Interesting question. I am going to waffle on a bit here as this is such
a huge subject......

SMTP is one of the only protocols that you have to allow in and out of
your organisation. In addition, SMTP exchanges often have to hold a list
of all the users of the system (MS Exchange for example). The host
running the SMTP Exchange also has to have a specific record defined in
DNS ... the MX record. Headers in SMTP mail can give away information
about routing inside your network and to the internet, and internal
network structure such as the IP range used for the internal LAN. So
there is a lot a would-be attacker could glean from your implementation
of SMTP which could be useful in attacking your internal LAN.

My preferred implementation would be something like the following......
Diagram.....

INTERNET CLOUD -----------------ISP NS ( MX record for SMTP Relay using
NAT IP address .. not real internal IP)
        |
        |
ROUTER
        |
        |       
FIREWALL (NAT - Block everything inbound except SMTP - Outbound allow
just what you need and only from relay host... i.e. use for www etc
as well)
        |
        |
SMTP RELAY (Content Analysis .. AV scanning, blocking of undesirable
content ... spam protection and anti relay .. i.e. only relay for mail
to your domain etc)
        |
        |
FIREWALL (NAT .... allow SMTP data only from SMTP Relay .... outbound
from MAIL Exchange and other proxies for www etc)
        |
        |
MAIL EXCHANGE (SMTP MAILSERVER)

Then, once you have this up, but before you go live, find a good and
reputable firm to perform a health check on the system to clear up any
vulnerabilities which may have gone unnoticed and unchecked. The
testing should comprise both external testing ... i.e. illegal access
to your LAN from outside ... and also internal testing to make sure your
users can't get around the securities you have configured .... make sure
the data flows allowed by your security policy are the only data flows
possible.... so check your security policy first .....

Have fun......

Cheers, Liam.

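As an added illustration (not code from the thread), here is a small Python model of the anti-relay decision the DMZ relay above has to make for every recipient, plus a pre-go-live audit of constructed probe connections; the domain, the client addresses and INTERNAL_SUBMITTERS (standing in for the inner-firewall NAT address of the mail exchange) are assumed placeholder values.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders, not values from the post: the domain this
# relay accepts mail for, and the inner-firewall NAT address of the
# mail exchange, the only host allowed to hand the relay outbound mail.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_SUBMITTERS = [ip_network("192.0.2.10/32")]


def relay_decision(client_ip, recipient):
    """Decide one RCPT TO: 'accept' (inbound mail for our domain, from
    anyone), 'relay' (outbound mail, only from the mail exchange) or
    'reject' (everything else, which an open relay would pass on)."""
    rcpt = recipient.strip().strip("<>").strip()
    if rcpt.count("@") != 1:  # malformed, or not a plain user@domain address
        return "reject"
    domain = rcpt.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return "accept"
    if any(ip_address(client_ip) in net for net in INTERNAL_SUBMITTERS):
        return "relay"
    return "reject"


def audit_relay_policy(probes):
    """Push constructed probe connections through the policy and return the
    ones that would be relayed; before go-live this should list nothing but
    the mail exchange's own outbound traffic."""
    return [(ip, rcpt) for ip, rcpt in probes if relay_decision(ip, rcpt) == "relay"]


PROBES = [  # (client IP as seen by the relay, recipient); all constructed
    ("203.0.113.5", "<bob@example.com>"),    # internet host delivering to us
    ("203.0.113.5", "alice@other.example"),  # internet host using us as a relay
    ("192.0.2.10", "alice@other.example"),   # the mail exchange sending out
    ("192.0.2.77", "alice@other.example"),   # another internal host, not allowed
    ("203.0.113.5", "bob"),                  # malformed recipient
]

if __name__ == "__main__":
    for ip, rcpt in PROBES:
        print(f"{ip:>14} -> {rcpt:<22} {relay_decision(ip, rcpt)}")
    print("would relay:", audit_relay_policy(PROBES))
```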

> ----------
> From:         Luiz Eduardo
> Sent:         11 April 2000 17:16
> To:   '[EMAIL PROTECTED]'
> Subject:      Re: The best way to do smtp
> 
> Please, I would like to know which is the more correct way of configuring
> and/or implementing an SMTP server. Should I place an SMTP server in the
> DMZ and another inside my internal network?
> How should I configure these servers? Should I have all the users on both
> servers?
> 
> thanks
> 
> Luiz Eduardo
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 