From: Alex Satrapa (alex.satrapa apf.edu.au)
Date: Thu Nov 08 2007 - 18:44:19 CST
On 09/11/2007, at 11:24 , Dave McGuire wrote:
> Is there any way for me to configure the back-end servers to only
> accept messages from the front-end filtering server?
At the IP level, set up the firewall to only allow connections to
specified services from legitimate clients. Especially on an
Internet-facing host, you should (IMHO) make it your policy to
"reject everything that is not specifically allowed". If you're
using Linux, consider using the FireHOL package which is my favourite
for allowing the administrator to produce semantically meaningful
firewall configuration. But I feel that's detouring off-topic.
> I thought of simply configuring smtpd_client_restrictions to just
> reject mail from anything but the front-end machine, but that seems
> wrong to me for some reason.
Possibly because the "security is like an onion" meme is bouncing
around inside your head but hasn't found a voice :)
I would configure the internal-only mail server to only accept
connections from my_networks, rejecting everything else. Perhaps
it's my turn to get educated too...
Alex
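
Added example, not part of Alex's message: a back-end `main.cf` fragment for the approach discussed above, using Postfix's `mynetworks` parameter and the `permit_mynetworks` and `reject` restrictions. The address 192.0.2.10 is a constructed placeholder for the front-end filtering server.

```conf
# /etc/postfix/main.cf on the back-end (internal-only) server.
# 192.0.2.10 is a constructed placeholder for the front-end filter.

# Too broad for this role: trusts every host on the server's own subnets.
# (Ignored once mynetworks is set explicitly, as it is below.)
#mynetworks_style = subnet

# Trust only loopback and the front-end filtering server.
mynetworks = 127.0.0.0/8 [::1]/128 192.0.2.10/32

# Accept SMTP clients listed in mynetworks; refuse every other client.
smtpd_client_restrictions = permit_mynetworks, reject
```

`mynetworks` also decides which clients may relay wherever `permit_mynetworks` appears in other restriction lists, so keep it as narrow as shown. Run `postfix check` and `postfix reload` after editing, and keep the firewall rule as the outer layer.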