On 19/07/10 18:07, Angelo Amoruso wrote:
On 16/07/2010 10.10, Jonathan Tripathy wrote:
Hi Everyone,
I have set up a mail server (on a VM) as per this article:
http://workaround.org/ispmail/lenny
I wish to host this server for a customer. However, I don't think it's "best practice" to simply place the whole VM in a DMZ and port forward to it. My question is, what should I do and what should I "split up"? The networks I have available to me are:

A DMZ allows you to restrict which traffic goes where, e.g. you can say that such a mail host can only receive SMTP connections from outside (Internet) and generate outbound SMTP traffic only. This helps restrict what an attacker can do with such a machine if it gets "owned".

The innermost security guard is of course given by regular machine maintenance, i.e. updating software when patches and security fixes are available.

My .2c ;-)

Best regards,
    Angelo 'Archie' Amoruso


Regarding the DMZ, I am fairly confident that if the mail server in the DMZ were to get compromised, my DMZ rules would prevent any attack on other network computers.

So do you feel that it is safe enough, provided I keep the machine up-to-date, to place the whole mail server (Postfix, Dovecot + user databases + email storage) in a DMZ, and just open the ports for SMTP and IMAP?

Thanks
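
The traffic restriction discussed in this thread (SMTP and IMAP in to the mail host, SMTP out from it, nothing from the DMZ into the internal network), written as an nftables forward chain on the firewall. This is an added example, not from either poster; the interface names `wan0`, `dmz0` and `lan0`, the mail host address `192.0.2.10` and the outbound DNS rule are assumptions.

```nftables
# Added example. Assumed names: wan0 = Internet, dmz0 = DMZ, lan0 = internal network.
# 192.0.2.10 is a placeholder for the mail host's DMZ address.
# The port forward (DNAT) itself is not shown; this chain only filters routed traffic.
table inet dmz_mail {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to connections that were allowed below
        ct state established,related accept

        # Internet -> mail host: SMTP (25) and IMAP (143) only
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 25, 143 } ct state new accept

        # Mail host -> Internet: outbound SMTP delivery
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.10 tcp dport 25 ct state new accept

        # Mail host -> Internet: DNS lookups (assumption: it resolves MX records itself)
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.10 udp dport 53 accept
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.10 tcp dport 53 ct state new accept

        # A DMZ host opening a connection to the internal network is the case
        # the DMZ exists to stop: log it, then drop it
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan: " drop

        # Anything else entering or leaving the DMZ is dropped
        # (an admin path from lan0, e.g. SSH, would need its own accept rule above)
        iifname "dmz0" drop
        oifname "dmz0" drop
    }
}
```

The log rule on DMZ-to-LAN traffic doubles as a detection point: a correctly working mail host should never trigger it.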
