Re: reverse proxy

  • Noel Jones
    Message 1 of 15, Apr 1, 2010
      On 4/1/2010 12:49 PM, Glenn English wrote:
      > Is it possible to use postfix as a reverse proxy for my SMTP server?
      >
      > I think what I'm asking is does postfix do its UBE and protocol checks *before* it sends to a smarthost.
      >
      > If not, do you know of a way to reverse proxy SMTP? How about POP3 and IMAP?
      >

      It's fairly common to use postfix as an email gateway for
      multiple internal mail servers. Here's a starting point:
      http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

      Other information on configuring postfix can be found here:
      http://www.postfix.org/documentation.html

      You can use dovecot as a IMAP/POP3 proxy, more info here:
      http://dovecot.org/
      http://wiki.dovecot.org/HowTo/ImapProxy

      -- Noel Jones
    • Victor Duchovni
      Message 2 of 15, Apr 1, 2010
        On Thu, Apr 01, 2010 at 11:49:50AM -0600, Glenn English wrote:

        > Is it possible to use postfix as a reverse proxy for my SMTP server?

        Yes, but why?

        > I think what I'm asking is does postfix do its UBE and protocol checks
        > *before* it sends to a smarthost.

        Yes, but when Postfix is a proxy, there is no "smarthost" involved, that
        is what happens when Postfix is not a proxy. In proxy mode, all SMTP
        transactions are proxied to a fixed downstream SMTP server which ultimately
        accepts or rejects the message, but Postfix gets a chance to apply its
        policy first.

        http://www.postfix.org/SMTPD_PROXY_README.html

        --
        Viktor.

        P.S. Morgan Stanley is looking for a New York City based, Senior Unix
        system/email administrator to architect and sustain our perimeter email
        environment. If you are interested, please drop me a note.
      • Glenn English
        Message 3 of 15, Apr 1, 2010
          On Apr 1, 2010, at 12:25 PM, Victor Duchovni wrote:

          >> Is it possible to use postfix as a reverse proxy for my SMTP server?
          >
          > Yes, but why?

          Because I was told over on the mailop list that it needs to be done for security reasons, and I'm looking into whether to believe it or not.

          Thanks to you and Noel for the speedy advice. I haven't been able to find much with google...

          --
          Glenn English
          ghe@...
        • Victor Duchovni
          Message 4 of 15, Apr 1, 2010
            On Thu, Apr 01, 2010 at 12:50:04PM -0600, Glenn English wrote:

            >
            > On Apr 1, 2010, at 12:25 PM, Victor Duchovni wrote:
            >
            > >> Is it possible to use postfix as a reverse proxy for my SMTP server?
            > >
            > > Yes, but why?
            >
            > Because I was told over on the mailop list that it needs to be done
            > for security reasons, and I'm looking into whether to believe it or not.

            What is the "it" that has to be done for "security reasons". Normally
            Postfix is a store/forward MTA not a reverse proxy, and this is likely
            more secure, because SMTP commands are fully generated by Postfix,
            rather than proxied through.

            If you don't need proxy-mode for non-security reasons, you don't need
            proxy mode.

            --
            Viktor.

            P.S. Morgan Stanley is looking for a New York City based, Senior Unix
            system/email administrator to architect and sustain our perimeter email
            environment. If you are interested, please drop me a note.
          • Glenn English
            Message 5 of 15, Apr 1, 2010
              On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:

              > What is the "it" that has to be done for "security reasons".

              Reverse proxy-ing servers on the firewall. The idea, as I understand it, is to keep badness from getting to the servers. I can kinda understand that for HTTP -- ACLs based on UR* and stuff like that might make apache's life easier -- but I don't really know what good an SMTP reverse proxy would do, aside from double checking protocol.

              > If you don't need proxy-mode for non-security reasons, you don't need
              > proxy mode.

              I didn't think so (I'm a long way from needing load balancing, and postfix seems to do a pretty good job of looking out for itself), but I'm looking into it. Thanks for the vote against.

