Re: 2 Postfix servers (DMZ + LAN)

From: Ansgar Wiechers (listsplanetcobalt.net)
Date: Sun Oct 04 2009 - 19:21:08 CDT

On 2009-10-04 Stan Hoeppner wrote:
> Sahil Tandon put forth on 10/4/2009 5:28 PM:
>> I appreciate the adherence to Firewalling 101 (something you have
>> preached before on security-basics), but common sense and practical
>> issues might impel one to make an exception and allow port 25 *only*
>> from Outside Postfix -> Inside Postfix.
> DMZs are overrated in most situations, and merely add unnecessary
> complexity to security goals easily accomplished by simpler methods.
> For instance, merely implementing inbound TCP 25 PAT on a
> NAT'ing/PAT'ing firewall/router would accomplish all security needs
> with the exception of possible attacks on the smtpd listening daemon.

A scenario like that most certainly does *not* accomplish "all security
needs". Not only is NAT (or PAT for that matter) not designed to be a
security measure, your setup still allows an outside attacker to
directly attack a host INSIDE YOUR LOCAL NETWORK. Meaning that in case
of a remotely exploitable vulnerability the attacker steps directly into
your LAN. Which is exactly what a DMZ is supposed to prevent.

Whether or not someone's security needs justify the additional
complexity introduced by a DMZ is a different matter, but a blanket
statement "inbound 25/tcp PAT accomplishes all security needs" is just
plain and utterly wrong.

> However, due to Wietse's modular daemon design and limited privileges
> of the daemon user, attacks on the listener daemon could only allow
> for DOS, not compromise.

Running a daemon with limited privileges makes it harder to compromise
the entire system. It doesn't make it harder to compromise the account
running the daemon. And it most certainly doesn't rule out the
possibility of a compromise.

Ansgar Wiechers
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
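
The difference argued in the reply above, as an added example that is not part of the original thread: a small model of what the internet-facing SMTP host can reach once it is compromised, under inbound 25/tcp PAT to a LAN host versus a DMZ relay. Host names, zone names and rules are constructed assumptions.

```python
# Constructed topology: host names, zones and rules are illustrative assumptions.
LAN, DMZ, WAN = "lan", "dmz", "wan"

def internet_facing(allow):
    """Hosts that accept connections from the WAN zone."""
    return sorted({dst for src, dst, _ in allow if src == WAN})

def first_hop_exposure(hosts, allow, entry):
    """Return {host: ports} reachable from `entry` once it is compromised.

    hosts: {name: zone}; allow: [(src_zone, dst_host, port)] forward rules.
    Hosts in the same zone share a segment, so the firewall never sees
    that traffic and every port on them is reachable ("*").
    """
    zone = hosts[entry]
    exposure = {}
    for name, host_zone in hosts.items():
        if name != entry and host_zone == zone:
            exposure[name] = {"*"}
    for src_zone, dst, port in allow:
        # Cross-zone traffic is limited to what the firewall forwards.
        if src_zone == zone and hosts[dst] != zone:
            exposure.setdefault(dst, set()).add(port)
    return exposure

# Design A: the firewall port-forwards 25/tcp to a Postfix host on the LAN.
pat_hosts = {"postfix": LAN, "fileserver": LAN, "workstation": LAN}
pat_allow = [(WAN, "postfix", 25)]

# Design B: relay in a DMZ; only DMZ -> inside Postfix on 25/tcp is forwarded.
dmz_hosts = {"relay": DMZ, "postfix": LAN, "fileserver": LAN, "workstation": LAN}
dmz_allow = [(WAN, "relay", 25), (DMZ, "postfix", 25)]

if __name__ == "__main__":
    designs = (("PAT", pat_hosts, pat_allow), ("DMZ", dmz_hosts, dmz_allow))
    for label, hosts, allow in designs:
        for entry in internet_facing(allow):
            print(label, entry, first_hop_exposure(hosts, allow, entry))
```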