|Main Archive Page > Month Archives > postfix-users archives|
On Apr 1, 2010, at 7:33 PM, Stan Hoeppner wrote:
> If you want all the edge security managed by one device
I don't. There's a border router with ACLs, and everybody has a reasonably intelligent packet filter. I'm just trying for this one fairly fancy box in the middle for inspection and routing around the site (3 nets). It really isn't all that complicated, I don't think. I was just told I needed to do some stuff I'd never heard of, and I'm working on deciding on whether I believe it or not.
> If you actually know enough about what you're doing, just punch a TCP 25
> pub/priv PAT hole through your current F/W to your Postfix server and beef
> up your AS/AV countermeasures.
Actually, I'm thinking that Wietse and his buds know what they're doing, and I can poke that TCP 25 hole to Postfix, and Postfix can pretty much take care of itself, as long as I keep massive trash off it.
> We've talked about a plethora of such
> methods both here and on spam-l that you've seen.
> Using an SMTP proxy/relay
> on the F/W box and sticking your Postfix server in the DNZ is a useless,
> fruitless, labor hogging effort, complicating your network architecture and
> introducing new troubleshooting headaches, for _zero_ security gain.
Thanks, Stan. I'll keep your gently worded advice in mind :-)
It's actually pretty much the conclusion I was coming to anyway, except that I like having the Internet servers in the DMZ.
> Proxies and DMZs look neat on paper and in theory, but in the real world,
> for 95%+ or more of deployed applications, including SMTP mail, they create
> far more problems than they could ever hope to solve. Any seasoned sysop
> shuns unneeded complexity.
Certainly, although I'm far from seasoned. The hard part is defining "unneeded". I'm running a small system, but the DMZ model's never given me much trouble. I don't have a problem managing it, and it's useful in segmenting functions of the hosts (physically and mentally).
-- Glenn English email@example.com