I'll add some pointers, but first
I've just installed a backup email server in a remote (unmanned) location and I'm now wondering about security.
...isn't that the opposite of careful planning? :-]
If this is a backup in the sense of fall-back MX, then in essence all you have to do is mimick the requirements and setup of the first MX server. If you didn't configure that one yourself IMHO you could save yourself troubles by familiarizing yourself with its setup, tasks, performance and problems. In any case please make sure you harden the box properly (regardless of it being NATted or not) and regularly audit the box running at least some file integrity checker like Aide or Samhain. Please check out the
LQ FAQ: Security references for more info.
1) Is it secure to simply port forward another port for remote admin i.e. ssh on port 22??
Yes, but in addition to what Anomie said (block root access to sshd) you should:
- use the firewall to narrow access down to "known good" networks administration tasks will be done from,
- use /etc/hosts.{deny,allow} to do the same (if OpenSSH is compiled with -libwrap which it usually is on Linux),
- use sshd_config (or PAM) to allow only (a few) non-privileged users to access to ssh.
I would also like to suggest running either software to keep sshd up (like Monit) or add a fall-back ssh entry to Xinetd (if you run that) if the server doesn't run.
3) do I need to worry about iptables in a serious way if I'm behind a nat firewall? if so could anyone recommend a good guide or set of rules to use?
Yes. Best rule is: deny everything you do not absolutely need to have access.
I agree this is the best stance. In the LQ FAQ: Security references you'll find amongst others a lead to the Netguru's Iptables site. Also, if the LAN segment you're in is shared by other hosts having nothing to do with your setup, you may want to block access from them specifically (just my experience). If you want to show us what you want to set up, please do and we'll try to add to that.