
Re: [FW1] sendmail on DMZ



Naresh Narang <[email protected]> wrote:

> Mike,
>
> Though I agree that moving sendmail to DMZ is a good idea, but
> nothing prevents a hacker to reach your mailserver in DMZ.

Harden that machine and use a secure MTA (qmail, postfix) or an smtp 
proxy in the DMZ. The machine should only offer one single service that 
is smtp.  

>  May be if you would want to run some SMTP proxy on firewall.

Hm, you can do that, but I don't recommend it. I find it far more 
secure to have a separate machine in the DMZ that can be reached on 
port 25 than have that port open on the firewall itself. If the daemon 
in use (whatever it is) turns out to be vulnerable the other day only 
the machine in the DMZ can be attacked but not the firewall. 

Again: 

Basic Rule No1 in all firewalling:

Best is to have just no open ports on your firewall/packet filter.

Wolfgang
-- 
Wolfgang Kueter Netzwerkadministration & Security
SHLINK Internet Service http://www.shlink.de [email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Telefon: +49 4121 269 006 Fax: +49 4121 269 007
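
An added example, not part of the original post: one way to audit the "only one single service, that is smtp" rule on the DMZ mail host is to check its listening sockets against an allowlist of TCP port 25. The sample `ss -H -tuln` output and the function names are constructed for illustration.

```python
import ipaddress

ALLOWED = {("tcp", 25)}  # the single service the post allows: SMTP

# Constructed sample of `ss -H -tuln` output from a hypothetical DMZ mail host.
SAMPLE_SS = """\
tcp   LISTEN 0 100  0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 100  [::]:25           [::]:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
udp   UNCONN 0 0    *:111             *:*
tcp   LISTEN 0 128  [::1]:631         [::]:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' from ss, handling [v6]:port, '*' and '%iface' scopes."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%")[0]
    return addr, int(port)

def is_loopback(addr):
    if addr == "*":
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(addr).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED):
    """Return sorted (proto, port, addr) for network-reachable sockets not allowed."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        addr, port = split_endpoint(local)
        # Loopback-only sockets are not reachable from the network; skip them.
        if is_loopback(addr) or (proto, port) in allowed:
            continue
        findings.add((proto, port, addr))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto}/{port} on {addr}")
```

On the sample, the SSH and portmapper sockets are reported, while the SMTP listeners and the loopback-only sockets are not.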





 
   All contents © 2004 Network Presence, LLC. All rights reserved.