Sahil Tandon put forth on 10/4/2009 5:28 PM:
> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.
>
> IMHO, of course. YMMV, TMTOWTDI and all other disclaiming acronyms.
DMZs are overrated in most situations, and merely add unnecessary complexity to security goals easily accomplished by simpler methods. For instance, merely implementing inbound TCP 25 PAT on a NAT'ing/PAT'ing firewall/router would accomplish all security needs with the exception of possible attacks on the smtpd listening daemon. However, due to Wietse's modular daemon design and limited privileges of the daemon user, attacks on the listener daemon could only allow for DoS, not compromise. To date I've not heard of such an attack. I'm not saying it hasn't occurred, I've just not heard of such a case.

You're better off using your firewall for what it's meant to do instead of playing with DMZ hosts, which normally cause more problems than they solve (already proven in this case).

--
Stan
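The "inbound TCP 25 PAT" design Stan describes, written out as an nftables ruleset so the two halves (the NAT mapping and the filter rule that lets only that mapped connection cross inward) are visible. This is an added example, not from the thread or from the Postfix project; the addresses, interface names and the new-connection rate limit are constructed assumptions.

```nftables
# Constructed placeholders: eth0 is the outside interface with public
# address 203.0.113.10, lan0 the inside interface, 192.168.10.25 the
# inside Postfix host.
table ip mailfw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # PAT: only public tcp/25 is mapped to the inside Postfix host.
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 25 dnat to 192.168.10.25:25
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies and related packets follow the connection tracker.
        ct state established,related accept
        # Only the translated SMTP connection may enter the inside network.
        # The rate limit is an assumption added here: it bounds how fast an
        # attacker can spawn smtpd processes, which the thread notes is the
        # remaining exposure (DoS on the listener, not compromise).
        iifname "eth0" ip daddr 192.168.10.25 tcp dport 25 ct state new limit rate 30/minute accept
        # Outbound mail from the inside Postfix host.
        iifname "lan0" ip saddr 192.168.10.25 tcp dport 25 accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT everything leaving on the outside interface.
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset` that tcp/25 to 192.168.10.25 is the only inbound forward rule; every other inbound port stays behind the default drop policy.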