Re: [FW1] sendmail on DMZ
Naresh Narang <[email protected]> wrote:

> Mike,
>
> Though I agree that moving sendmail to DMZ is a good idea, but
> nothing prevents a hacker to reach your mailserver in DMZ.

Harden that machine and use a secure MTA (qmail, postfix) or an smtp proxy in the DMZ. The machine should only offer one single service that is smtp.

> Maybe if you would want to run some SMTP proxy on firewall.

Hm, you can do that, but I don't recommend it. I find it far more secure to have a separate machine in the DMZ that can be reached on port 25 than have that port open on the firewall itself. If the daemon in use (whatever it is) turns out to be vulnerable the other day only the machine in the DMZ can be attacked but not the firewall.

Again: Basic Rule No1 in all firewalling: Best is to have just no open ports on your firewall/packet filter.

Wolfgang

--
Wolfgang Kueter
Network Administration & Security
SHLINK Internet Service
http://www.shlink.de
[email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Phone: +49 4121 269 006
Fax: +49 4121 269 007
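Added example, not part of the original message: a small Python audit of a rule base against the two points made in the reply above (no accepted service terminates on the firewall itself; the DMZ mail host offers smtp and nothing else). The rule format, rule names and addresses are constructed for illustration and are not FireWall-1 syntax.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    dst: str        # destination network in CIDR form
    proto: str
    ports: range    # destination ports the rule matches
    action: str     # "accept" or "drop"

# Constructed addresses (documentation ranges), not from the original post.
FIREWALL_IPS = [ipaddress.ip_address("192.0.2.1"),      # external interface
                ipaddress.ip_address("198.51.100.1")]   # DMZ interface
DMZ_MAIL = ipaddress.ip_address("198.51.100.25")
SMTP = 25

def audit(rules):
    """Return (rule name, finding) pairs for accept rules that break either point."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        net = ipaddress.ip_network(r.dst)
        # Point 1: no open ports on the firewall itself. A wide destination
        # network that happens to include a firewall interface counts too.
        if any(ip in net for ip in FIREWALL_IPS):
            findings.append((r.name, "open port on firewall"))
        # Point 2: the DMZ mail host offers one single service, smtp.
        if DMZ_MAIL in net and (r.proto != "tcp" or set(r.ports) != {SMTP}):
            findings.append((r.name, "mail host exposes more than smtp"))
    return findings

# Constructed sample rule base.
RULES = [
    Rule("smtp-to-dmz", "198.51.100.25/32", "tcp", range(25, 26), "accept"),
    Rule("proxy-on-fw", "192.0.2.1/32", "tcp", range(25, 26), "accept"),
    Rule("low-ports-dmz", "198.51.100.0/24", "tcp", range(1, 1025), "accept"),
    Rule("cleanup", "0.0.0.0/0", "tcp", range(0, 65536), "drop"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

The subnet-wide rule is flagged twice because it both covers the firewall's DMZ interface and opens more than port 25 on the mail host.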