OT: Setting up a forwarding mail domain in DMZ without pinhole.

Sanjay Arora skpobox at hotpop.com
Sun Aug 22 16:02:57 UTC 2004


On Sun, 2004-08-22 at 18:58, Cowles, Steve wrote:

> If I had to deal with a security policy such as yours, I would look at
> configuring the DMZ mail server to store all inbound e-mail in a single
> mailbox (single password vs. multiple), then use fetchmail's multi-drop
> feature to retrieve e-mail from your DMZ server and then store the retrieved
> e-mail in individual mailboxes on the green server. See "man fetchmail" for
> examples of using multi-drop and especially the USER AUTHENTICATION AND
> ENCRYPTION section for password encryption between the green server and DMZ
> server. 
Don't know much about tools like fetchmail, but will study them. Do they
do mail injection to the SMTP server, so that other aspects like
anti-virus, spam etc. are handled on the green machine? IAC, I don't
bounce any mail presently...just mark it & put it in a different common
folder for the domain (for fear of false positives), so bouncing mails
at the DMZ is presently not a requirement with me.

But if I have to set up a mailbox...I guess one mailbox per domain or
even one mailbox for all domains is a good idea. Thanks...it will save
some scripting...I wonder why the best of the simplest ideas do not occur to
one's own self, when one is doing complicated thinking ;-))

> Another option might be to create an SSH tunnel between the
> green->DMZ server to pull your queued e-mail.
> 
Won't that be the same as creating a pinhole...even if the traffic is encrypted? Since both the subnets are on the local network, sniffing would be less of a risk...though if a firewall-piercing strategy is taken...SSH would be a good idea...as it would add another layer of security. But if someone does get into the DMZ, won't the SSH VPN be the unrestricted tunnel for his traffic too...essentially bypassing the firewall?


> You know, if you were willing to relax your security policy for a given
> timeslot (like a cronjob), you could configure your DMZ MTA to use a
> "deferred" queue, then issue an ETRN (during the cronjob) to release/deliver
> your e-mail to the green server.
> 
Don't have the staff for complicated penetration detection/recovery...am
relying solely on not leaving as many configuration compromises as
possible. You have one door...you need one lock...Have too many
doors...you need dogs in the grounds ;-))

Thanks again.

Sanjay.
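A worked fetchmail multidrop configuration for the pull arrangement Steve describes (an added example, not part of the original thread and not taken from fetchmail's documentation): the green server polls the single catch-all mailbox on the DMZ host over POP3 with TLS and re-injects each message into its own MTA over SMTP, so the only connection is outbound from green to DMZ and no inbound pinhole is needed. The hostnames, domain names, account name and the envelope header name are assumptions; the header must be whatever the DMZ MTA actually adds when it delivers to the catch-all box (Postfix's local delivery agent adds X-Original-To).

```conf
# /etc/fetchmailrc on the green server (example; hostnames and credentials are placeholders)
set postmaster "postmaster"
# never bounce from the fetch side; matches the "mark, don't bounce" policy above
set no bouncemail

poll dmz-mail.example.internal proto pop3
     # domains whose mail the DMZ MTA drops into the shared mailbox
     localdomains example.com example.net
     # header carrying the real envelope recipient, added by the DMZ MTA (assumed name)
     envelope "X-Original-To"
     # one catch-all account on the DMZ; "to * here" maps each envelope recipient
     # to the same local user on the green server (multidrop)
     user "catchall" there with password "CHANGEME" to * here
       # TLS between green and DMZ, and verify the DMZ server's certificate
       ssl sslcertck
       # hand every message to the green MTA over SMTP so its anti-virus and
       # spam filtering run exactly as for directly delivered mail
       smtphost localhost
       # pull everything and delete it from the DMZ once the green MTA has accepted it
       fetchall
       no keep
```

fetchmail refuses to start if the rc file is readable by other users, so keep it mode 0600; a cron entry running `fetchmail -f /etc/fetchmailrc` gives the periodic pull with no persistent tunnel left open.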
