tarballed
July 7th, 2003, 16:47
Hi everyone.
I have a question about a possible scenario on setting up a email server on our company's network.
I had a long meeting today with management and they decided they wanted to have me try and setup a email server, with a twist.
Basically, what they want to do is setup our web server to be able to forward email requests to our internal network, which contains the email server. They decided that they do not want to stick the mail server on our DMZ, but instead, but our web server on the DMZ and set it up to act as a 'middle man' sort a speak.
First, is that possible?
Second, is it even a good idea/bad idea?
Third, does anyone have any suggestions to a possible alternative to this if this is not a good idea? Or, suggestions for something I can setup to appease managment here?
Lastly, any links on where I can find this out at?
Im still fighting with managment on what type of program to use for email. I cringe at using sendmail, but they want to use it for a variety of reasons.
Well, im eager to get some feedback on this.
Thanks everyone.
Tarballed
tarballed
July 7th, 2003, 19:15
Also, if I might add. I would really like to find out more about sendmail and postfix and using them as a mail server.
Does anyone have any reviews or comments of some sort, where I can see what is good and what is bad?
Anyone care to share personal experiences with sendmail or postfix?
Which of the two is more robust? Can I add Anti-virus scanners to both sendmail and postifx? Spam? etc...the list goes on.
Oh, one last thing.
From this proposed 'solution' management derived, what are your personal thoughts about it? Let me put it this way. If it was up to you, what would you do?
Im trying to gather as much data as I can so I can make better decisions and less hassle in the long run.
Thanks guys!
Tarballed
frisco
July 7th, 2003, 20:12
What is their goal? You've told us the proposed solution, but i don't see the problem it is intended to solve.
tarballed
July 7th, 2003, 20:40
Let me put a bit more out there.
They do not want to put the email server in the DMZ. They want as little as problems as possible. (Believe me, I had to literally fight tooth and nail to convince them that putting a bunch of things on one server, could be bad.)
Anyway, so there thinking is, lets put up a web server in the DMZ and have all email requests forwarded to our internal mail server.
So, we have a email server that will be accessed both internall and externally.
I was trying to locate the good and bad about this.
Also, a good way of going about this.
What mail server to use? Postfix? Sendmail? etc...
I was also looking for more info on Postfix and Sendmail (reviews, personal experiences etc....) so I can build upon this for the future.
That help?
I can add more to this. :)
Thanks
Tarballed
|MiNi0n|
July 7th, 2003, 23:15
First of all, postfix is the way to go. It's reliable, robust and it's mega configurable (and easy to config!).
Second of all. It *is* quite a good idea to use a mail gateway on the outside to pass mail to a final destination on the inside, even if it's a web server too. You can bounce mail at the gateway before it gets inside (virus, spam, rbl). You can do maintenance on the internal server while mail just collects externally. Lotsa good reasons to do this. In fact, I wouldn't do it any other way.
Now, you can pass that mail internally through various secure methods. First off, I believe postfix supports secure transport of mail. Secondly, you can use something like stunnel.
If you need any more input ask away. There are a few heavy duty mail admins on this list, we'll lend ya some stellar advice.
But, do yourself a favour and go postfix!!!!
tarballed
July 8th, 2003, 00:05
Right on guys!! Right on!!
Ok. First thing I need to do is convince management to go with Postfix.
Secondly, I need to start planning this rollout and present it to the 'suits.'
Lastly, I know this is a great place to post for help (everyone here rocks!) but are there any links that can help with this, or docs of some sort?
I like to compile as much documentation as I can. :)
Thanks guys....I will post a ton of stuff soon!!
Tarballed
KrUsTy!
July 8th, 2003, 01:59
Postfix is deffinately the way to go as far as I am concerned. It just rocks. I was turned onto postfix about 3 years ago, and I have never looked at another MTA. Postfix does everything I want, fast and secure.
Best place to start for docs is;
http://www.postfix.org
In the docs section they have a ton of great stuff.
Also SE has some good stuff about postfix and BSDs...
http://screamingelectron.org/phpBB2/viewtopic.php?t=3&highlight=postfix
http://screamingelectron.org/phpBB2/viewtopic.php?t=279&highlight=postfix
|MiNi0n|'s suggested way to run postfix is extact the way I think it should be done. A gateway MTA and then pass filtered email into an internal MTA for delivery.
Here is an article that discusses the benefits of a single point external DMZed MTA and the use of postfix.
http://www.linuxjournal.com/article.php?sid=4241
Hope this helps.
