OT: Setting up a forwarding mail domain in DMZ without pinhole.

Peter Boy pboy at barkhof.uni-bremen.de
Sun Aug 22 22:28:14 UTC 2004


On Sun, 22.08.2004 at 19:02, Sanjay Arora wrote:
> - What are the risks associated with Directed Pinholing?
> - I assume as IPs can be spoofed but in that case cannot be routed back
> to the hacker, unless he has gotten root access on the DMZ server and
> has setup a reverse proxy of some sort? Especially, as the DMZ
> mailserver is in private address space 192.168.x.x and the firewall is
> port forwarding the smtp & http packets.
> 
> People, please comment on this option.

If you have a "real" DMZ, your DMZ server is protected by a filtering
router (at least). IP spoofing should be handled by that machine. A
problem may arise when someone succeeds in compromising your DMZ host. 

You can restrict incoming traffic on the firewall by originating IP (in
your case: DMZ server only), the port number, the protocol (UDP/TCP) 
and the destination host (your green mail server) and some more subtle
criteria (e.g. handling of truncated packages). So just in case someone
can compromise your DMZ server the possible damage might be quite
limited. You can narrow it down further if you don't use a monolithic
smtp server (like sendmail) on the green server.

Nevertheless, whether to open the firewall a little bit or not is a
matter of risk management and risk evaluation. If your green server is a
controller for nuclear weapons at the same time, it might be a good idea
not to open it even just a little bit.

In most other cases, even in case of a business with a stronger security
demand, the very limited risk should be tolerable, compared to the
problems with mail access and others. By the way, the configuration
described by Garry is a usual / standard configuration with a DMZ host
which is the only one allowed to pass the firewall using well defined
ports and destinations. Usually you establish a DMZ just for that
purpose.

Nevertheless (again), if the fetchmail solution as outlined by Steve
does fulfill your needs it might be a good idea not to "pinhole" your
firewall - just in case ....

Peter
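As an added illustration (not part of Peter's message or anything else in this thread), the "narrow pinhole" described above can be expressed as iptables rules on a Linux firewall sitting between the DMZ and the green network. The interface names and the two addresses below are assumptions for the example, not values from the thread; the script prints the rules for review and only applies them when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: FORWARD rules for the firewall between DMZ and green network.
# Interface names and addresses are assumed for illustration only.
DMZ_IF="${DMZ_IF:-eth1}"               # interface facing the DMZ
GREEN_IF="${GREEN_IF:-eth2}"           # interface facing the green network
DMZ_MAIL="${DMZ_MAIL:-192.168.1.25}"   # DMZ forwarding mail host (assumed)
GREEN_MAIL="${GREEN_MAIL:-10.0.0.25}"  # internal ("green") mail server (assumed)

# Print each rule instead of applying it unless APPLY=1, so the policy can be
# reviewed (or diffed against the running one) before it touches the box.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

dmz_to_green_policy() {
    # Default: nothing crosses between the two networks.
    run -P FORWARD DROP

    # Non-first fragments heading for the green side are dropped outright;
    # no legitimate SMTP session from the DMZ host needs them.
    run -A FORWARD -i "$DMZ_IF" -o "$GREEN_IF" -f -j DROP

    # Replies belonging to an already accepted connection may flow in both
    # directions, but only as part of that connection.
    run -A FORWARD -i "$GREEN_IF" -o "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$DMZ_IF" -o "$GREEN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The single pinhole: only the DMZ mail host, only to the green mail
    # server, only TCP, only port 25, only for new connections.
    run -A FORWARD -i "$DMZ_IF" -o "$GREEN_IF" -s "$DMZ_MAIL" -d "$GREEN_MAIL" \
        -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else the DMZ tries toward the green side is logged (rate
    # limited) and dropped; a compromised DMZ host probing inward shows up here.
    run -A FORWARD -i "$DMZ_IF" -o "$GREEN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ->GREEN denied: "
    run -A FORWARD -i "$DMZ_IF" -o "$GREEN_IF" -j DROP
}

dmz_to_green_policy
```

The ordering matters: the fragment and ESTABLISHED rules sit before the pinhole so that only the first packet of a new SMTP session is judged by source, destination, protocol and port, and the final LOG/DROP pair is what turns a compromised DMZ host's inward scanning into visible log lines rather than silent failures.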

More information about the fedora-list mailing list