              It occurs to me to move the spam filtering to the firewall, but I don't see a lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

              --
              Glenn English
              ghe@...
            • Victor Duchovni
              Message 6 of 15, Apr 1, 2010
                On Thu, Apr 01, 2010 at 03:52:46PM -0600, Glenn English wrote:

                >
                > On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:
                >
                > > What is the "it" that has to be done for "security reasons".
                >
                > Reverse proxy-ing servers on the firewall. The idea, as I understand it, is to keep badness from getting to the servers. I can kinda understand that for HTTP -- ACLs based on UR* and stuff like that might make apache's life easier -- but I don't really know what good an SMTP reverse proxy would do, aside from double checking protocol.
                >
                > > If you don't need proxy-mode for non-security reasons, you don't need
                > > proxy mode.
                >
                > I didn't think so (I'm a long way from needing load balancing, and postfix seems to do a pretty good job of looking out for itself), but I'm looking into it. Thanks for the vote against.
                >
                > It occurs to me to move the spam filtering to the firewall, but I don't see a lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

                Were you asking about using Postfix as a proxy in front of internal SMTP
                servers, or using firewall reverse-proxy SMTP support to sit in front of
                Postfix? The latter is definitely a very bad idea. The former is sometimes
                appropriate, but fairly unusual; letting Postfix operate normally with
                a store and forward queue is much more typical and usually the right choice.

                --
                Viktor.

                P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                system/email administrator to architect and sustain our perimeter email
                environment. If you are interested, please drop me a note.
              • Glenn English
                Message 7 of 15, Apr 1, 2010
                  On Apr 1, 2010, at 4:05 PM, Victor Duchovni wrote:

                  > Were you asking about using Postfix as a proxy in front of internal SMTP
                  > servers, or using firewall reverse-proxy SMTP support to sit in front of
                  > Postfix?

                  I was asking about Postfix running as a daemon on the firewall computer that handles routing and inspecting traffic between the WAN, the DMZ, and the LAN. This Postfix would intercept and inspect incoming SMTP connections (and drop some) before passing valid ones on to the real Postfix MTA running on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                  > The latter is definitely a very bad idea.

                  Why? I can see how it'd be a duplication of effort, but I don't see how it would hurt.

                  > The former is sometimes
                  > appropriate, but fairly unusual, letting Postfix operate normally with
                  > a store and forward queue is much more typical and usually the right choice.

                  I know it's much more typical; I'd never heard of putting proxies on the firewall before (I'd never thought of the PIX stuff as a proxy, just a little content filtering (that was always getting me in trouble)). But popularity in itself doesn't make it the best way to do things.

                  The argument is that a packet filter is easily made 'default deny' but a lot of cruft gets through because the packet headers may be OK, while the content is evil. An IDS/IPS is not effective because it's 'default allow' and is always chasing the latest exploit pattern. A reverse proxy, though, is an application level 'default deny'. Therefore, reverse proxy filtering can block content-based attacks that haven't been seen yet.

                  (I know there's a lot more to Snort's rules than just the latest patterns, and that it's 'default allow' because that's the way the default ruleset is configured. I'm just repeating some of what they said, and I'm attracted to parts of the proxy argument.)

                  --
                  Glenn English
                  ghe@...
                • Wietse Venema
                  Message 8 of 15, Apr 1, 2010
                    Glenn English:
                    >
                    > On Apr 1, 2010, at 4:05 PM, Victor Duchovni wrote:
                    >
                    > > Were you asking about using Postfix as a proxy in front of internal SMTP
                    > > servers, or using firewall reverse-proxy SMTP support to sit in front of
                    > > Postfix?
                    >
                    > I was asking about Postfix running as a daemon on the firewall computer
                    > that handles routing and inspecting traffic between the WAN, the DMZ, and
                    > the LAN. This Postfix would intercept and inspect incoming SMTP connections
                    > (and drop some) before passing valid ones on to the real Postfix MTA running
                    > on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                    So why must this be a Postfix-as-proxy, instead of a complete
                    Postfix-with-queue instance?

