[gentoo-user] Portknock before Postfix delivery?

[gentoo-user] Portknock before Postfix delivery?

[Pandu Poluan]

I'm just wondering...

I'm implementing an email gateway using postfix. The gateway lives as
a VM in my ISP, and it will deliver 'accepted' emails to the company's
email server which lives in the DMZ. The email server's port is
shifted to a non-25 external port number.

So far so good. However, a portscanner might still be able to detect
which port is open and attempt deliveries there.

So, the question: Is it possible to configure the system in some way
so that Postfix will first perform a portknocking before attempting
delivery to the internal mail server?

If that is not possible, what solution would you recommend to 'harden'
the non-25 mail port?

Rgds,


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

Re: [gentoo-user] Portknock before Postfix delivery?

[Walter Dnes]

On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

  portknocking sounds like doing things the hard way.  The gateway has
to have either a fixed IP address or at least a domain name.  Set up
iptables on your internal server to accept connections on the shifted
smtp port only if the connection is coming from the right IP address or
domain name.

-- 
Walter Dnes <waltdnes@waltdnes.org>

Re: [gentoo-user] Portknock before Postfix delivery?

[Pandu Poluan]

On Mon, Jul 4, 2011 at 09:55, Walter Dnes <waltdnes@waltdnes.org> wrote:
>
> On Mon, Jul 04, 2011 at 08:31:10AM +0700, Pandu Poluan wrote
>
> > If that is not possible, what solution would you recommend to 'harden'
> > the non-25 mail port?
>
>  portknocking sounds like doing things the hard way.  The gateway has
> to have either a fixed IP address or at least a domain name.  Set up
> iptables on your internal server to accept connections on the shifted
> smtp port only if the connection is coming from the right IP address or
> domain name.
>

*slaps forehead*

Gosh, you're right. What was I thinking...

Clearly a case of Rube Goldberg-ian solution >.<

Thanks for knocking some sense into my thick skull :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@hotmail.com (do not send email here)
Skype:            pepoluan

Re: [gentoo-user] Portknock before Postfix delivery?

[Neil Bothwick]

On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:

> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

Postgrey.


-- 
Neil Bothwick

Old hitchhikers never die-they just throw in the towel.

Re: [gentoo-user] Portknock before Postfix delivery?

[Pandu Poluan]

On Mon, Jul 4, 2011 at 14:22, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Mon, 4 Jul 2011 08:31:10 +0700, Pandu Poluan wrote:
>
>> If that is not possible, what solution would you recommend to 'harden'
>> the non-25 mail port?
>
> Postgrey.
>

Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
my office :-)

Rgds,
-- 
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
Google Talk:    pepoluan
Y! messenger: pepoluan
MSN / Live:      pepoluan@hotmail.com (do not send email here)
Skype:            pepoluan

Re: [gentoo-user] Portknock before Postfix delivery?

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 500 bytes --]

On Mon, 4 Jul 2011 17:15:41 +0700, Pandu Poluan wrote:

> >> If that is not possible, what solution would you recommend to
> >> 'harden' the non-25 mail port?  
> >
> > Postgrey.
> >  
> 
> Mmmm... no thanks. I'm trying to save the puny bandwidth incoming to
> my office :-)

You run postgrey alongside postfix on the VM. Only the non-spam
mails that get through user up any of your office's bandwidth.


-- 
Neil Bothwick

Those who live by the sword get shot by those who don't.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] Portknock before Postfix delivery?

[Michael Orlitzky]

On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
> 
> I'm implementing an email gateway using postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
> 
> So far so good. However, a portscanner might still be able to detect
> which port is open and attempt deliveries there.
> 
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform a portknocking before attempting
> delivery to the internal mail server?
> 
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an "accepted" email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

  mynetworks = <whoever is allowed to send mail to you>
  smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.