sendmail through a dmz?

on 18.08.2006 00:59:45 by Mike

I am soon going to propose some network changes at work. I know
how to forward through the firewall SMTP traffic to a DMZ host
that will run things like spamassassin, clamav, etc., on incoming
messages and act properly. I want to open as few pinholes to the
inside servers as possible. One way to open fewer pinholes is to
have the primary mail server storage on the inside query the DMZ
email server for anything that is queued up. The internal, primary
email server can then distribute, process aliases, etc. What I'm
not sure about is how to configure the DMZ server to use the milters
for processing/filtering the emails, then to queue the emails for
the inside, primary server to come collect them. I don't want the
DMZ server to forward the messages; for this I must open a pinhole.
I want the inside server to initiate the session to the DMZ, pull
any messages, then break the session.

Is there an easy way to set this up? Are there instructions somewhere?

Mike

Re: sendmail through a dmz?

on 18.08.2006 06:28:33 by Kari Hurtta

Mike writes:

<...>
> Is there an easy way to set this up? Are there instructions somewhere?
>
> Mike

There is no easy way.

So you cannot use basic SMTP if the server cannot open a connection.

Someone will suggest POP or IMAP, but note that these do not preserve
envelope information. So they are a bad idea.

Perhaps UUCP is possible. I do not know.

/ Kari Hurtta

Re: sendmail through a dmz?

on 18.08.2006 12:46:33 by david20

In article , Mike writes:
>I am soon going to propose some network changes at work. I know
>how to forward through the firewall SMTP traffic to a DMZ host
>that will run things like spamassassin, clamav, etc., on incoming
>messages and act properly. I want to open as few pinholes to the
>inside servers as possible. One way to open fewer pinholes is to
>have the primary mail server storage on the inside query the DMZ
>email server for anything that is queued up. The internal, primary
>email server can then distribute, process aliases, etc. What I'm
>not sure about is how to configure the DMZ server to use the milters
>for processing/filtering the emails, then to queue the emails for
>the inside, primary server to come collect them. I don't want the
>DMZ server to forward the messages, for this I must open a pinhole.
>I want the inside server to initiate the session to the DMZ, pull
>any messages, then break the session.
>
>Is there an easy way to set this up? Are there instructions somewhere?
>

Getting the internal SMTP server to initiate a connection to the external SMTP
server and download mail waiting for it is certainly possible.
You need to look up documentation on the ETRN SMTP command.


David Webb
Security team leader
CCSS
Middlesex University


>Mike

Re: sendmail through a dmz?

on 18.08.2006 12:57:40 by Andrzej Adam Filip

david20@alpha2.mdx.ac.uk writes:

> In article , Mike writes:
>>I am soon going to propose some network changes at work. I know
>>how to forward through the firewall SMTP traffic to a DMZ host
>>that will run things like spamassassin, clamav, etc., on incoming
>>messages and act properly. I want to open as few pinholes to the
>>inside servers as possible. One way to open fewer pinholes is to
>>have the primary mail server storage on the inside query the DMZ
>>email server for anything that is queued up. The internal, primary
>>email server can then distribute, process aliases, etc. What I'm
>>not sure about is how to configure the DMZ server to use the milters
>>for processing/filtering the emails, then to queue the emails for
>>the inside, primary server to come collect them. I don't want the
>>DMZ server to forward the messages, for this I must open a pinhole.
>>I want the inside server to initiate the session to the DMZ, pull
>>any messages, then break the session.
>>
>>Is there an easy way to set this up? Are there instructions somewhere?
>>
>
> Getting the internal SMTP server to initiate a connection to the
> external SMTP server and download mail waiting for it is certainly
> possible. You need to lookup documentation on the ETRN SMTP command

0) "internal server" establishes SMTP connection to "external server"
and sends ETRN
1) "external server" establishes *NEW* SMTP connection to "internal
server" and sends queued messages

I do not think it is what Mike has asked for.

--
[pl2en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl

Re: sendmail through a dmz?

on 18.08.2006 14:53:53 by david20

In article <87k656cnvf.fsf@anfi.homeunix.net>, Andrzej Adam Filip writes:
>david20@alpha2.mdx.ac.uk writes:
>
>> In article , Mike writes:
>>>I am soon going to propose some network changes at work. I know
>>>how to forward through the firewall SMTP traffic to a DMZ host
>>>that will run things like spamassassin, clamav, etc., on incoming
>>>messages and act properly. I want to open as few pinholes to the
>>>inside servers as possible. One way to open fewer pinholes is to
>>>have the primary mail server storage on the inside query the DMZ
>>>email server for anything that is queued up. The internal, primary
>>>email server can then distribute, process aliases, etc. What I'm
>>>not sure about is how to configure the DMZ server to use the milters
>>>for processing/filtering the emails, then to queue the emails for
>>>the inside, primary server to come collect them. I don't want the
>>>DMZ server to forward the messages, for this I must open a pinhole.
>>>I want the inside server to initiate the session to the DMZ, pull
>>>any messages, then break the session.
>>>
>>>Is there an easy way to set this up? Are there instructions somewhere?
>>>
>>
>> Getting the internal SMTP server to initiate a connection to the
>> external SMTP server and download mail waiting for it is certainly
>> possible. You need to lookup documentation on the ETRN SMTP command
>
>0) "internal server" establishes SMTP connection to "external server"
> and sends ETRN
>1) "external server" establishes *NEW* SMTP connection to "internal
> server" and sends queued messages
>
>I do not think it is what Mike have asked for.
>
Sorry. Yes, you're correct - I'd forgotten that ETRN used a new connection.


David Webb
Security team leader
CCSS
Middlesex University

>--
>[pl2en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl

Re: sendmail through a dmz?

on 20.08.2006 13:19:57 by feenberg

Kari Hurtta wrote:
> Mike writes:
>
> <...>
> > Is there an easy way to set this up? Are there instructions somewhere?
> >
> > Mike
>
> There is no easy way.
>
> So you can not use basic SMTP if server can not open connection.
>
> Someone will suggest pop or imap, but note that these do not preserve
> envelope information. So they are bad idea.
>

If the DMZ machine handles "no such user" and DNSBLs, is there really
anything important lost with fetchmail or similar? I agree it is a very
bad idea to blindly accept all mail on a DMZ machine.

Anyway, aren't the connect address and the "helo" name available in the
final Received header? What else would you want?

Daniel Feenberg


>
> Perhaps UUCP is possible. I do not know.
>
> / Kari Hurtta

Re: sendmail through a dmz?

on 20.08.2006 18:43:56 by gtaylor

On 08/17/06 17:59, Mike wrote:

> Is there an easy way to set this up? Are there instructions somewhere?

I'm not sure if this would work or not, but you can read it over and try it
if you would like.

Configure your DMZ server as a mail relay. Set up all your known recipient
email addresses as "OK" in the Access DB on the relay and reject any addresses
that are not OK. This will help prevent backscatter. Use the Mailertable to
inform the DMZ server that it is to attempt to relay the messages for your
domain to your internal server regardless of what DNS has for MX records.
Then configure your firewall to allow stateful filtering between your
internal mail server and your DMZ mail server. If you get your firewall
configured correctly you should be able to have your internal mail server
connect to the DMZ mail server and issue an ETRN command. This in theory
will cause your firewall to see the traffic from the DMZ mail server to
your internal mail server as related and thus allow it through, whereas
normally it would not allow it.

One potential caveat that I see has to do with the path of your outbound
messages and what server they live on. More specifically, how will the
mail queue be handled? I usually set up HostStatusDirectory to help
"enlighten" the mail queue runners to not try to reconnect to a host that
is down more than once during the mail queue run. If you do use this, you
may end up with a situation where the messages will not be delivered even
when you ETRN them because the HostStatus for your internal mail
server will indicate that the server is down. However, you may be able to
do such nasty things as make a known good "host is up and happy" host
status file and lock it in to place such that Sendmail will somehow (???)
fail updating the HostStatus file for your internal server but see that it
is good when it goes to read it. I don't know about this part. However I
think this could be worked around.

Grant. . . .

Re: sendmail through a dmz?

on 20.08.2006 19:11:19 by gtaylor

On 08/18/06 05:57, Andrzej Adam Filip wrote:
> I do not think it is what Mike have asked for.

It was my (possibly mistaken) understanding that the OP wanted a method
that would get messages from the external mail server in to the internal
mail server without having any ports, (I'll add) or as few ports as
possible, open. If you take some leeway with this there are some
possibilities.

As I indicated in my other post, it should be possible to get the firewall
set up such that the external server can not normally send traffic in to
the internal server. Rather, that is to say that the external server can
only send traffic in to the internal server while there is an established
connection from the internal server to the external server so that the
traffic is seen as related and can thus pass back in to the internal
server. This would be much like the data versus command ports in FTP.



Grant. . . .
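Added example (not code from any poster in this thread): a small Python simulation of the ETRN flow Andrzej describes and that Grant's firewall approach relies on. The host names, the ephemeral localhost ports and the queued message are constructed; what the run shows is that delivery happens over a second TCP session that the DMZ host opens toward the inside server, not over the session the inside server opened to send ETRN.

```python
import socket, threading

QUEUED = b"Subject: test\r\n\r\nheld on the DMZ until ETRN\r\n"  # constructed queued message

def serve(listener, banner, on_etrn=None):
    """Minimal SMTP responder: 250 to everything, DATA/QUIT handled, ETRN -> on_etrn(domain)."""
    conn, _ = listener.accept()
    conn.sendall(banner)
    in_data = False
    for raw in conn.makefile("rb"):
        line = raw.decode().rstrip("\r\n")
        if in_data:                                   # swallow the message body up to the lone "."
            if line == ".":
                conn.sendall(b"250 message accepted\r\n"); in_data = False
            continue
        cmd, _, arg = line.partition(" "); cmd = cmd.upper()
        if cmd == "DATA":
            conn.sendall(b"354 end with .\r\n"); in_data = True
        elif cmd == "ETRN" and on_etrn:
            conn.sendall(b"250 OK, queue run for %s started\r\n" % arg.encode()); on_etrn(arg)
        elif cmd == "QUIT":
            conn.sendall(b"221 bye\r\n"); break
        else:
            conn.sendall(b"250 ok\r\n")
    conn.close()

def _listen():                                        # ephemeral localhost listener (constructed addresses)
    s = socket.socket(); s.bind(("127.0.0.1", 0)); s.listen(1); return s

def smtp_session(addr, commands):
    """Client side: ONE TCP connection to addr, play the commands, read one reply line each."""
    with socket.create_connection(addr) as s:
        f = s.makefile("rb"); f.readline()            # banner
        for cmd in commands:
            s.sendall(cmd + b"\r\n"); f.readline()

def run_demo():
    """Returns the event order; the second entry is a fresh DMZ-initiated session."""
    log, internal, dmz = [], _listen(), _listen()
    def on_etrn(domain):                              # what the DMZ relay does after answering ETRN
        log.append(f"internal->dmz: ETRN {domain}")
        smtp_session(internal.getsockname(), (b"EHLO dmz.example", b"MAIL FROM:<sender@outside.example>",
                                              b"RCPT TO:<mike@example.com>", b"DATA", QUEUED + b".", b"QUIT"))
        log.append("dmz->internal: NEW connection, queued message delivered")
    threads = [threading.Thread(target=serve, args=(internal, b"220 internal.example ESMTP\r\n")),
               threading.Thread(target=serve, args=(dmz, b"220 dmz.example ESMTP\r\n", on_etrn))]
    for t in threads: t.start()
    smtp_session(dmz.getsockname(), (b"EHLO internal.example", b"ETRN example.com", b"QUIT"))
    for t in threads: t.join(5)
    return log
```

Because that second session is initiated from the DMZ, a stateful rule that only admits traffic related to the inside-initiated ETRN connection will not match it: connection tracking has no SMTP helper the way it has one for FTP's data channel, so the DMZ-to-inside port still has to be opened explicitly.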

Re: sendmail through a dmz?

on 20.08.2006 19:14:27 by gtaylor

On 08/20/06 11:43, Taylor, Grant wrote:
> Configure your DMZ server as a mail relay. Set up all your known recipient
> email addresses as "OK" in the Access DB on the relay and reject any not ok
> addresses. This will help prevent back scatter. Use the Mailertable to
> inform the DMZ server that it is to attempt to relay the messages for your
> domain to your internal server regardless of what DNS has for MX records.
> Then configure your firewall to allow stateful filtering between your
> internal mail server and your DMZ mail server. If you get your firewall
> configured correctly you should be able to have your internal mail server
> connect to the DMZ mail server and issue an ETRN command. This in theory
> will cause your firewall to see the traffic from the DMZ mail server to
> your internal mail server as related and thus allow it through, whereas
> normally it would not allow it.

Another possibility would be to use a Mailertable entry to define a
different mailer. This different mailer would still be an ESMTP mailer,
just one configured to work on a different port. This would allow the OP
to set up a rule in the firewall that would allow traffic to a specific known
port (other than 25) of the OP's choosing.



Grant. . . .