On Saturday 05 April 2014 08:33 PM, Eric Shubert wrote:
> On 04/05/2014 04:44 AM, Bharath Chari wrote:
>> On Saturday 05 April 2014 07:38 AM, Eric Shubert wrote:
>>> Another option (of course) is to have both public and private
>>> interfaces on any public facing host (as many servers do), and only
>>> allow ssh access from the private side.
>>>
>>> And yet another is to have a perimeter firewall that port forwards
>>> traffic to QMT. This case should not allow ssh on port 25 at all, and
>>> forwards no ssh traffic anywhere from a public address. Yet QMT can
>>> accept SSH connections from anywhere, since the firewall is taking
>>> care of potentially malicious traffic.
>>>
>>> I'd be interested to know how many people run QMT on a public address,
>>> vs behind a NATing router. This affects how the QMT firewall is
>>> configured, and I'm planning to automate that setup. Just curious to
>>> know though how people are setting up their QMT hosts.
>>> (Survey Says:)
>>
>> I run an openvpn server and force SSHD/FTP to bind to the VPN IP. Access
>> is only via a client connected using a VPN. Port scans won't reveal
>> anything on the public IP. In one instance IMAP, POP3 and SUBMISSION
>> also listen only on the VPN IP. BTW, this isn't a QMT setup, but there's
>> no reason why it couldn't be implemented.
>> Bharath
>> ---------------------------------------------------------------------
>
> I do essentially the same thing (I think), using IPCop to manage the
> VPNs. IPCop eliminates some of the complexity of setting up an openvpn
> (or IPSec) VPN, as well as providing other network services. I run
> everything as virtual hosts under ProxmoxVE, so there's minimal
> hardware involved.
>
> You say this isn't a QMT setup. I presume you mean that the VPN is
> separate from your QMT host. How is your QMT configured with regards
> to networking? How many NICs? Public or private addresses?
>
> Thanks for chiming in, Bharath.

I do run the VPN separate from the Mail Server host because I run other
services which aren't mail related and require connectivity via a VPN.
Sadly this isn't a QMT setup, it's a postfix / dovecot setup. I only run
QMT for my personal testing and pleasure these days :)
Bharath
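
One way to verify the setup discussed in this thread (SSH, FTP and mail-client ports bound only to the VPN address), as an added example that is not part of any poster's message: it parses `ss -tlnH` output and lists VPN-only ports bound to any other address. The VPN address 10.8.0.1, the port set and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS = """\
LISTEN 0 128 10.8.0.1:22 0.0.0.0:*
LISTEN 0 32 10.8.0.1:21 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 100 10.8.0.1:143 0.0.0.0:*
LISTEN 0 100 127.0.0.1:587 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 *:110 *:*
"""

VPN_IP = "10.8.0.1"                        # assumed VPN-side address of the host
VPN_ONLY_PORTS = {21, 22, 110, 143, 587}   # FTP, SSH, POP3, IMAP, SUBMISSION

def parse_listeners(ss_output):
    """Yield (host, port) for every listening socket in `ss -tlnH` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.split("%")[0].strip("[]")   # drop interface suffix and IPv6 brackets
        yield host, int(port)

def is_allowed(host, vpn_ip):
    """A VPN-only service may bind to the VPN address or loopback, nothing else."""
    if host in ("*", ""):
        return False                            # wildcard: every interface
    addr = ipaddress.ip_address(host)
    return addr.is_loopback or addr == ipaddress.ip_address(vpn_ip)

def exposed_listeners(ss_output, vpn_ip=VPN_IP, ports=VPN_ONLY_PORTS):
    """Return sorted (host, port) pairs where a VPN-only port is bound elsewhere."""
    return sorted((h, p) for h, p in parse_listeners(ss_output)
                  if p in ports and not is_allowed(h, vpn_ip))

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS):
        print(f"port {port} is reachable outside the VPN (bound to {host})")
```

In the sample, SMTP on port 25 stays public by design, while the wildcard POP3 listener and the IPv6 wildcard SSH listener are reported; the latter is easy to miss when only the IPv4 bind address was changed.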