freebsd security - May 2004 - Mail Server in the DMZ question

Been trying to puzzle through a firewall layout here involving E-Mail.  Would 
have thought this was a more common kind of scenario, but I haven't been
able
to Google me up an answer to this one.

At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing 
mail into my secure network.  This is a less than optimal setup simply due to 
having to allow traffic from the DMZ into my secure network without a 
proceeding request for that data.

I want to have all the mail held on the server in the DMZ, then have it be 
pulled into the secure network for all my users by some means.

Originally I thought I could just setup a multi-drop box, pull in the mail 
with Fetchmail, then have it delivered to my internal server for processing.  
Seems that there are way too many pitfalls for this setup to reasonably 
support all my users.

I then looked into configuring the DMZ server to hold all mail, then release 
on an ETRN request.  From what I've read on this I'm really no better
off, as
I still have to allow port 25 requests into my secure network.

Thanks,
-- 
"In theory, there is no difference between theory and practice.
In practice, there is."
- Yogi Berra

On Mon, 2004-05-17 at 16:39, Michael Collette wrote:
> Been trying to puzzle through a firewall layout here involving E-Mail. 
Would
> have thought this was a more common kind of scenario, but I haven't
been able
> to Google me up an answer to this one.
> 
> At present I have an SMTP server (Postfix) in my DMZ that is simply
re-routing
> mail into my secure network.  This is a less than optimal setup simply due
to
> having to allow traffic from the DMZ into my secure network without a 
> proceeding request for that data.
> 
> I want to have all the mail held on the server in the DMZ, then have it be 
> pulled into the secure network for all my users by some means.
> 
> Originally I thought I could just setup a multi-drop box, pull in the mail 
> with Fetchmail, then have it delivered to my internal server for
processing.
> Seems that there are way too many pitfalls for this setup to reasonably 
> support all my users.
> 
> I then looked into configuring the DMZ server to hold all mail, then
release
> on an ETRN request.  From what I've read on this I'm really no
better off, as
> I still have to allow port 25 requests into my secure network.
> 
> Thanks,
I've seen one site implement UUCP for exactly this reason, but I think
the potential problems with a flaw in UUCP outweigh just using an SMTP
push.

As long as you've locked down your firewall to only allow the mail
gateway to open a connection through to your trusted net on port 25
(i.e. no other DMZ hosts are allow through in this manner) that's about
as good as you can do.

Look at it this way, what are you protecting against?  If you're
protecting against mail being sent in, well clearly that will happen
either way.  If you're protecting against an attacker that would hijack
the DMZ host and try to attack your internal machine via port 25, well
yes it will stop that, but if the attacker manages to hijack the machine
they're going to be able to do a lot worse things (snoop on all your
mail, possibly capture passwords, etc).

Really, the possibility that an attack would be able to make a
successful attack using only port 25 of your internal host is very
remote, and the possibility that they couldn't do anything else
malicious even though they had hijacked a host is even more remote. 
Make sure you're not over architecting your environment and introducing
unnecessary complications for very minimal potential benefit.

-- 
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com