On 9/8/18 6:01 PM, Chris Bennett wrote:
[snip]
IMHO, I would skip using partially insecure OS's like Linux. These are
your kids!
Of course security at the OS level is important but also a lot of work
must be done around in the infrastructure area too for security...
running a good IDS for example: OpenBSD with Snort totally rocks in this
area.... going through a web proxy... again OpenBSD with Squid and Clamd.
Additionally perhaps a VPN to whatever mail solution the OP chooses if
'in house' like OpenVPN running on an OBSD gateway for example then lock
down the mail system to just have port 25 open inbound in PF maybe even
with queueing enabled.
Encryption of the storage medium can also be suggested so wherever the
maildir store is located the FS becomes encrypted as added layer of
security.
There's a lot one can do even just by sticking to a few OpenBSD based
boxes but it really is a matter of locking things down as opposed to
doing something silly.... even OpenBSD will become insecure if port 22
(ssh) is opened up with root account available and password something
easily guessed like 'root' or 'admin'.
It's not really a short topic that has one specific answer but I will
state that OpenBSD for router/gateways and servers is an excellent
solution as unlike other OS's is not resource intensive and overall
pretty secure right out of the box.
--K