Mailinglist Archive: opensuse-security (564 mails)

Re: [suse-security] Getting mail via POP from DMZ server
  • From: Sven Schultheiß <schultheiss@xxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 07 Jan 2001 12:21:21 +0100
  • Message-id: <3A585131.C5F40D3C@xxxxxxxxxxxxxxxxxxx>

Stefan Suurmeijer wrote:
> Maybe I'm reading this too simply, but isn't it easier to have sendmail
> relay mail to your internal net?? Keep the dmz machine as main MX for
> your domain, have it receive the mail, and then alias all your users to
> the machine on the internal net. That would mean all external mail would
> arrive at the dmz machine, which would accept it and then forward it to
> your internal net. Then you only need to allow that connection through
> your firewall.

But then you need an open port from the DMZ into your internal net. I
don't think that this is a good idea. If your DMZ's mail server is
compromised, your internal net could be compromised in an easy way.
(Normally you would have the same mail server/same version with the same
bug in your internal net.)
With no open ports from the DMZ to the local net, this should be harder.
(I guess you can at least lock out script kiddies.)

Wouldn't it be possible to write a script on the internal mail server
which fetches the mail, and run a cron job every couple of minutes to get
the mail?

> Minimum hassle, no double user accounts. In fact, your dmz
> machine wouldn't even need user accounts.
> good luck
> Stefan
> BTW: POP sucks. Try APOP or IMAPS.
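
The pull approach asked about in this message, as an added example (not code from the thread): a script run from cron on the internal server that connects outward to the DMZ host over POP3 with TLS, so the firewall needs no rule for connections initiated from the DMZ. The host name, mailbox path and environment variable names are placeholder assumptions.

```python
"""Pull mail from the DMZ host over POP3S; meant to run from cron internally."""
import mailbox
import os
import poplib
import ssl

DMZ_HOST = "mail.dmz.example"    # assumption: placeholder host name
LOCAL_MBOX = "/var/mail/pulled"  # assumption: placeholder delivery path


def drain(pop, deliver):
    """Fetch every message from an authenticated POP3 session.

    A message is marked for deletion only after deliver() has returned, so a
    failed delivery leaves it on the DMZ host for the next cron run.
    Returns (delivered, failed) counts.
    """
    delivered = failed = 0
    try:
        count, _size = pop.stat()
        for num in range(1, count + 1):
            _resp, lines, _octets = pop.retr(num)
            raw = b"\r\n".join(lines) + b"\r\n"
            try:
                deliver(raw)
            except Exception:
                failed += 1      # keep it on the server, retry next run
                continue
            pop.dele(num)
            delivered += 1
    finally:
        pop.quit()               # QUIT commits the deletions marked above
    return delivered, failed


def main():
    box = mailbox.mbox(LOCAL_MBOX)
    box.lock()
    try:
        ctx = ssl.create_default_context()  # verifies the DMZ host's certificate
        pop = poplib.POP3_SSL(DMZ_HOST, 995, context=ctx, timeout=30)
        pop.user(os.environ["PULL_USER"])       # assumption: variable names
        pop.pass_(os.environ["PULL_PASSWORD"])

        def deliver(raw):
            box.add(raw)
            box.flush()          # on disk before the DMZ copy is deleted
        return drain(pop, deliver)
    finally:
        box.close()              # flushes and releases the lock


if __name__ == "__main__":
    print("delivered=%d failed=%d" % main())
```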

