Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
After spending considerable time trying to config sendmail, I said forget it. So I downloaded postfix. It was easier to get up and running as a local server, but what I want is to send smtp over the internet to my clients.
What I have is a proxy server running squid and a web server on different linux machines. The proxy being (192.168.1.1) and the web server (APACHE) on 192.168.1.4.
What I propose is to set up postfix as an Email gateway server on the proxy machine and have the actual Postfix smtp server on the web server box.
I've gone through the documentation at the Postfix site and I think I have a general idea as to what to do. Can anyone point me to a better source with maybe some example config of what I'm trying to do? I always like to consult more than one source when I find myself in murky water. There is always someone who can explain a problem better than the next guy.
From what I read so far it seems like postfix as a gateway server forwards smtp (outgoing mail) to recipients over the net but can forward incoming mail to my pop3 server as well. If I'm wrong about that then you can see at least one area where I am confused.
After spending some time researching this subject I discovered that the Gateway/Email configuration of postfix is supposed to run on a bastion host. The purpose of this configuration is to isolate the actual internal network smtp server from the internet.
As postfix is acting as an integral part of a firewall, I don't see how you can deem such a usage as not being security related.
I guess what I'm trying to say is that people who don't know what they are talking about shouldn't post.
So, to be clear, you're trying to set up an SMTP server for you and your friends, so that they can send outbound email through your SMTP server, correct?
No, this setup is for security reasons. One postfix is to run on a bastion host and is supposed to relay outbound mail to "CUSTOMERS" (as in business clients). The bastion instance should only accept smtp from the smtp server on my internal lan. It should not even accept smtp from any of my internal hosts except for the internal smtp server. This will prevent spammers from taking control of my smtp server.
A second postfix server will be running on the internal network. It has a two-fold purpose. Namely, to relay mail between internal clients on my network and secondly to relay mail that is internet bound to the postfix instance running on the bastion host. The postfix instance running on the bastion host will then relay mail that is internet bound to the appropriate destination over the internet.
Like this:
Internet <-- Postfix (bastion) <-- Postfix (internal) <--> Internal Network
This should not be difficult to understand, since such configs are typical in modern firewalls and DMZs. That's why I find it frustrating that people on the forum would think this is not security related. But I guess that's old hat. So back to your question.
The postfix instance on the bastion simply acts as an internet forwarder/proxy for the actual smtp server on my internal network. In this way the internal smtp server can be isolated from exploits over the internet which may give an attacker access to my internal network where databases and clients' personal information might be stored.
This way if the attacker successfully exploits the postfix server running on the bastion, then this will only give him access to an unprivileged user on the bastion host. If the hacker's goal is to get to my internal servers, then he would have to crack into an account on the bastion host with root privs. Then he would have to get through yet another firewall to get to my internal lan.
In closing I must say that what I have just described is extremely security related. And if people on this forum are willing to dismiss such a discussion, which is typical of firewall construction, as "not being security related", then I guess that's why I haven't been able to get an answer to my question.
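The bastion policy described in the thread (relay only for the internal SMTP server, reject everything else) can be checked against a `main.cf` before it goes live. The following is an added example, not part of any post in the thread: the addresses 192.168.1.1 and 192.168.1.4 come from the thread, `mynetworks` and `smtpd_relay_restrictions` are real Postfix parameters, and the two sample configurations, the function names and the IPv4-only handling are assumptions made for illustration.

```python
import ipaddress
# Constructed main.cf samples for the bastion (192.168.1.1 in the thread);
# parameter names are real Postfix settings, the values are assumptions.
BASTION_WEAK = """\
# every LAN host may relay through the bastion
mynetworks = 127.0.0.0/8 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
BASTION_HARDENED = """\
# only loopback and the internal SMTP server (192.168.1.4) may relay
mynetworks = 127.0.0.0/8
    192.168.1.4/32
smtpd_relay_restrictions = permit_mynetworks, reject
"""

def parse_main_cf(text):
    """'#' lines are comments; a line starting with whitespace continues the value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            params[key] = value
    return params

def audit_bastion(text, internal_mta="192.168.1.4"):
    """Return findings where the config accepts mail from more than the internal MTA."""
    params, findings = parse_main_cf(text), []
    allowed = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", internal_mta + "/32")]
    if "mynetworks" not in params:
        findings.append("mynetworks unset: trust falls back to mynetworks_style")
    for item in params.get("mynetworks", "").replace(",", " ").split():
        net = ipaddress.ip_network(item, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"mynetworks trusts {net}")
    # Thread policy: the bastion accepts SMTP only from the internal server.
    rules = params.get("smtpd_relay_restrictions", "").replace(",", " ").split()
    if not rules or rules[-1] != "reject":
        findings.append("smtpd_relay_restrictions does not end in reject")
    findings += [f"extra permit rule: {r}" for r in rules
                 if r.startswith("permit") and r != "permit_mynetworks"]
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", BASTION_WEAK), ("hardened", BASTION_HARDENED)):
        print(name, audit_bastion(cfg) or "OK")
```

On the internal server the matching setting would be `relayhost = [192.168.1.1]`, so that all internet-bound mail is handed to the bastion.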