On 19/07/2010 22:04, Jonathan Tripathy wrote:

On 19/07/10 18:07, Angelo Amoruso wrote:
On 16/07/2010 10.10, Jonathan Tripathy wrote:
Hi Everyone,
I have set up a mail server (on a VM) as per this article:
http://workaround.org/ispmail/lenny
I wish to host this server for a customer. However, I don't think
it's "best practice" to simply place the whole VM in a DMZ and port
forward to it. My question is, what should I do and what should I
"split up"? The networks I have available to me are:

DMZ allows you to restrict which traffic goes where, e.g. you can say
that such mail host can only receive SMTP connections from outside
(Internet) and generate outbound SMTP traffic only. This helps
restrict what an attacker can do with such a machine if it gets "owned".

The innermost security guard is of course given by regular machine
maintenance, i.e. updating software when patches and security fixes are
available.

My .2c ;-)

Best regards,
Angelo 'Archie' Amoruso


Regarding the DMZ, I am fairly confident that if the mail server in the
DMZ were to get compromised, my DMZ rules would prevent any attack on
other network computers.

So do you feel that it is safe enough, provided I keep the machine
up-to-date, to place the whole mail server (Postfix, Dovecot + user
databases + email storage) in a DMZ, and just open the ports for SMTP
and IMAP?

Thanks

A typical environment: 2 (or more) SMTP servers and 2 (or more) IMAP/POP proxy front-ends (VLAN1, public IPs, behind firewall and balancers), 2 AVAS servers (Sophos, or anything else) in VLAN2, plus mail storage and RDBMS in VLAN3.

--
Simone Caruso
IT Consultant
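As an added illustration of the allow-list the DMZ discussion above describes (this is example code, not part of the thread or of the workaround.org guide): a single DMZ host running Postfix and Dovecot gets inbound SMTP, submission and IMAPS only, may open outbound connections only for SMTP delivery, DNS to one resolver and HTTP(S) to one pinned package mirror for patching, and everything else is dropped and logged. The interface name (eth0) and the resolver and mirror addresses (192.0.2.53, 192.0.2.80) are assumptions, as is the choice of ports 25/587/993; `dmz_allows` is a small policy oracle that mirrors the ruleset so the policy can be reviewed in a test before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original thread: an allow-list nftables policy
# for one DMZ mail host (Postfix + Dovecot). Interface, resolver and mirror
# addresses below are hypothetical; adjust them to your network.

DMZ_IF="${DMZ_IF:-eth0}"            # assumed DMZ-facing interface
RESOLVER="${RESOLVER:-192.0.2.53}"  # assumed DNS resolver the host may query
MIRROR="${MIRROR:-192.0.2.80}"      # assumed package mirror used for patching

# Print the nftables ruleset to stdout; load it with: gen_dmz_ruleset | nft -f -
gen_dmz_ruleset() {
    cat <<EOF
flush ruleset
table inet mailhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only the services this host exists to provide: SMTP, submission, IMAPS.
        iif "$DMZ_IF" tcp dport { 25, 587, 993 } ct state new accept
        # ICMP is needed for path-MTU discovery; rate-limited against floods.
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
        log prefix "dmz-in-drop: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Outbound mail delivery only: no web, no ssh, no other egress.
        tcp dport 25 ct state new accept
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept
        # Patching (the "innermost guard" mentioned above): one pinned mirror.
        ip daddr $MIRROR tcp dport { 80, 443 } ct state new accept
        log prefix "dmz-out-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Policy oracle used to review the rules before loading them.
#   dmz_allows DIRECTION PROTO PORT [DST]
# exits 0 if the policy permits a NEW connection, 1 otherwise. It mirrors the
# ruleset above, so a change to one must be made to the other.
dmz_allows() {
    dir=$1; proto=$2; port=$3; dst=${4:-0.0.0.0}
    case "$dir/$proto/$port" in
        in/tcp/25|in/tcp/587|in/tcp/993) return 0 ;;
        out/tcp/25) return 0 ;;
        out/udp/53|out/tcp/53)
            if [ "$dst" = "$RESOLVER" ]; then return 0; fi; return 1 ;;
        out/tcp/80|out/tcp/443)
            if [ "$dst" = "$MIRROR" ]; then return 0; fi; return 1 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: sh dmz_mailhost.sh --print | nft -f -
if [ "${1:-}" = "--print" ]; then gen_dmz_ruleset; fi
```

Note what this policy does and does not buy: an owned host can no longer scan the LAN or pull tools over HTTP, but the user database and mail store still sit on the same box, which is exactly the exposure the multi-VLAN layout in the reply above removes by keeping storage and the RDBMS behind the front-ends.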

