Re: It's been a while...
On Thu, 7 Dec 2000, Al Sparks wrote:

> Some of the posts on this thread (and others) seem to be referring to
> the mail server receiving the mail from the outside as the "firewall".
>
> Actually a mail server that receives mail and then passes the mail on
> to the internal mail server for further processing should probably be
> called a mail proxy server because it has about the same functionality
> as a web proxy server.

Hi Al,

True enough. However, most if not all firewalls come pre-packaged with some kind of mail proxy. The mail proxy is only one of the many services a firewall provides. Obviously, in large-scale domains, you may want or need to dedicate a system to do only mail proxying/relaying, but certainly not in every case, as in this one.

> Of course you could run mail software on a firewall depending on what
> kind of platform and OS you run your firewall on, but it's not
> recommended from a security point of view. The more services you run
> on your firewall, the more vulnerable you make it.

Again, that's true. I would definitely stay away from ANY sendmail implementation on a firewall. But qmail I can live with (and have). Besides, the purpose of a firewall is to provide a way to securely access an insecure network. So, chances are, you'll have to provide those main services (HTTP, SMTP, etc.) whether you like them or not. You just have to find a way to make them as secure as you possibly can. There are mail proxies out there (SMAP/SMAPD for example), but to me qmail does a fine job when properly configured. That's the beauty of qmail compared with sendmail... the ease of configuration.

> What I would recommend is a separate mail server to receive mail
> outside your firewall (or in the DMZ), and forward that mail to your
> mail server with all the accounts, inside the firewall. The theory
> being that if someone invades your "proxy" mail server, your internal
> mail server isn't bothered (it just stops being able to receive and
> send mail to the outside).
>
> === Al

Still... your firewall in the above example will need some kind of proxy or mail relay agent. Basically you are adding an extra box in front, which to me is only an extra possible point of failure. The same situation/requirement remains.

Jean
--
Jean Caron
Network Security Consultant
NORAC inc. - Network Optimization Research & Analysis Canada
Quebec, Canada
(613) 277-6672
RE: It's been a while...
On Thu, 7 Dec 2000, Alexander Jernejcic wrote:

> hi,
> Jean Caron wrote:
> --snip--
> > First question, I have to move my mail server behind my firewall (it was
> > in front until now). My goal is to have the firewall accept all mail for
> > the domain, and forward "everything" "as is" to the mail server, inside.
> > A dumb relay, is all I need.
> --snip--
> this might be a philosophical approach, but have you considered
> port-forwarding smtp to your local (inside) mail-server?
>
> ready to get flamed
>
> ;)
> alexander

Hi,

No flames... I did "think" about the option, but that's one I really don't like. I'd much rather use some mail "proxy", or even qmail over which you keep "some" control, over a hole in the firewall that redirects everything onto the private network. Bad idea, but thanks anyway. ;)

Jean
--
Re: It's been a while...
Some of the posts on this thread (and others) seem to be referring to the mail server receiving the mail from the outside as the "firewall".

Actually a mail server that receives mail and then passes the mail on to the internal mail server for further processing should probably be called a mail proxy server because it has about the same functionality as a web proxy server.

Of course you could run mail software on a firewall depending on what kind of platform and OS you run your firewall on, but it's not recommended from a security point of view. The more services you run on your firewall, the more vulnerable you make it.

What I would recommend is a separate mail server to receive mail outside your firewall (or in the DMZ), and forward that mail to your mail server with all the accounts, inside the firewall. The theory being that if someone invades your "proxy" mail server, your internal mail server isn't bothered (it just stops being able to receive and send mail to the outside).

=== Al

--- Felix von Leitner <[EMAIL PROTECTED]> wrote:
> Thus spake Jean Caron ([EMAIL PROTECTED]):
> > First question, I have to move my mail server behind my firewall (it was
> > in front until now). My goal is to have the firewall accept all mail for
> > the domain, and forward "everything" "as is" to the mail server, inside.
> > A dumb relay, is all I need.
>
> Don't do that.
> It degrades performance and reliability and increases the complexity of
> the system and with that the risk for security problems.
>
> If what your signature says is right, i.e. that you are working on network
> optimization, then you should see why this is a bad idea.
>
> Felix

__
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/
Re: It's been a while...
Hi,

I have mostly a similar problem; this seems to be a hard problem. I benefited from the help of several people but still have some problems.

In my case I have a mail relay in the DMZ and a mail server in the LAN.

[internet]-[Router]-[DMZ][Firewall]-[LAN]

Without setting up a firewall, all works fine. But when setting up the firewall, I can only send (outgoing messages), but no incoming ones can reach me. My relay does not store messages; it forwards them directly to the local mail server.

Is a similar firewall with only two cards appropriate? Can it communicate in the two directions (in/out)? What must I do in order to let it work in the two directions?

Thanks for any help.

--- Jean Caron <[EMAIL PROTECTED]> wrote:
>
> Hi folks,
>
> It's been a while since I had to even think of qmail (it really runs that
> good!).
>
> But now I need to change my network architecture, and I would appreciate
> some help with a few things.
>
> First question, I have to move my mail server behind my firewall (it was
> in front until now). My goal is to have the firewall accept all mail for
> the domain, and forward "everything" "as is" to the mail server, inside.
> A dumb relay, is all I need. I believe (from looking up my notes and
> searching the archive) that I have to create a control/smtproutes file
> containing ": IP>" on the firewall. As for the control/rcpthosts file,
> does it suffice to put "mydomain.com:" or do I need a list of machine
> names, i.e.: "mail.mydomain.com:", etc... Then, what's needed in
> control/locals, control/me and control/virtualdomains (I have no virtual
> domain), only the firewall's hostname (except for virtualdomains)?
>
> On my mail server itself, all I do is create control/smtproutes and put in
> it the following: ":" ?
>
> I am using both tcpserver and tcprules on the firewall already. The rule
> was to relay from any host inside to the mail server. It still needs to
> relay... but what should be in there exactly now ? Like I started by
> saying, it's been a while...
>
> Am I missing anything to get this show on the road ?
>
> [private network + mail server] <==> [firewall] <==> [big bad Internet]
>
> And on a different note, I've been looking for a web interface which would
> work nicely with qmail (Pine is nice, but not nice enough). Oh BTW, and
> I guess at this point I should confess to still be using Mailbox format.
> I know I should start by doing something about that, yet I don't know
> where to start. Most web interfaces I've looked at required me to move to
> maildir. Any suggestions ? (I know...move to maildir, right?) Ok, say I
> do, which package should I then use ? How hard is it to move to maildir ?
> A good procedure would come in handy at this point...
>
> Sleeves are rolled up, here comes my w/end qmail refresher course.
>
> Thanks,
>
> Jean
> --
> Jean Caron
> Network Security Consultant
> NORAC inc. - Network Optimization Research & Analysis Canada
> Quebec, Canada
> (613) 277-6672
RE: It's been a while...
hi,

Jean Caron wrote:
--snip--
> First question, I have to move my mail server behind my firewall (it was
> in front until now). My goal is to have the firewall accept all mail for
> the domain, and forward "everything" "as is" to the mail server, inside.
> A dumb relay, is all I need.
--snip--

this might be a philosophical approach, but have you considered port-forwarding smtp to your local (inside) mail-server?

ready to get flamed

;)
alexander
Re: It's been a while...
On Thu, 7 Dec 2000, Felix von Leitner wrote:

> Thus spake Jean Caron ([EMAIL PROTECTED]):
> > First question, I have to move my mail server behind my firewall (it was
> > in front until now). My goal is to have the firewall accept all mail for
> > the domain, and forward "everything" "as is" to the mail server, inside.
> > A dumb relay, is all I need.
>
> Don't do that.
> It degrades performance and reliability and increases the complexity of
> the system and with that the risk for security problems.
>
> If what your signature says is right, i.e. that you are working on network
> optimization, then you should see why this is a bad idea.
>
> Felix

Felix,

Sometimes the "best option" is no longer an option... I agree with you, however... the network architecture is changing and the mail server is being moved behind the firewall.

Jean
--
Jean Caron
Network Security Consultant
NORAC inc. - Network Optimization Research & Analysis Canada
Quebec, Canada
(613) 277-6672
Re: It's been a while...
Thus spake Jean Caron ([EMAIL PROTECTED]):
> First question, I have to move my mail server behind my firewall (it was
> in front until now). My goal is to have the firewall accept all mail for
> the domain, and forward "everything" "as is" to the mail server, inside.
> A dumb relay, is all I need.

Don't do that.
It degrades performance and reliability and increases the complexity of the system and with that the risk for security problems.

If what your signature says is right, i.e. that you are working on network optimization, then you should see why this is a bad idea.

Felix
Re: It's been a while...
First off, you posted this as a reply to an unrelated message -- makes it a little less likely you'll get an answer from this list.

> First question, I have to move my mail server behind my firewall (it was
> in front until now). My goal is to have the firewall accept all mail for
> the domain, and forward "everything" "as is" to the mail server, inside.
> A dumb relay, is all I need. I believe
> (from looking up my notes and searching the archive) that I have to create
> a control/smtproutes file containing ":" on the
> firewall.

Yes, providing that's all it has to do.

> As for the control/rcpthosts file, does it suffice to put
> "mydomain.com:" or do I need a list of machine names,
> i.e.: "mail.mydomain.com:", etc...

Wrong format. No colons; just machine/domain names:

  bar.foo.com
  baz.foo.com
  .example.org

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
RE: It's been a while...
> a control/smtproutes file containing ":" on the
> firewall.

Actually, that would forward ALL mail - for your domain, or being sent out from your domain! - to the internal server. You want "mydomain.com:" in smtproutes on the firewall.

> As for the control/rcpthosts file, does it suffice to put
> "mydomain.com:" or do I need a list of
> machine names, i.e.: "mail.mydomain.com:",
> etc...

You're confusing smtproutes syntax and rcpthosts syntax here. On the firewall, you want "mydomain.com" in the rcpthosts file. If you also intend to accept mail for hosts in your domain (i.e., mail.mydomain.com), you can put them in one by one or wildcard them with ".mydomain.com". Make sure MX records exist in global DNS pointing to firewall.mydomain.com for any hosts or domains you want it to relay.

> Then, what's needed
> in control/locals, control/me and control/virtualdomains (I have no
> virtual domain), only the firewall's hostname (except for
> virtualdomains)?

control/locals should be empty; you are forwarding mail. If you want mail for firewall.mydomain.com to stay on the firewall instead of being forwarded, you can put that there (and make sure firewall.mydomain.com or .mydomain.com is in rcpthosts). control/me should be the firewall's hostname. control/virtualdomains can be deleted.

> On my mail server itself, all I do is create
> control/smtproutes and put in it
> the following: ":" ?

Yes. Also add "mydomain.com" to rcpthosts and locals (and, again, any hosts or wildcards you also want to accept mail for).

> I am using both tcpserver and tcprules on the firewall
> already. The rule was to relay from any host inside to
> the mail server. It still needs to relay... but what
> should be in there exactly now ? Like I started by
> saying, it's been a while...

That can stay as is, unless you want to tighten the rules so outgoing mail can only come from the internal mail server. As long as the internal mail server is allowed to relay in the existing rules, you're fine.
--
gowen -- Greg Owen -- [EMAIL PROTECTED]
SoftLock.com is now DigitalGoods!
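The two answers above (Charles on rcpthosts format, Greg on the smtproutes catch-all) describe the control files the firewall relay needs; this added script is not from the thread or from qmail itself. It writes those files into a scratch directory and lints them for the two mistakes the replies point out. The domain mydomain.com, the internal server address 192.0.2.10, the hostname firewall.mydomain.com and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Lay out the qmail control files for a "dumb relay" on the firewall as
# described in the thread, then check them. Names and addresses below are
# constructed placeholders; the real directory would be /var/qmail/control.
set -e

write_firewall_controls() {
    # $1 control dir, $2 your domain, $3 internal server, $4 firewall hostname
    dir=$1; domain=$2; inside=$3; fwhost=$4
    mkdir -p "$dir"
    # Route only the domain's mail inside. A bare ":" line would also send
    # outgoing mail to the internal server.
    printf '%s:%s\n' "$domain" "$inside" > "$dir/smtproutes"
    # rcpthosts lists names only, no colons; ".domain" wildcards the hosts.
    printf '%s\n.%s\n' "$domain" "$domain" > "$dir/rcpthosts"
    # A relay delivers nothing locally, so locals stays empty.
    : > "$dir/locals"
    printf '%s\n' "$fwhost" > "$dir/me"
    # No virtual domains on the relay.
    rm -f "$dir/virtualdomains"
}

# Returns 0 when the files match the thread's advice, 1 with a reason on stderr.
lint_firewall_controls() {
    dir=$1
    if grep -q '^:' "$dir/smtproutes"; then
        echo "smtproutes: catch-all route would forward ALL mail inside" >&2
        return 1
    fi
    if grep -q ':' "$dir/rcpthosts"; then
        echo "rcpthosts: colon found; this file holds names, not routes" >&2
        return 1
    fi
    if [ -s "$dir/locals" ]; then
        echo "locals: not empty; relay would deliver instead of forwarding" >&2
        return 1
    fi
    if [ "$(wc -l < "$dir/me" | tr -d ' ')" -ne 1 ]; then
        echo "me: expected exactly one hostname" >&2
        return 1
    fi
    return 0
}

# Demo run against a scratch directory with the constructed values.
demo_dir=$(mktemp -d)
write_firewall_controls "$demo_dir" mydomain.com 192.0.2.10 firewall.mydomain.com
lint_firewall_controls "$demo_dir" && echo "firewall control files look right"
rm -rf "$demo_dir"
```

The internal server's own smtproutes is the one place the bare ":" catch-all belongs, as Greg confirms, so do not run this lint against it.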
It's been a while...
Hi folks,

It's been a while since I had to even think of qmail (it really runs that good!).

But now I need to change my network architecture, and I would appreciate some help with a few things.

First question, I have to move my mail server behind my firewall (it was in front until now). My goal is to have the firewall accept all mail for the domain, and forward "everything" "as is" to the mail server, inside. A dumb relay, is all I need. I believe (from looking up my notes and searching the archive) that I have to create a control/smtproutes file containing ":" on the firewall. As for the control/rcpthosts file, does it suffice to put "mydomain.com:" or do I need a list of machine names, i.e.: "mail.mydomain.com:", etc... Then, what's needed in control/locals, control/me and control/virtualdomains (I have no virtual domain), only the firewall's hostname (except for virtualdomains)?

On my mail server itself, all I do is create control/smtproutes and put in it the following: ":" ?

I am using both tcpserver and tcprules on the firewall already. The rule was to relay from any host inside to the mail server. It still needs to relay... but what should be in there exactly now ? Like I started by saying, it's been a while...

Am I missing anything to get this show on the road ?

[private network + mail server] <==> [firewall] <==> [big bad Internet]

And on a different note, I've been looking for a web interface which would work nicely with qmail (Pine is nice, but not nice enough). Oh BTW, and I guess at this point I should confess to still be using Mailbox format. I know I should start by doing something about that, yet I don't know where to start. Most web interfaces I've looked at required me to move to maildir. Any suggestions ? (I know...move to maildir, right?) Ok, say I do, which package should I then use ? How hard is it to move to maildir ? A good procedure would come in handy at this point...

Sleeves are rolled up, here comes my w/end qmail refresher course.

Thanks,

Jean
--
Jean Caron
Network Security Consultant
NORAC inc. - Network Optimization Research & Analysis Canada
Quebec, Canada
(613) 277-6672