
Re: Secure Delivery between MTA and MDA



This one time, at band camp, Simon Buchanan said:
> We are setting up mail services to service a small ISP (-2000 mail 
> boxes) using postfix and DBmail, which we have configured and working 
> well. The MTA (postfix with spam/virus) sits on a pairing exchange 
> (along with a web server)... we are connected to the Internet from the 
> pairing exchange via a 100Mbit connection. From the exchange to our NOC 
> is a 5Mbit pipe. The MDA (postfix/DBMail) sits in off our NOC.
> 
> What I want to do is set up some sort of secure transfer between the MTA 
> and MDA. In theory the only traffic that is coming into the MDA is 
> correctly filtered mail. Outgoing is a different story and not an issue 
> here.
> 
> The MDA is sitting in its own DMZ behind a Borderware firewall.
> 
> Suggestions for/against/other are welcome (please!)....

Firewall the MDA machine to only accept port 25 connections from the MTA
machine (I assume that's the desired goal here).  If by 'secure' you
also mean encrypted, use TLS for transport between the two machines.  I
tend to think TLS is a waste of overhead for most email, as it passes in
the clear on most hops, but if you expect to be passing sensitive
information like system logs or passwords, then I would use it.  It is
by no means "completely secure" but it adds overhead to people trying to
hack your network.  If they really want in, they'll generally find a
way, but if they're just looking for an easy-to-push-over machine, this
layer of defense can be helpful.
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
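The two controls in the reply above, as an added example that is not part of either poster's message: Postfix main.cf fragments for both hosts that restrict the MDA's port 25 to the MTA and require TLS with a verified client certificate between them. It assumes Postfix 2.3 or later; the MTA address 192.0.2.10, the hostnames mta/mda.example.internal, the domain example.net, the certificate paths and the fingerprint are placeholders.

```ini
# ---- MDA host (postfix/DBMail): /etc/postfix/main.cf fragment ----
# Only the MTA's address (placeholder 192.0.2.10) may talk to smtpd;
# everything else is rejected even if the network firewall lets it in.
mynetworks = 127.0.0.0/8, 192.0.2.10/32
smtpd_client_restrictions = permit_mynetworks, reject
# Refuse any session that does not negotiate TLS before MAIL FROM.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/mda-cert.pem
smtpd_tls_key_file = /etc/postfix/mda-key.pem
smtpd_tls_CAfile = /etc/postfix/internal-ca.pem
# Ask the MTA for a client certificate and require one, then check its
# fingerprint, so a spoofed MTA address alone is not enough.
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions = permit_tls_clientcerts, reject
# Log the handshake and record the TLS details in the Received: header.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# /etc/postfix/relay_clientcerts (run "postmap" on it after editing):
#   <MTA-CERT-FINGERPRINT-PLACEHOLDER>   mta.example.internal

# ---- MTA host (postfix + spam/virus filtering): /etc/postfix/main.cf ----
# Route mail for the hosted domain to the MDA over port 25 ...
transport_maps = hash:/etc/postfix/transport
# ... and never fall back to plaintext for that destination: the policy
# table forces CA-verified TLS with a hostname match for the MDA only.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Client certificate presented to the MDA (matches the fingerprint above).
smtp_tls_cert_file = /etc/postfix/mta-cert.pem
smtp_tls_key_file = /etc/postfix/mta-key.pem
smtp_tls_CAfile = /etc/postfix/internal-ca.pem
smtp_tls_loglevel = 1

# /etc/postfix/transport:
#   example.net   smtp:[mda.example.internal]
# /etc/postfix/tls_policy (key is the verbatim next-hop from transport):
#   [mda.example.internal]   secure match=mda.example.internal
```

A host firewall on the MDA that accepts TCP/25 only from the MTA's address (for example `iptables -A INPUT -p tcp --dport 25 ! -s 192.0.2.10 -j DROP`) backs up the Postfix restriction in case the Borderware rules change. With `smtpd_tls_security_level = encrypt` the MDA answers a plaintext MAIL FROM with a "Must issue a STARTTLS command first" error, which is the line to grep for in the log when checking that the MTA's policy table actually took effect.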
