public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Portknock before Postfix delivery?
From: Pandu Poluan @ 2011-07-04  1:31 UTC
  To: Gentoo-user

I'm just wondering...

I'm implementing an email gateway using postfix. The gateway lives as
a VM in my ISP, and it will deliver 'accepted' emails to the company's
email server which lives in the DMZ. The email server's port is
shifted to a non-25 external port number.

So far so good. However, a portscanner might still be able to detect
which port is open and attempt deliveries there.

So, the question: Is it possible to configure the system in some way
so that Postfix will first perform a portknocking before attempting
delivery to the internal mail server?

If that is not possible, what solution would you recommend to 'harden'
the non-25 mail port?

Rgds,


-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/




* Re: [gentoo-user] Portknock before Postfix delivery?
From: Walter Dnes @ 2011-07-04  2:55 UTC
  To: gentoo-user

On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

  Portknocking sounds like doing things the hard way.  The gateway has
to have either a fixed IP address or at least a domain name.  Set up
iptables on your internal server to accept connections on the shifted
smtp port only if the connection is coming from the right IP address or
domain name.

-- 
Walter Dnes <waltdnes@waltdnes.org>



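The iptables allowlist Walter describes, as an added example that is not part of the thread: only the gateway may open connections to the shifted SMTP port on the internal server, everything else aimed at that port is logged and dropped. The gateway address 203.0.113.10 (a TEST-NET-3 documentation address) and the shifted port 2525 are assumed values.

```sh
#!/bin/sh
# Added example, not from the thread. Builds the iptables rules for the
# shifted SMTP port so that only the gateway's fixed address may connect.
# Assumed values: gateway 203.0.113.10, shifted port 2525.

# Emit the rules for one gateway address (or CIDR) and one port. Prints
# the rules instead of loading them so they can be reviewed first.
smtp_allowlist_rules() {
    gw="$1"; port="$2"
    # Reject malformed input before anything is handed to iptables.
    case "$gw" in
        *[!0-9./]*|"") echo "bad gateway address: $gw" >&2; return 1 ;;
    esac
    case "$port" in
        *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    # 1. Only the gateway may open new connections to the shifted port.
    echo "iptables -A INPUT -p tcp -s $gw --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    # 2. Log other connection attempts (rate-limited) so port scans show up in syslog.
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"SMTP-SHIFTED-DENY \""
    # 3. Drop everything else aimed at the port.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Load the rules when APPLY=1 (needs root), otherwise just print them.
# Caveat: iptables resolves a hostname only once, when the rule is loaded,
# so use the gateway's fixed IP rather than a DNS name or the rule goes stale.
apply_smtp_allowlist() {
    rules=$(smtp_allowlist_rules "$1" "$2") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$rules" | while IFS= read -r rule; do eval "$rule"; done
    else
        echo "$rules"
    fi
}

apply_smtp_allowlist 203.0.113.10 2525
```

Run as root with `APPLY=1` to load the rules, then confirm with `iptables -S INPUT` that the ACCEPT rule precedes the LOG and DROP rules.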

* Re: [gentoo-user] Portknock before Postfix delivery?
From: Neil Bothwick @ 2011-07-04  7:22 UTC
  To: gentoo-user

On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

Postgrey.


-- 
Neil Bothwick

Old hitchhikers never die-they just throw in the towel.




* Re: [gentoo-user] Portknock before Postfix delivery?
From: Pandu Poluan @ 2011-07-04 10:14 UTC
  To: gentoo-user

On Mon, Jul 4, 2011 at 09:55, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
> On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote
>
> > If that is not possible, what solution would you recommend to 'harden'
> > the non-25 mail port?
>
>  portknocking sounds like doing things the hard way.  The gateway has
> to have either a fixed IP address or at least a domain name.  Set up
> iptables on your internal server to accept connections on the shifted
> smtp port only if the connection is coming from the right IP address or
> domain name.
>

*slaps forehead*

Gosh, you're right. What was I thinking...

Clearly a case of Rube Goldberg-ian solution >.<

Thanks for knocking some sense into my thick skull :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@hotmail.com (do not send email here)
Skype:            pepoluan




* Re: [gentoo-user] Portknock before Postfix delivery?
From: Pandu Poluan @ 2011-07-04 10:15 UTC
  To: gentoo-user

On Mon, Jul 4, 2011 at 14:22, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:
>
>> If that is not possible, what solution would you recommend to 'harden'
>> the non-25 mail port?
>
> Postgrey.
>

Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
my office :-)

Rgds,
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@hotmail.com (do not send email here)
Skype:            pepoluan




* Re: [gentoo-user] Portknock before Postfix delivery?
From: Neil Bothwick @ 2011-07-04 12:49 UTC
  To: gentoo-user

On Mon, 4 Jul 2011 17:15:41 +0700, Pandu Poluan wrote:

> >> If that is not possible, what solution would you recommend to
> >> 'harden' the non-25 mail port?  
> >
> > Postgrey.
> >  
> 
> Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
> my office :-)

You run postgrey alongside postfix on the VM. Only the non-spam
mails that get through use up any of your office's bandwidth.


-- 
Neil Bothwick

Those who live by the sword get shot by those who don't.


* Re: [gentoo-user] Portknock before Postfix delivery?
From: Michael Orlitzky @ 2011-07-04 13:46 UTC
  To: gentoo-user

On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
> 
> I'm implementing an email gateway using postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
> 
> So far so good. However, a portscanner might still be able to detect
> which port is open and attempt deliveries there.
> 
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform a portknocking before attempting
> delivery to the internal mail server?
> 
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an "accepted" email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

  mynetworks = <whoever is allowed to send mail to you>
  smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.


