On Thu, 7 Dec 2000, Al Sparks wrote:
> Some of the posts on this thread (and others) seem to be referring to
> the mail server receiving the mail from the outside as the "firewall".
>
> Actually a mail server that receives mail and then passes the mail on
> to the internal mail server for further processing should probably be
> called a mail proxy server because it has about the same functionality
> as a web proxy server.
>
Hi Al,
True enough. However, most if not all firewalls come pre-packaged with
some kind of mail proxy. The mail proxy is only one of the many services a
firewall provides. Obviously, in large scale domains, you may want or need
to dedicate a system to do only mail proxying/relaying, but certainly not
in every case, as in this one.
> Of course you could run mail software on a firewall depending on what
> kind of platform and OS you run your firewall on, but it's not
> recommended from a security point of view. The more services you run
> on your firewall, the more vulnerable you make it.
Again, that's true. I would definitely stay away from ANY sendmail
implementation on a firewall. But qmail I can live with (and have).
Besides, the purpose of a firewall is to provide a way to securely access
an insecure network. So, chances are, you'll have to provide those main
services (HTTP, SMTP, etc.) whether you like them or not. You just have to
find a way to make them as secure as you possibly can. There are mail
proxies out there (SMAP/SMAPD for example), but to me qmail does a fine
job when properly configured. That's the beauty of qmail compared with
sendmail... the ease of configuration.
>
> What I would recommend is a separate mail server to receive mail
> outside your firewall (or in the DMZ), and forward that mail to your
> mail server with all the accounts, inside the firewall. The theory
> being that if someone invades your "proxy" mail server, your internal
> mail server isn't bothered (it just stops being able to receive and
> send mail to the outside).
> === Al
Still... your firewall in the above example will need some kind of proxy
or mail relay agent. Basically you are adding an extra box in front, which
to me is only an extra possible point of failure. The same
situation/requirement remains.
Jean
-
Jean Caron
Network Security Consultant
NORAC inc. - Network Optimization Research & Analysis Canada
Quebec, Canada
(613) 277-6672
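As an added illustration of the relay both posters are arguing about, here is a small model of how a DMZ mail proxy decides which recipients it accepts and where it forwards them, following the documented matching rules of qmail's rcpthosts and smtproutes control files. This is example code written for this page, not code from the thread or from qmail itself; the domain and host names are constructed.

```python
"""Relay-policy model of a DMZ mail proxy in the style of qmail's
rcpthosts / smtproutes control files. Lookup order mirrors qmail's
documented behaviour: exact domain first, then each dot-suffix.
All hostnames and domains below are constructed examples."""


def _domain_candidates(domain):
    """Keys qmail tries for 'a.b.example.com':
    'a.b.example.com', '.b.example.com', '.example.com', '.com'."""
    domain = domain.lower()
    yield domain
    for i, ch in enumerate(domain):
        if ch == ".":
            yield domain[i:]


def recipient_allowed(rcpt, rcpthosts):
    """rcpthosts lists the only recipient domains this box accepts.
    Refusing everything else is what keeps the DMZ relay from being
    an open relay that the outside world can bounce mail through."""
    if "@" not in rcpt:
        return False
    domain = rcpt.rsplit("@", 1)[1]
    allowed = {line.strip().lower() for line in rcpthosts if line.strip()}
    return any(cand in allowed for cand in _domain_candidates(domain))


def parse_smtproutes(lines):
    """smtproutes lines are 'domain:relay'; a leading-dot domain matches
    subdomains, an empty domain (':relay') is the default route, and an
    empty relay means 'deliver via normal MX lookup' (returned as None)."""
    routes = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        domain, _, relay = line.partition(":")
        routes[domain.lower()] = relay or None
    return routes


def next_hop(rcpt, rcpthosts, smtproutes):
    """Return ('reject', reason) or ('relay', host_or_None) for one
    recipient address, the decision the DMZ box makes per RCPT TO."""
    if not recipient_allowed(rcpt, rcpthosts):
        return ("reject", "553 domain not in rcpthosts (relaying denied)")
    routes = parse_smtproutes(smtproutes)
    domain = rcpt.rsplit("@", 1)[1]
    for cand in _domain_candidates(domain):
        if cand in routes:
            return ("relay", routes[cand])
    return ("relay", routes.get("", None))  # default route or MX lookup


# Constructed config: accept only example.com and its subdomains, and
# push everything accepted to the internal server behind the firewall.
RCPTHOSTS = ["example.com", ".example.com"]
SMTPROUTES = ["example.com:mail-int.example.com",
              ".example.com:mail-int.example.com"]
```

With this configuration the DMZ box never delivers locally and never relays for third-party domains, so a compromise of it yields a queue, not mailboxes.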