On 27.05.19 08:51, De Petter Mattheas wrote:
> We have set up a postfix server that serves as a relay server between the office
> and our fleet.
>
> The postfix gets its mails from the exchange server onboard.
> The restriction is set that only mails from the IP of the exchange are accepted.
>
> And this security rule works; mails cannot be sent from any other IP.
>
> But our sec officer is worried: what if somebody gets into the VM running the
> exchange server, or creates a VM that has the same IP as the exchange? Then
> you can send mails without auth.

If anyone can break into or impersonate an exchange server (I presume it is in
your internal network/DMZ), then using the postfix server to send mail is the
least problem.

> That's why I'm searching for a way to secure our postfix server with password
> and username.
>
> I'm trying to set up SASL auth but with no luck.
>
> Does anybody have a good tutorial on how to set this up on postfix 2.10.1 on
> Red Hat 7.6?
>
> I have used some tutorials but mails get through without auth.
>
> Authentication is only needed between exchange and postfix; postfix to postfix
> doesn't need auth.

If postfix accepts authentication, it doesn't matter where the
authenticated clients connect from.  In fact, if the password used was
broken (e.g. by brute-forcing), someone could impersonate you as well,
which would make your problem even worse (spam from anywhere).

You would need to make sure by other steps that only the exchange is able to
authenticate to your postfix.  But breaking into that exchange would not
help, the attacker could use anything configured in the exchange server to
send mail.
So, imho, making the exchange sit safe in the DMZ that nobody has access
into, is the most efficient way to avoid the problem.

Using username and password could only help you against breaking into the
connection between exchange and postfix (DMZ), when you restricted
authentication from the exchange server's IP and used authentication that
doesn't send a plaintext password.

Still, if someone was able to do a MITM attack between exchange and postfix,
they could reveal the passwords unless you used SSL certificate verification.

Does the sec officer consider the possibility of breaking into your postfix?
Is it so easy to break into your network?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.
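
One way to express the combination discussed in the reply above (AUTH accepted only from the Exchange address, and only inside TLS), as an added example that is not part of the original thread. The address 192.0.2.10, the certificate paths and the file name exchange_auth.cidr are placeholders; it assumes a working SASL backend and that the Exchange is the only host submitting mail to this server.

```ini
# --- /etc/postfix/main.cf (constructed example, not from the thread) ---
# 192.0.2.10 is a placeholder for the Exchange server's address.

# Keep the Exchange address OUT of mynetworks. If it is listed here,
# permit_mynetworks relays its mail without any authentication.
mynetworks = 127.0.0.0/8

# Offer STARTTLS, and offer AUTH only inside an established TLS session,
# so the password never crosses the wire in the clear.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/relay.example.pem
smtpd_tls_key_file = /etc/pki/tls/private/relay.example.key
smtpd_tls_auth_only = yes

# SASL. The backend (Cyrus saslauthd or Dovecot) is assumed to be set up.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Relay only for a client that is at the Exchange address AND has
# authenticated. Everything else, including an unauthenticated client
# at the Exchange address, falls through to "reject".
smtpd_relay_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/exchange_auth.cidr,
    reject

# --- /etc/postfix/exchange_auth.cidr (hypothetical file name) ---
# The right-hand side is a restriction name, evaluated only for this client.
192.0.2.10/32    permit_sasl_authenticated
```

Certificate verification, the MITM point in the reply, is configured on the Exchange side: its send connector has to require TLS and validate this server's certificate.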
