Marty E. Hillman wrote:
> I suppose one *could* use the forwarded pipe function of ssh to forward
> the mail across a secure pipe to the mail server. This would keep it
> encrypted within the tunnel. Just install Cygwin with ssh on the
> Exchange server (assuming a mostly Micro$oft network like mine). On the
> OSSEC machine,
>
> ssh [EMAIL PROTECTED] -L 25:mailserver.mynetwork.com:25
>
> This should redirect all port 25 traffic to the corresponding SMTP port
> on the server. Just email at localhost.
>
> Setting up Cygwin to tunnel -
> http://pigtail.net/LRP/printsrv/cygwin-sshd.html
This to me sounds worse than giving OSSEC a passphraseless gpg key... In this scenario you are giving OSSEC the ability to ssh to external servers without a passphrase, be it through hostbased equivalency or publickey authentication. Also, the message is only encrypted until it reaches the end of the tunnel (unless all MTA hops are using TLS/SSL). If some password file gets modified and a diff is sent to you, someone could capture that diff, and extract authentication tokens for your site. Additionally, only root can forward privileged ports, so OSSEC would have to run this as root =(.

There really isn't a graceful solution to this problem. The best answer so far seems to be locking down your OSSEC server, give OSSEC a gpg key which you "somewhat" trust, and hope your OSSEC system doesn't get broken into.

My favorite answer so far is "just don't send diffs automatically".

--
-dave
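One way to narrow two of the risks Dave raises (a passphraseless key that can do anything on the far host, and needing root to bind port 25), as an added example that is not part of either message; it assumes a modern OpenSSH sshd on the mail server and uses constructed hostnames, user and key. It does not change his hop-by-hop point: the mail is still in the clear past the tunnel's far end unless every MTA hop uses TLS.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the two pieces of a locked-down
# version of Marty's tunnel: an authorized_keys entry on the mail server that
# lets the OSSEC host's passphraseless key open the tunnel and nothing else,
# and a client command that binds an unprivileged local port so OSSEC does not
# need root. Hostnames, user and key below are constructed placeholders.
# 'restrict' needs OpenSSH 7.2 or newer on the mail server's sshd.

# Emit one authorized_keys line. $1 = host:port the tunnel may reach,
# $2 = public key ("type base64"). 'restrict' turns off pty, X11/agent
# forwarding and ~/.ssh/rc; 'port-forwarding' re-enables -L, and
# 'permitopen' confines it to the single SMTP destination.
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$1" "$2"
}

# True (exit 0) only for a numeric port that does not need root to bind.
unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Emit the ssh invocation for the OSSEC side. $1 = local port, $2 = host:port
# to forward to, $3 = identity file, $4 = user@mailserver. -N opens no shell,
# and binding 127.0.0.1 keeps the forwarded port off the network.
tunnel_command() {
    unprivileged_port "$1" || { echo "local port $1 would require root" >&2; return 1; }
    printf 'ssh -N -i %s -L 127.0.0.1:%s:%s %s\n' "$3" "$1" "$2" "$4"
}

# Constructed values for a dry run.
KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey'
restricted_key_line 'mailserver.mynetwork.com:25' "$KEY"
tunnel_command 2525 'mailserver.mynetwork.com:25' /var/ossec/.ssh/tunnel_key tunnel@mailserver.mynetwork.com
```

OSSEC's own mailer may insist on port 25, in which case a local MTA listening on 25 can relay to 127.0.0.1:2525 while OSSEC itself stays unprivileged.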
