> How about if someone hacks port 25 via
> one of the seemingly endless mail bugs (are
> you using sendmail?) so that they now have
> control of a machine on your internal net?
> FWIW, I don't know of a good solution to this,
> short of being religious about keeping your
> mail demon updated and secure. Even if you
> have a mail server on the outside or on a DMZ
> which forwards to a mail server on the inside,
> it's just another hop. I suppose that would make
> it somewhat more difficult.
No, it's not just another hop. For most of the endless sendmail
holes (and don't kid yourself, other mailers have 'em too), just
"keeping current" doesn't help. I know lots of admins that "keep
current" and are still often one release behind sendmail. That's
usually all it takes :-) However, most mailer problems are due to one of:
1) The intruder talking directly to a large unverified
privileged program (i.e. sendmail)
2) The large privileged program that is setuid being invoked by
normal users in a manner to gain access to root.
From a firewall point of view the second is less troublesome,
since you presumably trust your lusers or keep them off the
mailserver (or don't run sendmail setuid root, etc. etc.). It's 1)
that you're worried about.
The simple answer is to run something like Obtuse
smtpd (ftp://ftp.obtuse.com/smtpd) or TIS smap/smapd (wherever TIS is
sold in your neighborhood) on a bastion host that passes your mail
in/out from your mail server(s) that are inside. You have now
significantly reduced the risk of a mail daemon compromise (sendmail
or otherwise). (People can still mail your users evil things and ask
them to run them somehow, but that's another ball of wax.)
Either of those should run fine on your Linux firewall.
smtpd is free too.
Bob Beck Obtuse Systems Corporation
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
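The bastion-host design Bob describes, as an added example (this is neither Obtuse smtpd nor TIS smap code, nor anything from the original post): a small, unprivileged front end that speaks only the handful of SMTP verbs needed to take a message in, refuses everything else, enforces line, recipient and size limits, relays only toward the inside domain, and spools what it accepts for a separate process to forward inward. The point is that the thing an intruder talks to on port 25 is this few dozen lines rather than a large setuid mailer. The domain name, the limits and the in-memory spool are assumptions for illustration.

```python
import re

# Limits and domain are assumptions for this example; a real front end would
# take them from its configuration.
MAX_LINE = 1000            # longest command or text line we will parse
MAX_RCPTS = 100            # recipients per message
MAX_MSG_BYTES = 1_000_000  # message body size
MY_DOMAIN = "example.com"  # the only domain this bastion relays toward

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def parse_path(arg, keyword):
    """Parse 'FROM:<a@b>' / 'TO:<a@b>' into 'a@b'; '' for the null sender <>;
    None if malformed.  ESMTP parameters after the path are not understood
    and therefore rejected rather than guessed at."""
    if not arg.upper().startswith(keyword + ":"):
        return None
    path = arg[len(keyword) + 1:].strip()
    if path == "<>":
        return ""
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    return path if ADDR_RE.match(path) else None


class SmtpFrontEnd:
    """One session of the bastion's minimal SMTP listener.

    feed(line) takes one client line (without CRLF) and returns the reply
    ('' while inside DATA).  Accepted messages are appended to `spool` as
    (sender, rcpts, body); a separate unprivileged process would relay the
    spool to the internal mail server.
    """

    def __init__(self, spool):
        self.spool = spool
        self.helo = None
        self.in_data = False
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body, self.body_bytes = None, [], [], 0
        self.reject = None  # deferred rejection reply for the current DATA

    def feed(self, line):
        if self.in_data:
            return self._data_line(line)
        if len(line) > MAX_LINE:         # refuse before parsing anything
            return "500 Line too long"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or None
            self._reset()
            return "250 bastion." + MY_DOMAIN
        if verb == "MAIL":
            if self.helo is None:
                return "503 Send HELO first"
            sender = parse_path(arg, "FROM")
            if sender is None:
                return "501 Bad sender address"
            self._reset()
            self.sender = sender
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            rcpt = parse_path(arg, "TO")
            if not rcpt:
                return "501 Bad recipient address"
            if not rcpt.lower().endswith("@" + MY_DOMAIN):
                return "550 Relaying denied"   # inward only, never an open relay
            if len(self.rcpts) >= MAX_RCPTS:
                return "452 Too many recipients"
            self.rcpts.append(rcpt)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"  # no VRFY, EXPN, DEBUG, WIZ, ...

    def _data_line(self, line):
        if line == ".":                      # end of message
            self.in_data = False
            reply = self.reject or "250 Queued"
            if not self.reject:
                self.spool.append((self.sender, list(self.rcpts), "\n".join(self.body)))
            self._reset()
            return reply
        if line.startswith("."):
            line = line[1:]                  # undo dot-stuffing
        self.body_bytes += len(line) + 2
        if len(line) > MAX_LINE:             # keep reading to '.', then reject
            self.reject = self.reject or "552 Line too long"
        elif self.body_bytes > MAX_MSG_BYTES:
            self.reject = self.reject or "552 Message too large"
        if not self.reject:
            self.body.append(line)
        return ""


def run_session(lines, spool):
    """Drive one session from a list of client lines; return the non-empty replies."""
    fe = SmtpFrontEnd(spool)
    return [r for r in (fe.feed(l) for l in lines) if r]
```

Everything the outside can say to this process is parsed by a few string operations with fixed limits, and the only thing it ever does with the result is append it to a spool. Nothing here runs as root, and the internal mailer is never on the wire with the intruder; it only reads a spool a separate process hands it.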