{K}
|MiNi0n|
July 8th, 2003, 03:38
http://www.redhat.com/support/resources/howto/RH-postfix-HOWTO/c49.html
http://www.linuxjournal.com/article.php?sid=4241
tarballed
July 10th, 2003, 14:03
Hey Thanks guys. I really do appreciate it. Im still around, i've just been having a crap load of stuff happen lately and my life feels a little out of control. Took a few days of work to take care of some family issues, but everything is better and slowly returning to 'normal.'
Anyways, I am going to be hammering away on the mail server tomorrow and next week. I have convinced management to let me use Postfix. :D
So, get ready for questions. :)
Tarballed
psyche101
September 1st, 2003, 04:33
Good Luck tarballed
We use postfix for our internal/external mail server without a hitch, I only wish that our Win2K file/Application server was even half as stable, always have great uptime and very little issues, we are also running squid, and apache and as I mentioned, I doubt that FreeBSD has the word crash in it's database. FreeBSD makes a great firewall, and the setup cost will make you popular with 'the suits' if you get a few quotes on the competitors setup fees.
I agree with minion, heaps easier to config than sendmail. Have fun :)
tarballed
September 1st, 2003, 15:39
thanks psyche101...
So far, everything seems to be working well. Gateway is up and running and forwarding email correctly. The mail server is receiving email from the gateway and deliverying as it should. Also, sending email out through the mail server is working correctly as well..
The things im still working on:
Still working with postfix UCE controls...speaking of, anybody ever implemented some of the suggestions from this web site's stuff?
http://www.securitysage.com/guides/postfix_uce.html
Specifically, I was curious about the RHSBL stuff...I found their header checks very useful and im working on access file as well...
I also really like the way they explained all the differences between smtpd_*_restritcions...Made me thing about how to setup mine up...
So far, I setup all my rules for the most part under smtpd_recipient_restrictions
Im also working on Mailman. I got it up and running, but I still need to configure a few things on it. The one thing that drives me crazy is a lack of documentation. As it is now, is there a way to lock down the Mailman server? Also, the mailmanctl that starts the qrunner, there is not a whole lot of info about that program, other than it needs to be running in order to use the mailing lists...
Still looking into a local MDA: looking at Maildrop and Procmail. I know postfix works as a MDA, but researching if it would benefit me to put in something like procmail...
Apache: Worked with apache in the past, but havent in awhile...
Anyone care to comment?
Thanks guys..
Tarballed
|MiNi0n|
September 1st, 2003, 16:17
Be careful with the restrictions you implement, you can bounce a whole lot of email.
<rant>
The trouble with this is that are are *so* many "Mail Admins" (I use that term loosely!) that plop a mail server on the Net and just let 'er rip. These systems aren't correctly configured yet they're passing legitimate mail in many cases so you can end up bouncing them if you're not careful :)
I know what you're going to say tarballed: "What should I and what shouldn't I implement?" My best advice is read and learn! The more knowledgeable mail admins out there the better off we all are.
</rant>
Ok... I'm done, I feel better now :lol:
tarballed
September 1st, 2003, 16:25
Ok... I'm done, I feel better now
Hehe..I know what your saying Minion. I've been pouring over UCE documents for a better part of yesterday and today. There are so many options out there that its almost mind numbing at times.
There are a few things I do like about some of the information that securitysage.com provides. For example, if you take a look at some of the data in header_checks and access files they provide, a lot of it seems to be setup nicely, to rejct spam stuff: Like "Grow your P3n1s to be huge!" heheheh
Your right there. I dont want to reject 'safe' email. I guess that is why Im making sure I have everything correct, before this goes live. I dont need a 'wide open' mail server on my hands...that would suck.
here is a quick snip of what I have in my smtpd_recipient_restrictions part:
[code:1:47592d8293]smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, check_recipient_access hash:/etc/postfix/access, reject_rbl client relays.ordb.org, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit[/code:1:47592d8293]
I'm still building it and adding as I see fit. This is the setup on my mail gateway.
Any comments? See anything that looks bad. :)
Tarballed
elmore
September 1st, 2003, 16:39
Be careful with the restrictions you implement, you can bounce a whole lot of email.
<rant>
The trouble with this is that are are *so* many "Mail Admins" (I use that term loosely!) that plop a mail server on the Net and just let 'er rip. These systems aren't correctly configured yet they're passing legitimate mail in many cases so you can end up bouncing them if you're not careful :)
Is that wrong? Should I not be doing that? I gotta plead ignorance on this one. ;)
Of course good old MiNi0n is correct.