2 Postfix servers (DMZ + LAN)


Augusto Casagrande-2
Hi
My idea is to put 2 MTA servers, one in the DMZ and the other in the LAN.
The goal is to get security in the LAN, and only expose one server
to the internet. Also, I want to "decompress" the traffic between
the LAN and internet.
So far, I've managed to send email from @myfomail.com to
@mydomain.com, and from untrusted (internet) networks to
@mydomain.com. But I cannot send from @mydomain.com to untrusted
(internet) networks (i.e. @yahoo.com, @gmail.com).

My DMZ Postfix postconf -d:

alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 172.20.22.12, 26.80.xxx.xxx, localhost
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = $mydomain
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = mydomain.com
myhostname = cluster2.mydomain.com
mynetworks = 172.20.22.14
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relay_domains = correo.mydomain.com
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

And the LAN Postfix postconf -d :

alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 172.20.22.14, localhost
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 102400000
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain $mydomain, correo.mydomain.com
mydomain = mydomain.com
myhostname = cluster1.mydomain.com
mynetworks = 172.16.40.0/24, 127.0.0.0/8, 172.20.0.0/16
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtpd_banner =
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

My DNS server direct-zone file :

$ORIGIN .
$TTL 86400      ; 1 day
mydomain.com          IN SOA  cluster1.mydomain.com. root.mydomain.com. (
                                2009077609 ; serial
                                60         ; refresh (1 minute)
                                60         ; retry (1 minute)
                                3600       ; expire (1 hour)
                                86400      ; minimum (1 day)
                                )
                        NS      cluster1.mydomain.com.
                        NS      cluster3.mydomain.com.
                        A       172.20.22.14
                        MX      5 cluster2.mydomain.com.
$ORIGIN mydomain.com.
cluster1                A       172.20.22.14
cluster2                A       172.20.22.12
cluster3                A       172.20.22.13
correo                  A       172.20.22.14

I'm new at Postfix, and my English is not so good, but any help will
be appreciated.
Thank you very much!

Augusto

Re: 2 Postfix servers (DMZ + LAN)

Charles Marcus
On 10/2/2009, Augusto Casagrande ([hidden email]) wrote:
> My DMZ Postfix postconf -d:

-d only gives the defaults...

You need to provide postconf -n output...

--

Best regards,

Charles

Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
In reply to this post by Augusto Casagrande-2
On 2009-10-02 Augusto Casagrande wrote:
> My idea is to put 2 MTA servers, one in the DMZ and the other in the
> LAN. The goal is to get security in the LAN, and only expose one
> server to the internet. Also, I want to "decompress" the traffic
> between the LAN and internet.
> So far, I've managed to send email from @myfomail.com to
> @mydomain.com, and from untrusted (internet) networks to
> @mydomain.com. But I cannot send from @mydomain.com to untrusted
> (internet) networks (i.e. @yahoo.com, @gmail.com).

What route is your mail supposed to take?

Inbound:  I-net -->   MX    --> LAN-MTA
                    DMZ-MTA

Outbound: Client --> LAN-MTA --> Smarthost --> I-net
                                  DMZ-MTA

Which server hosts your users' mailboxes?

> My DMZ Postfix postconf -d:
[...]
> And the LAN Postfix postconf -d :

Please post the output of "postconf -n" (-d will report the defaults,
which won't help much). Also please refrain from obfuscating things
unless you know exactly what you're doing.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Re: 2 Postfix servers (DMZ + LAN)

Augusto Casagrande-2
Sorry, my mistake: it was actually postconf -n (as you can see, there
are no default options).

The users' mailboxes are in the LAN MTA.

The route for inbound is: Internet->MX->DMZ MTA->LAN MTA
For outbound: Clnt->LAN MTA->DMZ MTA

Regards.

2009/10/2 Ansgar Wiechers <[hidden email]>:

> On 2009-10-02 Augusto Casagrande wrote:
>> My idea is to put 2 MTA servers, one in the DMZ and the other in the
>> LAN. The goal is to get security in the LAN, and only expose one
>> server to the internet. Also, I want to "decompress" the traffic
>> between the LAN and internet.
>> So far, I've managed to send email from @myfomail.com to
>> @mydomain.com, and from untrusted (internet) networks to
>> @mydomain.com. But I cannot send from @mydomain.com to untrusted
>> (internet) networks (i.e. @yahoo.com, @gmail.com).
>
> What route is your mail supposed to take?
>
> Inbound:  I-net -->   MX    --> LAN-MTA
>                    DMZ-MTA
>
> Outbound: Client --> LAN-MTA --> Smarthost --> I-net
>                                  DMZ-MTA
>
> Which server hosts your users' mailboxes?
>
>> My DMZ Postfix postconf -d:
> [...]
>> And the LAN Postfix postconf -d :
>
> Please post the output of "postconf -n" (-d will report the defaults,
> which won't help much). Also please refrain from obfuscating things
> unless you know exactly what you're doing.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>

Re: 2 Postfix servers (DMZ + LAN)

mouss-4
In reply to this post by Augusto Casagrande-2
Augusto Casagrande wrote:

> Hi
> My idea is to put 2 MTA servers, one in the DMZ and the other in the LAN.
> The goal is to get security in the LAN, and only expose one server
> to the internet. Also, I want to "decompress" the traffic between
> the LAN and internet.
> So far, I've managed to send email from @myfomail.com to
> @mydomain.com, and from untrusted (internet) networks to
> @mydomain.com. But I cannot send from @mydomain.com to untrusted
> (internet) networks (i.e. @yahoo.com, @gmail.com).
>

configure the LAN postfix to relay mail via the DMZ one. use relayhost
for this. The DMZ postfix must allow relay from the LAN postfix. use
mynetworks for this (if NAT is used, use the IP as seen from the DMZ
postfix).

for help, you need to describe what happens exactly. "I cannot send" is
not very helpful.

> [snip]

Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
In reply to this post by Augusto Casagrande-2
On 2009-10-02 Augusto Casagrande wrote:
> Sorry, my mistake: it was actually postconf -n (as you can see, there
> are no default options).
>
> The users' mailboxes are in the LAN MTA.
>
> The route for inbound is: Internet->MX->DMZ MTA->LAN MTA

Is your DMZ server supposed to be the MX or do you have a third server
that is acting as MX?

Anyway, I'd strongly discourage using a setup where a DMZ server relays
mail to an internal server, because that would effectively break the
DMZ. An (IMHO) better approach would be to make the DMZ server the
endpoint for inbound mail, and then have your LAN server pull the mail
from it.

If you absolutely must relay mail from the DMZ to your LAN, at least
make sure that the DMZ server is thoroughly hardened.

After these general DMZ/firewall considerations back to Postfix
configuration. To avoid generating backscatter you need to make sure
that your MX only accepts mail for valid recipients. You could use the
reject_unverified_recipient restriction [1]. Personally I'd prefer to
use relay_recipient_maps [2] and maintain a list of valid recipients,
though. Depending on your environment, that list can be generated and
pushed to the MX automatically.

> For outbound: Clnt->LAN MTA->DMZ MTA

Configure the LAN server to relay all mail through the DMZ server [3].

[1] http://www.postfix.org/postconf.5.html#reject_unverified_recipient
[2] http://www.postfix.org/postconf.5.html#relay_recipient_maps
[3] http://www.postfix.org/postconf.5.html#relayhost

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
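As an added example (not code from the thread, and not part of Postfix itself), the following Python script parses the two postconf -n dumps the original poster showed and checks the three points raised in mouss's and Ansgar's replies: the LAN MTA must set relayhost to the DMZ MTA, the DMZ MTA's mynetworks must cover the LAN MTA, and the DMZ MTA should validate relayed recipients through relay_recipient_maps or reject_unverified_recipient so it does not produce backscatter. The sample dumps are trimmed copies of the posted values (the obfuscated public address is left out); the relay_recipients map path and the bracketed relayhost value used in the "fixed" variant are assumptions for illustration.

```python
"""Lint two 'postconf -n' dumps for the DMZ/LAN relay chain discussed in the
thread.  Added example, not from the list posts; the sample dumps below are
constructed from the values the original poster showed."""
import ipaddress
import re

# Constructed from the posted DMZ postconf -n (public address omitted).
DMZ_POSTCONF = """\
inet_interfaces = 172.20.22.12, localhost
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = mydomain.com
myhostname = cluster2.mydomain.com
mynetworks = 172.20.22.14
relay_domains = correo.mydomain.com
relayhost =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
"""

# Constructed from the posted LAN postconf -n.
LAN_POSTCONF = """\
inet_interfaces = 172.20.22.14, localhost
mydestination = $myhostname, localhost.$mydomain $mydomain, correo.mydomain.com
mydomain = mydomain.com
myhostname = cluster1.mydomain.com
mynetworks = 172.16.40.0/24, 127.0.0.0/8, 172.20.0.0/16
relayhost =
"""

LAN_MTA_IP = "172.20.22.14"              # LAN MTA as seen by the DMZ MTA
INTERNAL_DOMAIN = "correo.mydomain.com"  # domain whose mailboxes sit on the LAN MTA


def parse_postconf(text):
    """Turn 'name = value' lines (postconf -n format) into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def expand(conf, value):
    """Expand $name references against the same dump (one level is enough here)."""
    return re.sub(r"\$(\w+)", lambda m: conf.get(m.group(1), ""), value)


def split_list(value):
    """Postfix list values may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def relayhost_target(value):
    """Host part of a relayhost value such as '[cluster2.mydomain.com]:25'."""
    value = value.strip()
    if value.startswith("["):
        return value[1:].split("]", 1)[0]
    return value.split(":", 1)[0]


def in_mynetworks(conf, address):
    """True if address matches an address or CIDR entry in mynetworks."""
    ip = ipaddress.ip_address(address)
    for entry in split_list(expand(conf, conf.get("mynetworks", ""))):
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # table entries such as hash:/path are not evaluated here
    return False


def lint_relay_chain(dmz, lan, lan_ip=LAN_MTA_IP, internal_domain=INTERNAL_DOMAIN):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    # 1. Outbound: the LAN MTA must hand everything to the DMZ MTA (relayhost).
    relayhost = expand(lan, lan.get("relayhost", ""))
    dmz_names = {expand(dmz, dmz.get("myhostname", ""))}
    dmz_names.update(split_list(expand(dmz, dmz.get("inet_interfaces", ""))))
    if not relayhost:
        findings.append("LAN: relayhost is empty, so outbound mail is delivered "
                        "directly instead of via the DMZ MTA")
    elif relayhost_target(relayhost) not in dmz_names:
        findings.append(f"LAN: relayhost {relayhost!r} does not name the DMZ MTA")
    # 2. The DMZ MTA must let the LAN MTA relay (permit_mynetworks).
    if not in_mynetworks(dmz, lan_ip):
        findings.append(f"DMZ: mynetworks does not cover the LAN MTA {lan_ip}")
    # 3. Inbound: relay the internal domain and reject unknown recipients early.
    if internal_domain not in split_list(expand(dmz, dmz.get("relay_domains", ""))):
        findings.append(f"DMZ: {internal_domain} is not in relay_domains")
    restrictions = dmz.get("smtpd_recipient_restrictions", "")
    if not dmz.get("relay_recipient_maps") and "reject_unverified_recipient" not in restrictions:
        findings.append("DMZ: no relay_recipient_maps and no reject_unverified_recipient; "
                        "mail for unknown users is accepted and bounced later (backscatter)")
    return findings


def run_sample():
    """Lint the posted configuration, then the same dumps with the fixes applied."""
    dmz, lan = parse_postconf(DMZ_POSTCONF), parse_postconf(LAN_POSTCONF)
    before = lint_relay_chain(dmz, lan)
    # Fixes the replies recommend; the map file path is a placeholder.
    fixed_lan = dict(lan, relayhost="[cluster2.mydomain.com]")
    fixed_dmz = dict(dmz, relay_recipient_maps="hash:/etc/postfix/relay_recipients")
    return before, lint_relay_chain(fixed_dmz, fixed_lan)


if __name__ == "__main__":
    before, after = run_sample()
    print("posted config:", *before, sep="\n  ")
    print("after fixes:", after or "no findings")
```

Run against the posted dumps it reports two findings (empty relayhost on the LAN MTA, and no recipient validation on the DMZ MTA) and none once relayhost and relay_recipient_maps are set. The linter only evaluates address and CIDR entries in mynetworks; table lookups (hash:, cidr:) are skipped, which is a simplification of what Postfix itself does.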

Re: 2 Postfix servers (DMZ + LAN)

mouss-4
Ansgar Wiechers wrote:

> On 2009-10-02 Augusto Casagrande wrote:
>> Sorry, my mistake: it was actually postconf -n (as you can see, there
>> are no default options).
>>
>> The users' mailboxes are in the LAN MTA.
>>
>> The route for inbound is: Internet->MX->DMZ MTA->LAN MTA
>
> Is your DMZ server supposed to be the MX or do you have a third server
> that is acting as MX?
>
> Anyway, I'd strongly discourage using a setup where a DMZ server relays
> mail to an internal server, because that would effectively break the
> DMZ. An (IMHO) better approach would be to make the DMZ server the
> endpoint for inbound mail, and then have your LAN server pull the mail
> from it.

what kind of "pull" do you have in mind? if it's fetchmail or the like,
then no. If mail should end up in the LAN, then relay is the best option.

anyway, it is ok to relay mail from the DMZ to the LAN.

>
> If you absolutely must relay mail from the DMZ to your LAN, at least
> make sure that the DMZ server is thoroughly hardened.
>

indeed. and if it's not, then just get rid of it! and this doesn't
depend on push or pull.

> [snip]


RE: 2 Postfix servers (DMZ + LAN)

Terry Gilsenan

Terry Gilsenan
Corporate IT Manager
InterOil Corporation
P: +61 (7) 4046-4698
M: +61 417-600-360
________________________________________
From: [hidden email] [[hidden email]] On Behalf Of mouss [[hidden email]]
Sent: Monday, 5 October 2009 7:01 AM
To: [hidden email]
Subject: Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers wrote:

> On 2009-10-02 Augusto Casagrande wrote:
>> Sorry, my mistake: it was actually postconf -n (as you can see, there
>> are no default options).
>>
>> The users' mailboxes are in the LAN MTA.
>>
>> The route for inbound is: Internet->MX->DMZ MTA->LAN MTA
>
> Is your DMZ server supposed to be the MX or do you have a third server
> that is acting as MX?
>
> Anyway, I'd strongly discourage using a setup where a DMZ server relays
> mail to an internal server, because that would effectively break the
> DMZ. An (IMHO) better approach would be to make the DMZ server the
> endpoint for inbound mail, and then have your LAN server pull the mail
> from it.

what kind of "pull" do you have in mind? if it's fetchmail or the like,
then no. If mail should end up in the LAN, then relay is the best option.

anyway, it is ok to relay mail from the DMZ to the LAN.

>
> If you absolutely must relay mail from the DMZ to your LAN, at least
> make sure that the DMZ server is thoroughly hardened.
>

indeed. and if it's not, then just get rid of it! and this doesn't
depend on push or pull.


Heh, that depends on how big the server is, getting rid of it could involve quite a lot of pushing and pulling....

/me slinks off to hide under a rock


Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
In reply to this post by mouss-4
On 2009-10-04 mouss wrote:

> Ansgar Wiechers wrote:
>> On 2009-10-02 Augusto Casagrande wrote:
>>> Sorry, my mistake: it was actually postconf -n (as you can see,
>>> there are no default options).
>>>
>>> The users' mailboxes are in the LAN MTA.
>>>
>>> The route for inbound is: Internet->MX->DMZ MTA->LAN MTA
>>
>> Is your DMZ server supposed to be the MX or do you have a third
>> server that is acting as MX?
>>
>> Anyway, I'd strongly discourage using a setup where a DMZ server
>> relays mail to an internal server, because that would effectively
>> break the DMZ. An (IMHO) better approach would be to make the DMZ
>> server the endpoint for inbound mail, and then have your LAN server
>> pull the mail from it.
>
> what kind of "pull" do you have in mind? if it's fetchmail or the
> like, then no.

Why?

> anyway, it is ok to relay mail from the DMZ to the LAN.

No.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: 2 Postfix servers (DMZ + LAN)

Sahil Tandon
On Sun, 04 Oct 2009, Ansgar Wiechers wrote:

> On 2009-10-04 mouss wrote:
>
>> anyway, it is ok to relay mail from the DMZ to the LAN.
>
> No.

Why?

--
Sahil Tandon <[hidden email]>

Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
On 2009-10-04 Sahil Tandon wrote:
> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>> On 2009-10-04 mouss wrote:
>>
>>> anyway, it is ok to relay mail from the DMZ to the LAN.
>>
>> No.
>
> Why?

Because violating the DMZ is never okay without a Damn Good Reason(tm).
That's firewalling 101. If you allow inbound connections from untrusted
to trusted networks, there's no point in having a DMZ in the first
place.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: 2 Postfix servers (DMZ + LAN)

Sahil Tandon
On Sun, 04 Oct 2009, Ansgar Wiechers wrote:

> On 2009-10-04 Sahil Tandon wrote:
> > On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> >> On 2009-10-04 mouss wrote:
> >>
> >>> anyway, it is ok to relay mail from the DMZ to the LAN.
> >>
> >> No.
> >
> > Why?
>
> Because violating the DMZ is never okay without a Damn Good Reason(tm).
> That's firewalling 101. If you allow inbound connections from untrusted
> to trusted networks, there's no point in having a DMZ in the first
> place.

I appreciate the adherence to Firewalling 101 (something you have
preached before on security-basics), but common sense and practical
issues might impel one to make an exception and allow port 25 *only*
from Outside Postfix -> Inside Postfix.

IMHO, of course.  YMMV, TMTOWTDI and all other disclaiming acronyms.

--
Sahil Tandon <[hidden email]>

Re: 2 Postfix servers (DMZ + LAN)

Wietse Venema
Sahil Tandon:

> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>
> > On 2009-10-04 Sahil Tandon wrote:
> > > On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> > >> On 2009-10-04 mouss wrote:
> > >>
> > >>> anyway, it is ok to relay mail from the DMZ to the LAN.
> > >>
> > >> No.
> > >
> > > Why?
> >
> > Because violating the DMZ is never okay without a Damn Good Reason(tm).
> > That's firewalling 101. If you allow inbound connections from untrusted
> > to trusted networks, there's no point in having a DMZ in the first
> > place.
>
> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.
>
> IMHO, of course.  YMMV, TMTOWTDI and all other disclaiming acronyms.

If they really want no open ports, they can run UUCP between inside
and outside machine, where inside polls the outside machine.

        Wietse

Re: 2 Postfix servers (DMZ + LAN)

Stan Hoeppner
In reply to this post by Sahil Tandon
Sahil Tandon put forth on 10/4/2009 5:28 PM:

> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.
>
> IMHO, of course.  YMMV, TMTOWTDI and all other disclaiming acronyms.

DMZs are overrated in most situations, and merely add unnecessary
complexity to security goals easily accomplished by simpler methods.
For instance, merely implementing inbound TCP 25 PAT on a
NATi'ing/PAT'ing firewall/router would accomplish all security needs
with the exception of possible attacks on the smtpd listening daemon.
However, due to Wietse's modular daemon design and limited privileges of
the daemon user, attacks on the listener daemon could only allow for
DoS, not compromise.  To date I've not heard of such an attack.  I'm not
saying it hasn't occurred, I've just not heard of such a case.

You're better off using your firewall for what it's meant to do instead
of playing with DMZ hosts, which normally cause more problems than they
solve (already proven in this case).

--
Stan

Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
In reply to this post by Sahil Tandon
On 2009-10-04 Sahil Tandon wrote:

> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>> On 2009-10-04 Sahil Tandon wrote:
>>> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>>>> On 2009-10-04 mouss wrote:
>>>>> anyway, it is ok to relay mail from the DMZ to the LAN.
>>>>
>>>> No.
>>>
>>> Why?
>>
>> Because violating the DMZ is never okay without a Damn Good Reason(tm).
>> That's firewalling 101. If you allow inbound connections from untrusted
>> to trusted networks, there's no point in having a DMZ in the first
>> place.
>
> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.

I have yet to see what "common sense" or "practical issues" would
"impel" someone to make this exception. You may want to elaborate on
that one.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: 2 Postfix servers (DMZ + LAN)

Ansgar Wiechers
In reply to this post by Stan Hoeppner
On 2009-10-04 Stan Hoeppner wrote:

> Sahil Tandon put forth on 10/4/2009 5:28 PM:
>> I appreciate the adherence to Firewalling 101 (something you have
>> preached before on security-basics), but common sense and practical
>> issues might impel one to make an exception and allow port 25 *only*
>> from Outside Postfix -> Inside Postfix.
>
> DMZs are overrated in most situations, and merely add unnecessary
> complexity to security goals easily accomplished by simpler methods.
> For instance, merely implementing inbound TCP 25 PAT on a
> NATi'ing/PAT'ing firewall/router would accomplish all security needs
> with the exception of possible attacks on the smtpd listening daemon.

A scenario like that most certainly does *not* accomplish "all security
needs". Not only is NAT (or PAT for that matter) not designed to be a
security measure, your setup still allows an outside attacker to
directly attack a host INSIDE YOUR LOCAL NETWORK. Meaning that in case
of a remotely exploitable vulnerability the attacker steps directly into
your LAN. Which is exactly what a DMZ is supposed to prevent.

Whether or not someone's security needs justify the additional
complexity introduced by a DMZ is a different matter, but a blanket
statement "inbound 25/tcp PAT accomplishes all security needs" is just
plain and utterly wrong.

> However, due to Wietse's modular daemon design and limited privileges
> of the daemon user, attacks on the listener daemon could only allow
> for DoS, not compromise.

Running a daemon with limited privileges makes it harder to compromise
the entire system. It doesn't make it harder to compromise the account
running the daemon. And it most certainly doesn't rule out the
possibility of a compromise.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: 2 Postfix servers (DMZ + LAN)

Sahil Tandon
In reply to this post by Ansgar Wiechers
On Mon, 05 Oct 2009, Ansgar Wiechers wrote:

> On 2009-10-04 Sahil Tandon wrote:
> > On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> >> On 2009-10-04 Sahil Tandon wrote:
> >>> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> >>>> On 2009-10-04 mouss wrote:
> >>>>> anyway, it is ok to relay mail from the DMZ to the LAN.
> >>>>
> >>>> No.
> >>>
> >>> Why?
> >>
> >> Because violating the DMZ is never okay without a Damn Good Reason(tm).
> >> That's firewalling 101. If you allow inbound connections from untrusted
> >> to trusted networks, there's no point in having a DMZ in the first
> >> place.
> >
> > I appreciate the adherence to Firewalling 101 (something you have
> > preached before on security-basics), but common sense and practical
> > issues might impel one to make an exception and allow port 25 *only*
> > from Outside Postfix -> Inside Postfix.
>
> I have yet to see what "common sense" or "practical issues" would
> "impel" someone to make this exception. You may want to elaborate on
> that one.

Happy to take this off list with you and mouss, without extraneous
"quotations".

--
Sahil Tandon <[hidden email]>

Re: 2 Postfix servers (DMZ + LAN)

mouss-4
Sahil Tandon wrote:

> On Mon, 05 Oct 2009, Ansgar Wiechers wrote:
>
>> On 2009-10-04 Sahil Tandon wrote:
>>> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>>>> On 2009-10-04 Sahil Tandon wrote:
>>>>> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>>>>>> On 2009-10-04 mouss wrote:
>>>>>>> anyway, it is ok to relay mail from the DMZ to the LAN.
>>>>>> No.
>>>>> Why?
>>>> Because violating the DMZ is never okay without a Damn Good Reason(tm).
>>>> That's firewalling 101. If you allow inbound connections from untrusted
>>>> to trusted networks, there's no point in having a DMZ in the first
>>>> place.
>>> I appreciate the adherence to Firewalling 101 (something you have
>>> preached before on security-basics), but common sense and practical
>>> issues might impel one to make an exception and allow port 25 *only*
>>> from Outside Postfix -> Inside Postfix.
>> I have yet to see what "common sense" or "practical issues" would
>> "impel" someone to make this exception. You may want to elaborate on
>> that one.
>
> Happy to take this off list with you and mouss, without extraneous
> "quotations".
>

no, thanks. OP seems to be a 101 oriented guy. I am a 69 oriented guy.
that's 32 points difference ;-p