Security Basics mailing list archives
Re: DMZ to LAN SMTP connections
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 14 Mar 2008 18:16:17 +0100
On 2008-03-14 ???????????? wrote:
I have an Exchange 2003 server. It resides on a dedicated server VLAN and serves local users' Outlooks and OWA logins using integrated authentication. Of course, all this is the AD domain. I have settled two Postfix MTAs on the DMZ and allowed the Internet to connect to them on 25/tcp and vice versa. Also I have allowed the MTAs to query DNS servers anywhere on the Internet. Exchange may connect to the MTAs and uses them as smart hosts for outgoing mail. The MTAs may only connect to Exchange to send it emails addressed to my mail domain. I administer those MTAs from the LAN using SSH.

So, the firewall policy looks like below. Consider that DMZ-based hosts are provided with public IPs and all other traffic is denied by default.

Internet:any/tcp ---> DMZ-based MTA:25/tcp
Internet:25/tcp <--- DMZ-based MTA:any/tcp
Internet:53/udp <--- DMZ-based MTA:any/udp
DMZ-based MTA:22/tcp <--- LAN-based admin host:any/tcp
DMZ-based MTA:25/tcp <--- LAN-based Exchange:any/tcp
DMZ-based MTA:any/tcp ---> LAN-based Exchange:25/tcp

And I wonder whether that rule allowing the MTAs to connect to Exchange via ESMTP is correct. I mean, I have heard a lot about denying connections from networks with a lower security level into secured networks, the LAN in this case. Is restricting this to SMTP traffic only enough, or should I choose some other design: NAT Exchange:25/tcp outside to the DMZ, use fetchmail, or something like that?
Correctness of this rule is not the issue, but whether or not it poses a security risk. The general rule is to not allow any connection attempts from the DMZ into your LAN. The reason behind that is that even if an attacker manages to compromise a host on the DMZ, he still won't be able to access (and thus possibly exploit) anything on the LAN. I'd suggest to stick with this rule unless you have very good reasons not to.

A better approach (IMHO) would be to have Exchange poll the incoming mail from the Postfix servers, e.g. by using fetchmail from Cygwin. Also I'd recommend to have the Exchange server push a list with the valid e-mail addresses to the Postfix servers, so they'll accept mail only for those valid addresses. Basically you'd configure your domains as relay domains, specify the valid e-mail addresses in $relay_recipient_maps, set the transport to deliver all mail to a virtual mailbox, periodically fetch the incoming mail from that mailbox and feed it to Exchange.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
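The following is an added illustration of the pull-based design Ansgar describes; it is not code from the thread or from Postfix or fetchmail. It assumes a constructed address export from Exchange (one address per line), the placeholder relay domain example.com, placeholder host names mta1.example.com and exchange.lan, and that `postmap` is run on the generated file afterwards. The generator only emits well-formed addresses in the relay domain, so a stray or malformed line in the export can never widen what the DMZ MTA accepts, and the config fragment shows the `relay_domains` / `relay_recipient_maps` settings the reply names together with a fetchmail poll that pulls the mailbox into Exchange without any DMZ-initiated connection.

```shell
#!/bin/sh
# Added example (not from the thread): build the Postfix relay_recipient_maps
# source file from an address list exported by Exchange, and print the matching
# Postfix and fetchmail fragments. All host names and domains are placeholders.

RELAY_DOMAIN="example.com"        # assumption: the mail domain hosted on Exchange

# gen_relay_recipients <export-file>
# Prints "address OK" for every syntactically valid address in RELAY_DOMAIN,
# lower-cased and de-duplicated. Anything else is silently dropped, so a bad
# line in the export cannot make the DMZ MTA accept mail for unknown recipients.
gen_relay_recipients() {
    dom=$(printf '%s' "$RELAY_DOMAIN" | sed 's/\./\\./g')   # escape dots for ERE
    tr 'A-Z' 'a-z' < "$1" \
        | grep -E "^[a-z0-9._%+-]+@${dom}\$" \
        | LC_ALL=C sort -u \
        | sed 's/$/ OK/'
}

# postfix_fragment: main.cf settings for the relay-domain design in the reply.
# The transport that stores accepted mail in the local mailbox is site-specific
# and is left to the reader, as the reply only describes it in outline.
postfix_fragment() {
    cat <<EOF
# Accept mail for the hosted domain only, and only for listed recipients.
relay_domains = ${RELAY_DOMAIN}
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Refuse relaying for anything that is not one of our relay domains.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# fetchmail_fragment: .fetchmailrc run on the Exchange side (e.g. from Cygwin),
# so the LAN host initiates the connection and the DMZ never connects inward.
# Host names, account and protocol are assumptions for the example.
fetchmail_fragment() {
    cat <<'EOF'
# Poll the DMZ MTA mailbox and hand each message to the local Exchange SMTP.
poll mta1.example.com protocol pop3
    user "incoming" password "CHANGE-ME"
    smtphost exchange.lan
    fetchall
EOF
}

# Stand-alone usage: ./relay_recipients.sh addresses.txt > /etc/postfix/relay_recipients
if [ $# -gt 0 ]; then
    gen_relay_recipients "$1"
fi
```

After writing the generated file, `postmap /etc/postfix/relay_recipients` (a standard Postfix command) builds the hash table Postfix reads; the fragments are printed so they can be reviewed before being merged into the real configuration.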
Current thread:
- DMZ to LAN SMTP connections ыфзкфт (Mar 14)
- Re: DMZ to LAN SMTP connections Ansgar -59cobalt- Wiechers (Mar 14)
- Re: DMZ to LAN SMTP connections Kurt Buff (Mar 14)