On Fri, Jul 18, 2003 at 09:45:37AM -0700, Cooper Stevenson wrote:

> The Goal: build a server that will effectively filter spam, deliver
> email, and provide convenient remote access to corporate data. The
> server may or may not be behind a firewall, so security is of primary
> importance.
>
> The Solution:
>
> Postfix + Spamassassin + UW IMAP + Samba + Apache Web Server +
> SquirrelMail

Without another firewall, the server itself should be the firewall by compiling in netfilter. Netfilter should be here in order to block ports that are not allowed open, even if the daemon needs to be running.

> This configuration allows business travelers and office workers alike
> the ability to access their email and server file shares from anywhere
> on the Internet, including their homes. Please refer to the following
> links:

Accessing a samba share across the internet is not secure. Since you mention it may not be behind a firewall, this means samba is available to the internet. Bad idea. This is because LM and NTLM are not secure. The former is easily crackable and both are replayable. I would not implement this over the public internet if I were you.

NTLMv2, which uses 128bit encryption and negotiated keys, should be required and all lesser protocols refused. This means specially configuring each win9x client to support ntlmv2 (installing new patches), configuring nt/2k clients to only send ntlmv2, and configuring samba to use only ntlmv2. However Samba 2.2.8a does not support it yet! Therefore you cannot do this securely.

If you want remote clients to access samba remotely, then freeswan should be compiled into the kernel as well and each client should have an ipsec client. These come with windows 2000, but for home cable users a linksys that supports ipsec is excellent. Also, accessing windows shares across 256kb or less is too slow to be practical. Remote access like vnc is much better for accessing browsable windows shares.

Next, netfilter is used in conjunction with the vpn so that only packets authenticated by ipsec are allowed to samba services. Otherwise it is perhaps just a mail/imap/web server.

> using SpamAssassin. Now, while the 'images' directory is a sub-folder
> under my home directory, there is absolutely no reason why this could
> not be a Samba share pointing to a remote Linux or NT server. This means
> in effect that business travelers can access their email and files
> centrally through their email client. Doing so negates the need for a
> VPN within the scope of these accesses. The user need know only how to
> set their account up through their email client. Security is handled via
> Secure Socket Layer (SSL).

This is true: relying on imap/ssl could provide secure remote access without a vpn; however, only with imap minus ssl disabled.

> While totally conjecture at this point, I see no reason why the web
> server and the mail server need be on the same computer.

No longer is it conjecture, I've done it. It is not necessary for them to be the same machine with the applications you have suggested. In fact nearly all of the applications can reliably be on separate servers, with the exception of apache+squirrelmail and postfix+imapd.

The rest of it looks good.

> I can build, install, and document these and other servers at your
> facility if you are interested.

So is this a question or an ad?

Cory

--
Cory Petkovsek                          Adapting Information
Adaptable IT Consulting                 Technology to your
(541) 914-8417                          business
[EMAIL PROTECTED]                       www.AdaptableIT.com

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
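An added example, not part of Cory's reply or the original thread: a netfilter ruleset sketch for the layout he describes (the server as its own firewall, IMAP only over SSL, SMB reachable only from the office LAN or from packets that arrived inside an IPsec tunnel). The LAN range, the use of the `policy` match, and the port list are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example, not from the thread: netfilter rules for the "server is
# its own firewall" layout. LAN range and IPsec match form are assumptions.
LAN_NET="192.168.1.0/24"      # assumed office LAN, may use plain SMB
# Native IPsec stack: match packets that were decapsulated from an SA. With
# FreeS/WAN's KLIPS they arrive on ipsec0 instead, so use IPSEC_MATCH="-i ipsec0".
IPSEC_MATCH="-m policy --dir in --pol ipsec"

# Print the ruleset instead of applying it, so it can be reviewed and tested
# before it touches a live host.
build_rules() {
  cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE and ESP must reach the host or the tunnel never comes up.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# Public services: SMTP, HTTP, HTTPS and IMAP over SSL; plain IMAP stays closed.
iptables -A INPUT -p tcp -m multiport --dports 25,80,443,993 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j DROP
# SMB/CIFS: office LAN or IPsec-authenticated packets only, never the raw Internet.
iptables -A INPUT -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT $IPSEC_MATCH -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT $IPSEC_MATCH -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
EOF
}

# Self-check: return 0 only if every SMB ACCEPT rule carries either a source
# restriction or the IPsec match, i.e. nothing answers SMB from anywhere.
check_rules() {
  if build_rules | grep -E -- '--dports (139,445|137,138).*-j ACCEPT' \
       | grep -v -e ' -s ' -e 'ipsec' | grep -q .; then
    return 1
  fi
  return 0
}

# "sh fw.sh apply" (as root) applies the rules; anything else just prints them.
if [ "${1:-}" = "apply" ]; then
  build_rules | sh
else
  build_rules
fi
```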
