On 2009-10-04 Stan Hoeppner wrote:
> Sahil Tandon put forth on 10/4/2009 5:28 PM:
>> I appreciate the adherence to Firewalling 101 (something you have
>> preached before on security-basics), but common sense and practical
>> issues might impel one to make an exception and allow port 25 *only*
>> from Outside Postfix -> Inside Postfix.
>
> DMZs are overrated in most situations, and merely add unnecessary
> complexity to security goals easily accomplished by simpler methods.
> For instance, merely implementing inbound TCP 25 PAT on a
> NATi'ing/PAT'ing firewall/router would accomplish all security needs
> with the exception of possible attacks on the smtpd listening daemon.
A scenario like that most certainly does *not* accomplish "all security
needs". Not only is NAT (or PAT for that matter) not designed to be a
security measure, your setup still allows an outside attacker to
directly attack a host INSIDE YOUR LOCAL NETWORK. Meaning that in case
of a remotely exploitable vulnerability the attacker steps directly into
your LAN. Which is exactly what a DMZ is supposed to prevent. Whether or
not someone's security needs justify the additional complexity
introduced by a DMZ is a different matter, but a blanket statement
"inbound 25/tcp PAT accomplishes all security needs" is just plain and
utterly wrong.

> However, due to Wietse's modular daemon design and limited privileges
> of the daemon user, attacks on the listener daemon could only allow
> for DOS, not compromise.

Running a daemon with limited privileges makes it harder to compromise
the entire system. It doesn't make it harder to compromise the account
running the daemon. And it most certainly doesn't rule out the
possibility of a compromise.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky
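The two designs argued over above, side by side as an added nftables example (not from the thread or from Postfix): the "inbound TCP 25 PAT straight to the LAN" setup, and the DMZ variant where only the DMZ relay may open port 25 to the inside Postfix. Interface names (wan0, dmz0, lan0) and the addresses 192.0.2.25 (DMZ relay) and 10.0.0.25 (inside Postfix) are assumed placeholders.

```nftables
# --- Weak design: PAT exposes the LAN host directly to the Internet ---
# Any remotely exploitable bug in the listener lands the attacker
# on 10.0.0.25, a host that sits on the internal network.
table ip nat_pat_only {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "wan0" tcp dport 25 dnat to 10.0.0.25   # straight into the LAN
    }
}

# --- DMZ design: the Internet only ever reaches the relay in the DMZ ---
# The relay is the only host allowed to open port 25 towards the inside
# Postfix; everything else from the DMZ into the LAN is logged and dropped,
# so a compromised relay does not get free lateral movement.
table ip nat_dmz {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "wan0" tcp dport 25 dnat to 192.0.2.25  # DMZ relay, not the LAN
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ relay: SMTP only
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.25 \
            tcp dport 25 ct state new accept

        # DMZ relay -> inside Postfix: SMTP only, from the relay only
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.25 ip daddr 10.0.0.25 \
            tcp dport 25 ct state new accept

        # Anything else DMZ -> LAN is the signal you want to see in the logs
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-drop " drop

        # LAN -> DMZ / Internet: outbound as your policy allows
        iifname "lan0" oifname { "dmz0", "wan0" } ct state new accept
    }
}
```

Load either table set with `nft -f`, not both at once: the two nat tables are alternatives, and the point of the second is that the only path from the Internet to 10.0.0.25 runs through the relay and the single `ip saddr 192.0.2.25 ... tcp dport 25` rule.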