External & Internal mail server
Matthew Carpenter
matt
Thu May 26 08:27:31 PDT 2005
Vu Pham wrote:
> Some of the documents I read about firewalls mention an internal
> mail server and an external mail server in the DMZ and suggest
> letting employees access the internal mail server, which will
> forward outgoing email to the external mail server, which will
> forward incoming email to the internal one.
>
> Why do we need two ? Why don't we use only one mail server put in
> the DMZ zone ?
>
It's risk management. The DMZ server is accessible from the Internet,
so any valid exploits will be able to compromise it. The internal
server is the actual storage facility for the mail, and is accessible
from the inside, and possibly from the DMZ box. If the two
mail systems have the same vulnerabilities, you may have bought some
time before they gain access to your internal system. If they are
different (like Sendmail out front, Postfix or Lotus Notes on the
inside), you may have stopped the attacker in the DMZ.
Hopefully you are monitoring for strange behavior (including but not
limited to services failing and needing to be restarted). Hopefully
you have IDS watching the key points in your network. Hopefully you
have patch management procedures (easy in Linux, just automate it with
YOU, YUM, or Cron-Apt) and are fully patched at "all" times.
There are other, less extreme cases, but this is one example of why.
Security is a game of time. You can't keep attackers out all the
time. Hopefully you are able to slow them down and catch them before
they get anything of value. This justifies what the industry calls
"Defense in Depth".
--
Matthew Carpenter
matt at eisgr.com http://www.eisgr.com/
Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business
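The two-server layout described in the reply, written out as a pair of Postfix main.cf fragments. This is an added illustration, not configuration from the original message or from any real site: the domain example.com, the hostnames mx.example.com and mail.internal.example.com, the DMZ address 192.0.2.10 and the 10.0.0.0/8 internal range are all assumed. Postfix is used on both sides only to keep the example short; the reply's point about running different software on each tier still applies.

```ini
# --- DMZ relay (mx.example.com): reachable from the Internet, stores nothing ---
# Hypothetical example; adjust names and addresses for your environment.
myhostname = mx.example.com

# No local delivery at all on the DMZ box: it is a relay, not a mailbox host.
mydestination =

# Accept mail from the Internet only for our own domain ...
relay_domains = example.com
# ... and only for recipients we know exist, so the edge box rejects
# guessed addresses instead of bouncing them from the inside.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Hand everything for example.com to the internal server (transport file line:
#   example.com   smtp:[mail.internal.example.com]
# the brackets skip the MX lookup, which would point back at this host).
transport_maps = hash:/etc/postfix/transport

# Only the internal network may use this box to send outbound mail.
mynetworks = 127.0.0.0/8, 10.0.0.0/8

# The check that keeps this from being an open relay: anyone may deliver to
# relay_domains, but only mynetworks may relay elsewhere.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination


# --- Internal server (mail.internal.example.com): holds the mailboxes ---
myhostname = mail.internal.example.com

# Final delivery for the domain happens here.
mydestination = example.com

# Every outbound message goes out through the DMZ relay; the internal box
# never talks to Internet MX hosts directly.
relayhost = [mx.example.com]

# Trusted senders: internal clients plus the DMZ relay (assumed at 192.0.2.10).
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 192.0.2.10/32
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

The firewall rules should match the config: TCP/25 from the Internet only to the DMZ relay, TCP/25 from the DMZ relay only to the internal server, and TCP/25 from the internal server only to the DMZ relay. After editing, `postfix check` and `postconf -n` on each host confirm the files parse and show only the non-default settings; a test message from an outside address that is not in relay_recipients should be rejected at the DMZ box with a 5xx reply rather than accepted and bounced later.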