
Re: Debian mail server.



On Monday, 2002-04-01 at 13:47:21 +0200, Lars Roland Kristiansen wrote:
> I am going to configure a Debian mail server for my company (only 20
> employees). I have 2 40 gig disks which are going to run RAID 1. I am going
> to configure it with wu-imap/pop3 and postfix. Is there any special
> security thing I should consider (the server is placed in DMZ because 2-3
> people are going to get mail from it outside our internal network). What
> about the size of the partitions I was thinking.

I prefer cyrus IMAP, but that's a personal preference, i.e.
no hard facts, just because WU FTPD is so bug-ridden.

I'd recommend installing AMaViS along with some virus scanner. I'm using
Kaspersky because it had a good recognition rate in a test and because
those Russians care more about Linux than most other AV vendors.
Also, AMaViS and the Kaspersky scanner can both run as daemons, saving
repeated startups of heavy-weight programs. (Use amavisd, not
amavis-perl, or even amavis-the-old-version ;-)

Maybe also a filter that keeps obnoxious attachments away like
scanmail.

> 100 megs for /boot
> 5000 megs for /
> rest for /var

I'd separate out the postfix hierarchy and the IMAP hierarchy
on separate volumes and watch them (and the others) with mon for
space usage. And then because it's hard to guess how much space
those will need, I'd use lvm. And a log-based filesystem, like
ext3 to get faster boots with large filesystems.

(ext3 had good marks in a recent test in c't. Most (all?) others
put bad data in files after a crash.)

> I will also put up iptables, webmin and sshd but no X.   

I don't have to tell you that webmin is real dangerous in a DMZ.
For remote access, I'd restrict to POP3 and IMAP over SSL. You
could also tunnel POP3 and IMAP over SSL and relay them to an
internal machine. Not much better, though. Maybe worse...

Putting the IMAP server in a chroot jail would also give you
an increase in security.

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |

