Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Neil Bothwick
On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

Postgrey.


-- 
Neil Bothwick

Old hitchhikers never die-they just throw in the towel.



Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Pandu Poluan
On Mon, Jul 4, 2011 at 09:55, Walter Dnes waltd...@waltdnes.org wrote:

> On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote
>
> > If that is not possible, what solution would you recommend to 'harden'
> > the non-25 mail port?
>
> portknocking sounds like doing things the hard way.  The gateway has
> to have either a fixed IP address or at least a domain name.  Set up
> iptables on your internal server to accept connections on the shifted
> smtp port only if the connection is coming from the right IP address or
> domain name.


*slaps forehead*

Gosh, you're right. What was I thinking...

Clearly a case of a Rube Goldberg-ian solution.

Thanks for knocking some sense into my thick skull :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:  pepol...@hotmail.com (do not send email here)
Skype:    pepoluan



Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Pandu Poluan
On Mon, Jul 4, 2011 at 14:22, Neil Bothwick n...@digimed.co.uk wrote:
> On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:
>
> > If that is not possible, what solution would you recommend to 'harden'
> > the non-25 mail port?
>
> Postgrey.


Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
my office :-)

Rgds,
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:  pepol...@hotmail.com (do not send email here)
Skype:    pepoluan



Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Neil Bothwick
On Mon, 4 Jul 2011 17:15:41 +0700, Pandu Poluan wrote:

> > > If that is not possible, what solution would you recommend to
> > > 'harden' the non-25 mail port?
> >
> > Postgrey.
>
> Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
> my office :-)

You run postgrey alongside postfix on the VM. Only the non-spam
mails that get through use up any of your office's bandwidth.


-- 
Neil Bothwick

Those who live by the sword get shot by those who don't.




Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-04 Thread Michael Orlitzky
On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
>
> I'm implementing an email gateway using postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
>
> So far so good. However, a portscanner might still be able to detect
> which port is open and attempt deliveries there.
>
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform a portknocking before attempting
> delivery to the internal mail server?
>
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an accepted email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

  mynetworks = whoever is allowed to send mail to you
  smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.
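An added example of the two settings Michael describes, written for this thread and not taken from his post or from Postfix itself: a small script that renders the main.cf lines for the internal server and applies them with `postconf -e`. The gateway address 203.0.113.10/32 is a constructed placeholder, and the 127.0.0.0/8 entry is an addition so that locally generated mail (cron output, bounces) is still accepted; Michael's post lists only the permitted remote hosts.

```shell
#!/bin/sh
# Added example, not from the thread: restrict the internal mail server so it
# accepts SMTP only from the gateway VM, using the settings Michael names.
# 203.0.113.10/32 is a constructed placeholder for the gateway's address.

GATEWAY_NET="${GATEWAY_NET:-203.0.113.10/32}"   # constructed: the gateway VM
POSTCONF="${POSTCONF:-postconf}"                # set POSTCONF=echo for a dry run

# Print the two main.cf settings as "key = value" lines.
# 127.0.0.0/8 is added here (not in Michael's post) so that mail submitted
# on the box itself still passes permit_mynetworks.
render_main_cf() {
    nets="$1"
    printf 'mynetworks = 127.0.0.0/8 %s\n' "$nets"
    printf 'smtpd_recipient_restrictions = permit_mynetworks, reject\n'
}

# Feed each line to "postconf -e", which edits main.cf in place.
apply_main_cf() {
    render_main_cf "$1" | while IFS= read -r setting; do
        "$POSTCONF" -e "$setting"
    done
}

# Number of settings the apply step would write (handy for a dry run).
count_settings() {
    render_main_cf "$1" | wc -l | tr -d ' '
}

# Usage: sh restrict-postfix.sh --apply   (then: postfix reload)
#        POSTCONF=echo sh restrict-postfix.sh --apply   (preview only)
if [ "${1:-}" = "--apply" ]; then
    apply_main_cf "$GATEWAY_NET"
fi
```

With `reject` as the last entry, any client outside `$mynetworks` is turned away at RCPT TO, so a scanner that finds the shifted port gets a banner but cannot deliver anything. Run `postfix reload` after applying, and check the result with `postconf mynetworks smtpd_recipient_restrictions`.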



[gentoo-user] Portknock before Postfix delivery?

2011-07-03 Thread Pandu Poluan
I'm just wondering...

I'm implementing an email gateway using postfix. The gateway lives as
a VM in my ISP, and it will deliver 'accepted' emails to the company's
email server which lives in the DMZ. The email server's port is
shifted to a non-25 external port number.

So far so good. However, a portscanner might still be able to detect
which port is open and attempt deliveries there.

So, the question: Is it possible to configure the system in some way
so that Postfix will first perform a portknocking before attempting
delivery to the internal mail server?

If that is not possible, what solution would you recommend to 'harden'
the non-25 mail port?

Rgds,


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/



Re: [gentoo-user] Portknock before Postfix delivery?

2011-07-03 Thread Walter Dnes
On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

  portknocking sounds like doing things the hard way.  The gateway has
to have either a fixed IP address or at least a domain name.  Set up
iptables on your internal server to accept connections on the shifted
smtp port only if the connection is coming from the right IP address or
domain name.

-- 
Walter Dnes waltd...@waltdnes.org
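An added example of the iptables rules Walter describes, written for this thread and not taken from his post: on the internal mail server, accept the shifted SMTP port only from the gateway VM, log the rest at a limited rate, and drop it. The gateway address 203.0.113.10 and port 2525 are constructed placeholders. The script insists on a literal IPv4 address rather than a domain name, because iptables resolves a hostname once when the rule is loaded; if the gateway's address later changes, the rule keeps matching the old one without any error.

```shell
#!/bin/sh
# Added example, not from the thread: the iptables rules Walter suggests for
# the internal mail server, so only the gateway VM can reach the shifted SMTP
# port. Address and port are constructed placeholders; replace them.

IPT="${IPT:-iptables}"                   # set IPT=echo to print the rules instead
GATEWAY_IP="${GATEWAY_IP:-203.0.113.10}" # constructed: the gateway's fixed address
SMTP_PORT="${SMTP_PORT:-2525}"           # constructed: the shifted external port

# Append three rules to INPUT: accept the gateway, log (rate-limited) and
# drop everyone else. DROP makes the port look filtered to a scanner rather
# than closed. These must sit before any broad ACCEPT already in the chain.
restrict_smtp_port() {
    gw="$1"
    port="$2"
    "$IPT" -A INPUT -p tcp --dport "$port" -s "$gw" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$port" \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "smtp-shifted-denied: "
    "$IPT" -A INPUT -p tcp --dport "$port" -j DROP
}

# Accept only a dotted-quad IPv4 address. A hostname would be resolved once
# at rule-load time and silently go stale if the gateway's address changes.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

main() {
    if ! is_ipv4 "$GATEWAY_IP"; then
        echo "GATEWAY_IP must be a literal IPv4 address, got: $GATEWAY_IP" >&2
        return 1
    fi
    restrict_smtp_port "$GATEWAY_IP" "$SMTP_PORT"
}

# Usage: sh restrict-smtp-port.sh --apply        (load the rules)
#        IPT=echo sh restrict-smtp-port.sh --apply (preview them)
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The LOG rule gives you a kernel log line, prefixed `smtp-shifted-denied:`, for every connection attempt that is not from the gateway, which is the cheapest way to see whether the "non-25" port is in fact being probed. Rules added this way are lost on reboot; persist them with your distribution's save mechanism, and remember that ip6tables needs its own equivalent if the server is reachable over IPv6.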