Greg Owen {gowen} wrote:
> How does Qmail act as an outbound relay for a host who is not listed in
> DNS?
>
> I'm setting up a network which has two Qmail mail relays on the DMZ, and
> the mail server (mail store) on the internal network. The firewall allows
> the mail store to talk to the mail relays (and vice versa), and the mail
> relays to talk to the Internet (and vice versa).
Greg,
Check out the O'Reilly book "Building Internet Firewalls" (? may be
slightly wrong title). It has a lot of useful suggestions which may
help you.
I have a similar setup, i.e. mail is received by a "bastion host" on our
perimeter network (DMZ) and forwarded to the internal mail host on our
internal network through a router doing address translation, i.e. the
internal network uses 172.16.x.
I actually use QMQP to transfer mail from the bastion host to the
internal mail host. The bastion host runs qmail-smtpd to receive
incoming mail, and uses qmail-qmqpc to send it all through the firewall
to the internal mail host. No mail is delivered locally on the bastion
host; all locally generated system mail is delivered to the internal
mail host.
I don't bother using the bastion host as an outgoing relay; I send all
mail direct from the internal mail host. There's not really much more
of a security risk since you only have to open up the router for
outgoing packets (from what I can gather). Though it wouldn't be too
much trouble allowing the internal machine to use the bastion host as an
outgoing relay as the bastion host uses the "internal" DNS, i.e. as
specified in resolv.conf.
> 1) Add the mail store to Internet-available DNS? Security guidelines
> say not to do this, in order to deny information to attackers, but that's
> always seemed a pretty weak argument to me (once someone is in a position to
> use the information, they're in a position to gather the information pretty
> easily).
Nope.
>
> 2) Set the firewall to allow the mail relays to query the INTERNAL DNS
> servers, which will know about this host and will forward other requests
> back out the firewall to the ISP's DNS server? Seems inefficient, and
> presumably is as bad or worse than #1 security wise (cracker need only break
> DMZ to get all DNS info, as opposed to breaking onto the internal network).
This is what I do.
>
> 3) Set up a forwarding DNS server on the DMZ which knows about the
> internal mail store, but doesn't pass that info on to the Internet?
Nope. You seem to be confusing DNS server and DNS client. You can
specify that the bastion host uses the internal DNS to resolve names for
its own processes and run a DNS server on the same box containing
completely different information.
> 4) Entering an [dotted quad] into smtproutes fixes this on the inbound
> relay case. Is there a similar fix for the outbound relay case?
Why not send outgoing mail directly?
R.
--
Two rules to success in life:
1. Don't tell people everything you know.
-- Sassan Tat
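Added example, not code from the thread above: a POSIX sh script that stages the bastion-host files the reply describes (control/qmqpservers pointing at the internal mail host, qmail-queue replaced by the qmail-qmqpc client so nothing is delivered locally, and the bastion's own resolver pointed at the internal DNS) and then checks them. The addresses, the staging directory and the function names are assumptions; the internal host is assumed to run qmail-qmqpd, which is not shown here.

```sh
#!/bin/sh
# Stage bastion-host qmail/resolver config in a scratch tree for review,
# then copy it into place by hand. Hypothetical addresses: 172.16.0.25 is
# the internal mail host, 172.16.0.2 the internal DNS server.
STAGE="${STAGE:-./bastion-stage}"
QMAIL_ROOT="$STAGE/var/qmail"
RESOLV_CONF="$STAGE/etc/resolv.conf"
INTERNAL_MAILHOST="${INTERNAL_MAILHOST:-172.16.0.25}"
INTERNAL_DNS="${INTERNAL_DNS:-172.16.0.2}"

# True only for a dotted quad inside 172.16.0.0/12, the internal range used
# in the thread; a hostname or a public address is rejected.
is_internal_ip() {
    echo "$1" | awk -F. '$0 ~ /^[0-9.]+$/ && NF == 4 && $1 == 172 &&
        $2 >= 16 && $2 <= 31 && $3 <= 255 && $4 <= 255 { ok = 1 }
        END { exit !ok }'
}

stage_bastion_config() {
    mkdir -p "$QMAIL_ROOT/control" "$QMAIL_ROOT/bin" "$STAGE/etc"
    # qmail-qmqpc reads QMQP server addresses (one per line) from here and
    # hands every message straight to the internal host over TCP 628.
    printf '%s\n' "$INTERNAL_MAILHOST" > "$QMAIL_ROOT/control/qmqpservers"
    # mini-qmail style: qmail-queue becomes the QMQP client, so qmail-smtpd
    # on the bastion never queues or delivers anything locally.
    ln -sf qmail-qmqpc "$QMAIL_ROOT/bin/qmail-queue"
    # The bastion resolves names through the internal DNS (the DNS *client*
    # side); any DNS *server* on the box serves different data and is unaffected.
    printf 'nameserver %s\n' "$INTERNAL_DNS" > "$RESOLV_CONF"
}

# Returns 0 when the staged tree matches the intended design, 1 otherwise.
check_bastion_config() {
    f="$QMAIL_ROOT/control/qmqpservers"
    [ -s "$f" ] || return 1
    while read -r ip; do
        is_internal_ip "$ip" || return 1   # QMQP servers must be internal IPs
    done < "$f"
    [ "$(readlink "$QMAIL_ROOT/bin/qmail-queue")" = "qmail-qmqpc" ] || return 1
    is_internal_ip "$INTERNAL_DNS" || return 1
    grep -qx "nameserver $INTERNAL_DNS" "$RESOLV_CONF"
}

if [ "${1:-}" = "stage" ]; then
    stage_bastion_config && check_bastion_config && echo "staged under $STAGE"
fi
```

Run as `sh bastion.sh stage`; the check fails loudly if a hostname or public address creeps into qmqpservers or resolv.conf.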