On Wed, 6 Feb 2002 [EMAIL PROTECTED] wrote:

> Date: Wed, 6 Feb 2002 01:13:02 +0000
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: pop3
>
> Hi,
>
> I've installed a firewall and I want to permit that users may consult their
> email from home. Is it correct to give them access from home with pop3 ?
> What are the risks with the email server on the internal network or in DMZ
> ?

Allowing inbound client connections probably shouldn't happen without strong non-reusable authentication, and possibly shouldn't happen without good encryption. Most POP servers have had buffer overflow issues in the past, and if you're using static usernames and passwords you risk those credentials being compromised externally.

Placing a server in the DMZ puts you in about the same position as an ISP, and you need to worry about the security of the server and the data on it, it's securable, but not trivially and will take lots of extra effort in keeping the system up to date (which will affect e-mail availability.)

If I had to support such a system, I'd give the users an address in a subdomain and harden the heck out of a Web server, and make a Webmail application available via SSL only after the client's browser had authenticated via SecurID.

Don't forget that if they're using home machines, they'll likely *not* have home anti-virus installed, and your internal address lists will be on their machines, there are lots of obvious issues there to think about.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
