Hi,
> > The proper way to set this up is to have the firewall itself accept mail with
> > smapd and sendmail v8.6 and then re-route that mail to the internal servers.
> > The internal servers are never vulnerable to an attack because the outside
> > world cannot talk directly to them.
> >
>
> Agreed, that is what I was explaining to checkpoint.
Umm.. that's not completely right. Where is the difference in receiving mail
from the outside or from an smapd forwarder? In both cases you can still have
broken envelopes or headers. It's probably better to put the MX host outside
of the firewall, or a secure forwarder on the firewall, but secure MTAs
like qmail are a possible solution without using SMTP forwarders, which don't
give you much security (at least not those I know of).
Greetings
Bernd
> > The best way to secure things is to assume nothing is secure on your internal
> > network. Reduce your points of faliure on the DMZ, and trust nothing. If you
> > make sure that your DMZ versions of sendmail are secure and they talk to your
> > internal servers, no direct communication ever takes place from the external
> > network to the internal network.
> >
>
> "If you make sure that your DMZ versions of sendmail are secure.."
If you trust your DMZ hosts you can even put them inside the firewall
perimeter, right. If you receive mail on a bastion host on the DMZ, then you
still need a way to secure mail from the bastion host to the internal net
(i.e. a filtering mail forwarder on the firewall or a secure MTA on the internal
net), since hackers can still send you malicious mail if they have hacked
the bastion.
Greetings
Bernd
--
(OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
( .. )       ecki@{lina.inka.de,linux.de}   http://home.pages.de/~eckes/
o--o *plush* 2048/A2C51749   eckes@irc   +4972573817   *plush*
(O____O)  If privacy is outlawed only Outlaws have privacy
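Added example, not code from this thread and not smapd, sendmail or qmail code: the kind of envelope and header sanity checks a "filtering mail forwarder on the firewall" would apply before handing mail inward, so that a bastion that has been broken into cannot push malformed envelopes or headers at the internal MTA unexamined. The size limits are the RFC 5321 / RFC 5322 values; the local-part character whitelist, the function names and the sample messages are this example's own assumptions and are deliberately stricter than the RFCs allow.

```python
"""Envelope/header checks for a filtering store-and-forward mail relay.

Example code written for this discussion; not part of any MTA.
Limits: RFC 5321 (local-part <= 64 octets, domain <= 255, path <= 256)
and RFC 5322 (header line <= 998 characters excluding CRLF).
"""
import re

MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256
MAX_HEADER_LINE = 998

# Assumed whitelist for this example: narrower than RFC 5321 "atext" on
# purpose. It leaves out '|', '!', '%', '`', '$', ';', '&', '/' and quoted
# local parts, which older MTAs treated as program, routing or shell syntax.
_LOCAL_RE = re.compile(r"^[A-Za-z0-9_+=-]+(?:\.[A-Za-z0-9_+=-]+)*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# RFC 5322 field-name: printable US-ASCII except ':'.
_HEADER_NAME_RE = re.compile(r"^[!-9;-~]+$")


def check_envelope_address(path):
    """Validate one MAIL FROM / RCPT TO path ('<local@domain>' or bare).
    Returns (ok, reason)."""
    if path == "<>":
        return True, "null reverse-path"        # legal for MAIL FROM only
    if len(path) > MAX_PATH:
        return False, "path exceeds %d octets" % MAX_PATH
    if not path.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return False, "non-ASCII or control character in path"
    addr = path[1:-1] if path.startswith("<") and path.endswith(">") else path
    if addr.count("@") != 1:
        return False, "expected exactly one '@'"
    local, domain = addr.split("@")
    if len(local) > MAX_LOCAL_PART:
        return False, "local part exceeds %d octets" % MAX_LOCAL_PART
    if not _LOCAL_RE.match(local):
        return False, "local part contains characters outside the whitelist"
    if len(domain) > MAX_DOMAIN:
        return False, "domain exceeds %d octets" % MAX_DOMAIN
    if not all(_LABEL_RE.match(lab) and len(lab) <= 63 for lab in domain.split(".")):
        return False, "malformed domain"
    return True, "ok"


def check_headers(raw):
    """Check the header block of a raw message (bytes). Returns a list of
    problem strings; an empty list means the headers look sane."""
    problems = []
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head = raw.split(sep, 1)[0]
    crlf = head.count(b"\r\n")
    if crlf and crlf != head.count(b"\n"):
        problems.append("bare LF mixed with CRLF line endings")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_HEADER_LINE:
            problems.append("line %d exceeds %d characters" % (n, MAX_HEADER_LINE))
        if any((b < 0x20 and b != 0x09) or b == 0x7F or b >= 0x80 for b in line):
            problems.append("line %d contains control or non-ASCII bytes" % n)
        if line[:1] in (b" ", b"\t"):
            if n == 1:
                problems.append("line 1 is a continuation with no preceding field")
            continue                               # folded continuation line
        name, colon, _ = line.partition(b":")
        if not colon or not _HEADER_NAME_RE.match(name.decode("ascii", "replace")):
            problems.append("line %d is not a 'Name: value' header field" % n)
    return problems


def accept_for_relay(mail_from, rcpt_tos, raw):
    """Decision the forwarder makes before relaying inward: (accept, reasons)."""
    reasons = []
    ok, why = check_envelope_address(mail_from)
    if not ok:
        reasons.append("MAIL FROM: " + why)
    for rcpt in rcpt_tos:
        ok, why = check_envelope_address(rcpt)
        if not ok:
            reasons.append("RCPT TO %s: %s" % (rcpt, why))
    reasons.extend(check_headers(raw))
    return (not reasons), reasons


# Constructed sample messages for the example.
GOOD_MSG = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
            b"Subject: hello\r\n\r\nbody\r\n")
BAD_MSG = (b"From: alice@example.org\r\nX-Oops\r\n"          # no colon
           b"Subject: hi\x00there\r\n\r\nbody\r\n")          # NUL in header

if __name__ == "__main__":
    print(accept_for_relay("<alice@example.org>", ["<bob@example.net>"], GOOD_MSG))
    print(accept_for_relay("<|/bin/sh@example.org>", ["<bob@example.net>"], BAD_MSG))
```

The point of the checks is the one made above: a forwarder that only copies bytes from the bastion to the inside adds nothing, because the internal MTA still has to parse whatever arrived. A forwarder that refuses oversized paths, control bytes, bare line endings and fields that are not `Name: value` at least narrows what the inside ever sees, which is the most a filtering relay on the firewall can do.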