
Re: firewalling, imap, DMZ's etc.

On Wed, Oct 18, 2006 at 01:48:49AM -0700, Adam D wrote:
> Andrew Sackville-West wrote:
> > On Tue, Oct 17, 2006 at 07:20:31PM -0700, Adam D wrote:
> >> Andrew Sackville-West wrote:
> >>> Hi list, I need some advice. My work situation has changed such that I
> >>> now have to get out of my chair and climb out of my basement at
> >>> frequent but irregular intervals. I live by email and need to connect
> >>> to my email and possibly my desktop from multiple locations.
> >>>
> >>> 3. redo my smoothwall box into a debian machine as a
> >>>    firewall/router/dhcp server/etc and put IMAP on that box. I could
> >>>    lock down that box pretty well and get rid of all kinds of stuff
> >>>    that I wouldn't need (like SSH as I'd never be sitting at that box
> >>>    and need to SSH to another, for example, though I'd still need sshd
> >>>    to get into the thing on occasion.)
> >>
> >> What comes to mind right off the bat would be VPN into your network while you are away to access your files/mail.
> > 
> > VPN is totally foreign to me, I'll have to do some research. thanks
> > for the suggestion.
> No problem. ;)  What I can see that would be a great solution ...  You can then keep your box as a firewall, router, VPN, DHCP, DNSmasq and keep it simple and secure.

definitely worth a look though it is a crufty old machine...

> > What about this? 
> > 
> > run an IMAP server on the firewall box, but leave the actual mail on
> > my server inside the LAN? I suppose I could mount them maildirs as an
> > nfs share. What I wonder are the security issues with that as well.
> > That would mean I could lighten the load on my poor tired
> > old firewall box. I suspect its neither here nor there, though my mail
> > directories are getting pretty large. I'm running about .5 gig right
> > now, but I've recently archived a bunch of stuff making it smaller
> > than usual. 
> I would really stay away from having anyone logging onto your firewall, including yourself.  That provides unnecessary ways in which the system can be compromised.  The more ports you open up, esp. for logging into, would be ports that can be compromised.  A good rule of thumb to follow...  From my best experience the firewall should be a standalone box or a commercial product that you pass through depending on your credentials or are blocked at the front door.  
> If you do go the route of putting the IMAP on the firewall (not suggested), Cyrus may be a good choice because it has a backend for the server and a front end for users using the mudclient on the frontend box. (The one you will log into while away from your network.)
> Is your mail going to be kept on a standalone box on the LAN; is it shared with other services on a server or is it kept on a box used by everyone i.e. surfing web, etc.?  

currently mail is stored on a server that also carries all our music,
photos, video etc. Also does clamav, and spam filtering and mail
routing for me but not, at this time, the rest of the
house. Obviously, I'd like to keep the internet accessible portions of
the network isolated as much as possible from the rest of the LAN, but
don't necessarily have the resources to throw at a whole new box. 

Maybe, if I've got enough horsepower, I could set up a chroot on the
server and run just mail in that chroot with port forwarding to the
chroot. I think it's possible, isn't it, to run the chroot with a
different IP over one interface. That way if the mail service
is compromised I won't necessarily lose the whole server. Since the
server only carries mail and only handles incoming access, I can set up
default DENY rules on all the other LAN boxes pegged to that IP so
that you can't get from it to anywhere else. 

So many possibilities.


Attachment: signature.asc
Description: Digital signature
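As an added example that is not part of the thread, the script below emits iptables-restore rule sets for the layout Andrew sketches above: the IMAP daemon runs in a chroot on the file server bound to a dedicated secondary address, the firewall forwards only the IMAPS port to that address, and every other LAN host refuses traffic sourced from it. Interface names (ppp0, eth0), the addresses, and the function names are all assumed for the example. One caveat the rules make explicit: a chroot shares the host's kernel and addresses, so every service on the file server also answers on the mail address unless the server filters that address itself.

```shell
#!/bin/sh
# Added example, not code from the thread: emit iptables-restore rule sets for a
# chrooted IMAP service that lives on its own secondary address on the file server.
# All interface names and addresses below are assumed/constructed for the example.

WAN_IF="ppp0"              # assumed Internet-facing interface on the firewall
LAN_IF="eth0"              # assumed LAN interface on the file server
SERVER_IP="192.168.1.10"   # assumed primary address of the file server
MAIL_IP="192.168.1.11"     # assumed secondary address used only by the chrooted IMAP service
MAIL_PORT="993"            # IMAP over TLS

# Command that gives the server its dedicated mail address on the LAN interface.
server_addr_cmd() {
    printf 'ip addr add %s/24 dev %s label %s:mail\n' "$MAIL_IP" "$LAN_IF" "$LAN_IF"
}

# File server: a chroot shares the kernel, so every listening service on the host
# also answers on MAIL_IP unless filtered. Accept only IMAPS on that address, drop
# everything else sent to it, and drop anything the chroot sends from MAIL_IP to the
# server's primary address (this only catches traffic sourced from MAIL_IP; it is a
# network rule, not process-level isolation).
server_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -d $MAIL_IP -p tcp --dport $MAIL_PORT -j ACCEPT
-A INPUT -d $MAIL_IP -j DROP
-A INPUT -s $MAIL_IP -d $SERVER_IP -j DROP
COMMIT
EOF
}

# Firewall: DNAT the IMAPS port from the WAN to MAIL_IP, allow only that flow and its
# established replies through FORWARD, and drop anything else MAIL_IP originates.
# The usual LAN-to-Internet rules are omitted; only the mail-related rules are shown.
firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport $MAIL_PORT -j DNAT --to-destination $MAIL_IP:$MAIL_PORT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $WAN_IF -d $MAIL_IP -p tcp --dport $MAIL_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s $MAIL_IP -o $WAN_IF -p tcp --sport $MAIL_PORT -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s $MAIL_IP -j DROP
COMMIT
EOF
}

# Every other LAN host: default DENY for anything that comes from the mail address.
lan_host_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s $MAIL_IP -j DROP
COMMIT
EOF
}

# Write the three rule sets into DIR; each file is loaded on its machine with
# "iptables-restore < file".
write_rulesets() {
    dir="$1"
    server_rules   > "$dir/server.rules"
    firewall_rules > "$dir/firewall.rules"
    lan_host_rules > "$dir/lan-host.rules"
}

# Sanity check: neither the server nor the LAN hosts may ACCEPT anything sourced
# from MAIL_IP. Returns 0 when the check passes, 1 otherwise.
check_no_accept_from_mail_ip() {
    if { server_rules; lan_host_rules; } | grep -- "-s $MAIL_IP" | grep -q ACCEPT; then
        return 1
    fi
    return 0
}
```

Running `write_rulesets /tmp/rules` produces one file per role; `check_no_accept_from_mail_ip` is the kind of review step worth keeping in a deploy script, since the whole point of the dedicated address is that nothing on the LAN trusts it.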