On Sat, 2005-11-05 at 05:48 -0500, Binand Sethumadhavan wrote:

> 
> Every mail server has two bits of information to identify a connecting client.
> 
> 1. The argument the connecting client presents with the SMTP EHLO
> command. While the RFCs require this to be the FQDN of the connecting
> client, this can be easily spoofed by the client. No self-respecting
> server will use this bit as the sole source for client identification.
> 
> 2. The IP address from which the client is connecting. This
> cannot be spoofed, hence this is what most servers rely on. Mail
> servers of busy ISPs require that this IP address has a valid reverse
> DNS entry.
> 
> (We are talking only of the connection setup; I know there is SMTP
> AUTH etc. to identify the client once the transaction is in progress).
> 
You mean that the server on the other end will know my mail-server IP
(192.168.y.x) is NATed by my real IP 202.x.x.x? And if the real IP
reverse DNS resolution is correct most will accept mail though some will
deny mail? (This assumes my scenario of the outgoing server on local LAN
& not DMZ)


> If I read that correctly, you plan to have two websites and two mail
> servers on two servers - one in your DMZ and one inside your LAN.

Yes

> Why
> don't you put both these servers on the DMZ and merge your two
> websites into one server by Apache virtual hosting, and use the other
> server for emails in both directions? I'd expect it to be a cleaner
> design. You will open up port 80 inbound on the webserver machine,
> port 25 inbound and outbound on the mail server machine. Further, you
> will use Apache's mod_access to restrict your intranet to your
> internal LAN (or run your intranet on a different port and do port
> translation on your firewall).
> 
Yes... that's possible and much less work.

> Your basic design is sound - you have clearly demarcated your Trust,
> Untrust and DMZ security zones. But after that you seem to have
> faltered - by putting machines that should go on the DMZ into your
> Trust zone.
> 
> I am not familiar with IPCop, but any decent firewall will let you map
> IP:port1 to one server in your DMZ, and IP:port2 to another.

Well, I am assuming that the DMZ server WILL be broken into. Since, in
addition to the perimeter firewall (IPCop), I intend to firewall the DMZ
server itself allowing only http, incoming smtp & DNS from the internet
and http & pop3/imap access from the LAN.

As far as I am concerned, the DMZ server will be vulnerable to Apache
exploits, SMTP & DNS Server exploits only as everything else will be
firewalled... no pin-holes, nothing. Regular updates, coupled with choice
of Qmail & DJ Bernstein's TinyDNS (which I believe are more secure),
will ensure that these services are not the break-points. However, as I
believe that all security is relative, I intend to add another layer of
security. All web-apps required by users on the LAN will be serviced by
a separate web-server & database on a machine which will also act as a
File Server & Windows PDC (SMB Services).

Being an average Power user & not a security expert, I would rather
build security in the Network Design rather than rely on my capability
to troubleshoot, which I believe is questionable.

Please do critique the design and my logic.

With best regards.
Sanjay.
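
The connection-time identification discussed in the quoted text, as an added example that is not part of the original thread: the receiving server works from the peer address of the TCP connection (after NAT, the public address, never the private one) and the EHLO argument. This sketch goes one step beyond the plain reverse-DNS requirement by also forward-confirming the PTR name; the zone data, host names and documentation-range addresses are constructed so it runs offline.

```python
import socket

def system_reverse(ip):
    """PTR names for ip via the system resolver; [] when there is no record."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_forward(name):
    """Addresses that name resolves to via the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def classify_client(peer_ip, ehlo_name, reverse=system_reverse, forward=system_forward):
    """Judge a client at connection setup from the two facts the server has:
    the peer address of the TCP connection and the EHLO argument."""
    norm = lambda n: n.rstrip(".").lower()
    names = [norm(n) for n in reverse(peer_ip)]
    if not names:
        return "no-rdns", []
    # Forward-confirm: a PTR name counts only if it resolves back to the peer.
    confirmed = [n for n in names if peer_ip in forward(n)]
    if not confirmed:
        return "rdns-unconfirmed", names
    if norm(ehlo_name) in confirmed:
        return "ok", confirmed
    return "ehlo-mismatch", confirmed

# Constructed zone data (documentation address ranges, hypothetical names).
SAMPLE_PTR = {"203.0.113.25": ["mail.example.org."],
              "203.0.113.99": ["mail.example.org."]}
SAMPLE_A = {"mail.example.org": ["203.0.113.25"]}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    # A NATed server is seen as its public address; a LAN name in EHLO stands out.
    for ip, ehlo in [("203.0.113.25", "mail.example.org"),
                     ("203.0.113.25", "mailhost.lan"),
                     ("203.0.113.99", "mail.example.org"),
                     ("198.51.100.7", "mail.example.org")]:
        print(ip, ehlo, classify_client(ip, ehlo, sample_reverse, sample_forward))
```

Called without the last two arguments, `classify_client` uses the system resolver instead of the constructed tables.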



