfix, which gets the mails by UUCP, and the Postfix which delivers them internally.

> When you use the setup with one domain as an example, it is quite easy to expand it for more domains.

Ok. Thx. Bye. Michael.
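For readers of the thread who want to see what the "port 587 (submission), obviously authenticated" relay that Freek requires looks like in Postfix, here is an added example configuration. It is not Freek's script nor anything from Michael's setup; the relay host name, the credentials file path and the CA bundle path are placeholders to be replaced with your own. The settings themselves are standard Postfix SMTP-client parameters.

```ini
# /etc/postfix/main.cf (added example, not from the thread)
# Hand all outbound internet mail to the upstream submission service.
# Square brackets suppress MX lookup; the host name is a placeholder.
relayhost = [smtp.relay.example.invalid]:587

# Authenticate to the relay with SASL; never fall back to anonymous.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Require STARTTLS on the submission connection (port 587 is not TLS-wrapped)
# and check the relay's certificate against the system CA bundle so that
# credentials are never sent over an unauthenticated channel.
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# /etc/postfix/sasl_passwd (placeholder credentials; keep the file mode 0600):
#   [smtp.relay.example.invalid]:587 RELAY_USERNAME:RELAY_PASSWORD
# then build the lookup table and reload:
#   postmap /etc/postfix/sasl_passwd && postfix reload
```

To confirm the relay is taking effect, `postconf relayhost smtp_sasl_auth_enable smtp_tls_security_level` prints the active values, and after sending a test message the Postfix log should show the delivery to the relay host with `relay=smtp.relay.example.invalid[...]:587` and a `TLS connection established` line at log level 1. Inbound mail arriving over UUCP is untouched by these settings, which only govern the SMTP client side.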