On Sat, 2005-11-05 at 05:48 -0500, Binand Sethumadhavan wrote: > > Every mail server has two bits of information to identify a connecting client. > > 1. The argument the connecting client presents with the SMTP EHLO > command. While the RFCs require this to be the FQDN of the connecting > client, this can be easily spoofed by the client. No self-respecting > server will use this bit as the sole source for client identification. > > 2. The IP address from where the client is connecting from. This > cannot be spoofed, hence this is what most servers rely on. Mail > servers of busy ISPs require that this IP address has a valid reverse > DNS entry. > > (We are talking only of the connection setup; I know there is SMTP > AUTH etc. to identify the client once the transaction is in progress). > You mean that the server on the other end will know my mail-server Ip (192.168.y.x) is natted by my real IP 202.x.x.x ? And if the Real IP reverse DNS resolution is correct most will accept mail though some will deny mail? (This assumes my scenario of the outgoing server on local LAN & not DMZ)
> If I read that correctly, you plan to have two websites and two mail > servers on two servers - one in your DMZ and one inside your LAN. Yes > Why > don't you put both these servers on the DMZ and merge your two > websites into one server by Apache virtual hosting, and use the other > server for emails in both directions? I'd expect it to be a cleaner > design. You will open up port 80 inbound on the webserver machine, > port 25 inbound and outbound on the mail server machine. Further, you > will use Apache's mod_access to restrict your intranet to your > internal LAN (or run your intranet on a different port and do port > translation on your firewall). > Yes..that's possible and much less work. > Your basic design is sound - you have clearly demarcated your Trust, > Untrust and DMZ security zones. But after that you seem to have > faltered - by putting machines that should go on the DMZ into your > Trust zone. > > I am not familiar with IPCop, but any decent firewall will let you map > IP:port1 to one server in your DMZ, and IP:port2 to another. Well, I am assuming that the DMZ server WILL be broken into. Since, in addition to the perimeter firewall (IPcop), I intend to firewall the DMZ server itself allowing only http, incoming smtp & DNS from the internet and http & pop3/imap access from the LAN. As far as I am concerned, the DMZ server will be vulnerable to Apache exploits, SMTP & DNS Server exploits only as everything else will be firewalled...no pin-holes nothing. Regular updates, coupled with choice of Qmail & DJ Bernstein's TinyDNS (which I believe are more secure), will ensure that these services are not the break-points). However, as I believe that all security is relative, I intend to add another layer of security. All web-apps required by users on the LAN will be serviced by a seperate web-server & database on a machine which will also act as a File Server & Windows PDC (SMB Services). Being an average Power user & not a security expert, I would rather build security in the Network Design rather than rely on my capability to troubleshoot, which I believe is questionable. Please do critique the design and my logic. With best regards. Sanjay. ------------------------------------------------------- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php _______________________________________________ linux-india-help mailing list linux-india-help@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-india-help
