On Mon, May 21, 2001 at 02:40:54AM +0100, John P wrote:
> We run a Linux box (LRP) as a firewall on our office network. Currently
> ports 25 and 110 are portforwarded to an internal server which runs qmail
> (on RedHat 7.0).
> 
> Is there any point in setting up a forwarding-only version of qmail (perhaps
> using QMTP?) on the firewall box, or on a separate box in say a DMZ? I know
> a 'mail proxy' like this is recommended for Sendmail in some network
> security books, and if we did it then the internal box would have no ports
> open to the outside world*, but with qmail's inherent security, is it
> necessary?

You could put qmail on the firewall host with qmail-qmqpc (check the
mini-qmail docs) so that no outside box talks to your internal
mailserver directly. Local queueing+smtproutes works too, of course.

Whether this is needed for a qmail box itself is not a question - when
creating a secure system, you ignore that any specific bit is secure
and still secure everything around it.

> *although as I type this I'm guessing that POP3 would still need to go
> through to the internal server due to the user's home directories being on
> there

Yes, pop3 is not that easily fixed.

Greetz, Peter.
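
An added example, not part of the original message: a shell audit of the "local queueing + smtproutes" gateway setup suggested above, checking that the firewall's qmail control files only forward and never deliver locally. The domain example.com, the internal address 10.0.0.25 and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a qmail control directory for the
# "local queueing + smtproutes" gateway setup. Domain and IP are constructed.

# write_gateway_control DIR DOMAIN INTERNAL_IP: create relay-only control files.
write_gateway_control() {
    mkdir -p "$1"
    : > "$1/locals"                       # present but empty: nothing is local
    printf '%s\n' "$2" > "$1/rcpthosts"   # only accept mail for our domain
    printf '%s:%s\n' "$2" "$3" > "$1/smtproutes"  # hand it to the internal host
}

# check_relay_only DIR: print findings; return 0 only if DIR is forwarding-only.
check_relay_only() {
    ctl=$1; rc=0
    if [ ! -e "$ctl/locals" ]; then
        echo "FAIL: locals missing, qmail falls back to control/me as local"; rc=1
    elif [ -s "$ctl/locals" ]; then
        echo "FAIL: locals lists domains, mail would be delivered on the gateway"; rc=1
    fi
    if [ -s "$ctl/virtualdomains" ]; then
        echo "FAIL: virtualdomains is set, mail would be delivered on the gateway"; rc=1
    fi
    if [ ! -e "$ctl/rcpthosts" ]; then
        echo "FAIL: rcpthosts missing, qmail-smtpd accepts any recipient domain"; rc=1
        return $rc
    fi
    # A route with an empty domain part (":host") covers every domain.
    grep -q '^:' "$ctl/smtproutes" 2>/dev/null && return $rc
    while IFS= read -r dom; do
        [ -n "$dom" ] || continue
        # Exact-match only; leading-dot wildcard entries are not expanded here.
        if ! cut -d: -f1 "$ctl/smtproutes" 2>/dev/null | grep -Fxq -- "$dom"; then
            echo "FAIL: no smtproutes entry for $dom, delivery would follow DNS MX"; rc=1
        fi
    done < "$ctl/rcpthosts"
    return $rc
}

# Demo on a scratch directory, so a real /var/qmail/control is never touched.
demo=$(mktemp -d)
write_gateway_control "$demo" example.com 10.0.0.25
check_relay_only "$demo" && echo "OK: gateway only forwards to the internal server"
rm -rf "$demo"
```
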
