This:

"I simply will configure "plain text" communication..."

Should have read:

"I simply will not configure "plain text" communication..."

-Cooper

> On Fri, Jul 18, 2003 at 09:45:37AM -0700, Cooper Stevenson wrote:
> > The Goal: build a server that will effectively filter spam, deliver
> > email, and provide convenient remote access to corporate data. The
> > server may or may not be behind a firewall, so security is of primary
> > importance.
> >
> > The Solution:
> >
> > Postfix + Spamassassin + UW IMAP + Samba + Apache Web Server +
> > SquirrelMail
>
> Without another firewall, the server itself should be the firewall by
> compiling in netfilter. Netfilter should be here in order to block
> ports that are not allowed open, even if the daemon needs to be running.
>
> > This configuration allows business travelers and office workers alike
> > the ability to access their email and server file shares from anywhere
> > on the Internet, including their homes. Please refer to the following
> > links:
>
> Accessing a samba share across the internet is not secure. Since you
> mention it may not be behind a firewall, this means samba is available
> to the internet. Bad idea. This is because LM and NTLM are not secure.
> The former is easily crackable and both are replayable. I would not
> implement this over the public internet if I were you. NTLMv2, which
> uses 128-bit encryption and negotiated keys, should be required and all
> lesser protocols refused. This means specially configuring each win9x
> client to support ntlmv2 (installing new patches), configuring nt/2k
> clients to only send ntlmv2, and configuring samba to use only ntlmv2.
> However Samba 2.2.8a does not support it yet! Therefore you cannot do
> this securely.
>
> If you want remote clients to access samba remotely then freeswan
> should be compiled into the kernel as well and each client should have
> an ipsec client. These come with windows 2000, but for home cable users
> a linksys that supports ipsec is excellent. Also accessing windows
> shares across 256kb or less is too slow to be practical. Remote access
> like vnc is much better for accessing browsable windows shares.
>
> Next netfilter is used in conjunction with the vpn so that only packets
> authenticated by ipsec are allowed to samba services. Otherwise it
> is perhaps just a mail/imap/web server.
>
> > using SpamAssassin. Now, while the 'images' directory is a sub-folder
> > under my home directory, there is absolutely no reason why this could
> > not be a Samba share pointing to a remote Linux or NT server. This means
> > in effect that business travelers can access their email and files
> > centrally through their email client. Doing so negates the need for a
> > VPN within the scope of these accesses. The user need know only how to
> > set their account up through their email client. Security is handled via
> > Secure Socket Layer (SSL).
>
> This is true, relying on imap/ssl could provide secure remote access
> without a vpn, however only with imap minus ssl disabled.
>
> > While totally conjecture at this point, I see no reason why the web
> > server and the mail server need be on the same computer.
>
> No longer is it conjecture, I've done it. It is not necessary for them
> to be the same machine with the applications you have suggested. In
> fact nearly all of the applications can reliably be on separate servers
> with the exception of apache+squirrelmail and postfix+imapd. The rest
> of it looks good.
>
> > I can build, install, and document these and other servers at your
> > facility if you are interested.
>
> So is this a question or an ad?
>
> Cory

--
Cooper Stevenson | Em: [EMAIL PROTECTED]
Open Source Consultant | Ph: 541.924.9434

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
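As an added example (not code from the thread), here is the netfilter policy Cory sketches: default deny on INPUT, only SMTP, IMAP-over-SSL and HTTPS reachable from the public Internet (plain IMAP and HTTP stay closed even though the daemons are listening), and the Samba ports accepted only on the IPsec interface. It assumes FreeS/WAN's `ipsec0` interface name and an `iptables` binary; setting `IPT=echo` prints the rules for review instead of loading them.

```shell
#!/bin/sh
# Added example: netfilter policy for a mail/IMAP/web server that also
# serves Samba, but only to IPsec-authenticated peers.
# Assumptions: FreeS/WAN delivers decrypted traffic on ipsec0; the
# iptables "state" and "multiport" matches are available.
set -eu

VPN_IF="${VPN_IF:-ipsec0}"   # assumption: FreeS/WAN virtual interface

apply_rules() {
    ipt="${IPT:-iptables}"   # IPT=echo prints the rules instead of loading them

    # Clean slate, deny anything not explicitly allowed below.
    "$ipt" -F INPUT
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Loopback and replies to connections this host initiated.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # IKE and ESP so IPsec peers can negotiate and deliver the tunnel.
    "$ipt" -A INPUT -p udp --dport 500 -j ACCEPT
    "$ipt" -A INPUT -p esp -j ACCEPT

    # Public services: SMTP (25), IMAP over SSL (993), HTTPS (443).
    # Plain IMAP (143) and HTTP (80) are deliberately absent: the
    # daemons may listen, but netfilter keeps the ports closed.
    for port in 25 993 443; do
        "$ipt" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done

    # Samba only from packets that arrived through the IPsec tunnel.
    "$ipt" -A INPUT -i "$VPN_IF" -p udp -m multiport --dports 137,138 -j ACCEPT
    "$ipt" -A INPUT -i "$VPN_IF" -p tcp -m multiport --dports 139,445 -j ACCEPT

    # The same ports from anywhere else are logged, then hit the DROP policy.
    "$ipt" -A INPUT -p udp -m multiport --dports 137,138 -j LOG --log-prefix "smb-public: "
    "$ipt" -A INPUT -p tcp -m multiport --dports 139,445 -j LOG --log-prefix "smb-public: "
}

# Load the rules only when explicitly asked, so sourcing the file is harmless.
if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_rules
fi
```

Run `IPT=echo sh firewall.sh` after setting `APPLY_RULES=1` to review the generated rules; without `IPT=echo` they are loaded into the running kernel.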