                    Wietse
                  • Stan Hoeppner
                    Message 9 of 15, Apr 1, 2010
                      Glenn English put forth on 4/1/2010 5:42 PM:

                      > I was asking about Postfix running as a daemon on the firewall computer that handles routing and inspecting traffic between the WAN, the DMZ, and the LAN. This Postfix would intercept and inspect incoming SMTP connections (and drop some) before passing valid ones on to the real Postfix MTA running on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                      If you want all the edge security managed by one device, I'd suggest you
                      look here: http://www.astaro.com/ and prepare to open the corporate
                      pocketbook relatively wide depending on the size of your user base and WAN
                      bandwidth.

                      If you actually know enough about what you're doing, just punch a TCP 25
                      pub/priv PAT hole through your current F/W to your Postfix server and beef
                      up your AS/AV countermeasures. We've talked about a plethora of such
                      methods both here and on spam-l that you've seen. Using an SMTP proxy/relay
                      on the F/W box and sticking your Postfix server in the DMZ is a useless,
                      fruitless, labor hogging effort, complicating your network architecture and
                      introducing new troubleshooting headaches, for _zero_ security gain.

                      Proxies and DMZs look neat on paper and in theory, but in the real world,
                      for 95%+ or more of deployed applications, including SMTP mail, they create
                      far more problems than they could ever hope to solve. Any seasoned sysop
                      shuns unneeded complexity. The KISS principle applies to IT as it does to
                      most things.

                      --
                      Stan
                    • Glenn English
                      Message 10 of 15, Apr 1, 2010
                        On Apr 1, 2010, at 7:33 PM, Stan Hoeppner wrote:

                        > If you want all the edge security managed by one device

                        I don't. There's a border router with ACLs, and everybody has a reasonably intelligent packet filter. I'm just trying for this one fairly fancy box in the middle for inspection and routing around the site (3 nets). It really isn't all that complicated, I don't think. I was just told I needed to do some stuff I'd never heard of, and I'm working on deciding on whether I believe it or not.

                        > If you actually know enough about what you're doing, just punch a TCP 25
                        > pub/priv PAT hole through your current F/W to your Postfix server and beef
                        > up your AS/AV countermeasures.

                        Actually, I'm thinking that Wietse and his buds know what they're doing, and I can poke that TCP 25 hole to Postfix, and Postfix can pretty much take care of itself, as long as I keep massive trash off it.

                        > We've talked about a plethora of such
                        > methods both here and on spam-l that you've seen.

                        Yup.

                        > Using an SMTP proxy/relay
                        > on the F/W box and sticking your Postfix server in the DMZ is a useless,
                        > fruitless, labor hogging effort, complicating your network architecture and
                        > introducing new troubleshooting headaches, for _zero_ security gain.

                        Thanks, Stan. I'll keep your gently worded advice in mind :-)

                        It's actually pretty much the conclusion I was coming to anyway, except that I like having the Internet servers in the DMZ.

                        > Proxies and DMZs look neat on paper and in theory, but in the real world,
                        > for 95%+ or more of deployed applications, including SMTP mail, they create
                        > far more problems than they could ever hope to solve. Any seasoned sysop
                        > shuns unneeded complexity.

                        Certainly, although I'm far from seasoned. The hard part is defining "unneeded". I'm running a small system, but the DMZ model's never given me much trouble. I don't have a problem managing it, and it's useful in segmenting functions of the hosts (physically and mentally).

                        --
                        Glenn English
                        ghe@...
                      • Glenn English
                        Message 11 of 15, Apr 1, 2010
                          On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:

                          > So why must this be a Postfix-as-proxy, instead of a complete
                          > Postfix-with-queue instance?

                          Like I said, I'm not at all sure it does. But I'm told that there should be an SMTP reverse proxy running on the firewall to protect the full server from "delivery attempts
                          to never-existed addresses (with a subclass for never-existed addresses
                          that match the format(s) of your generated Message-IDs), attempts to use
                          VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                          spam-supporting abusers doing external SAV), and so on".

                          Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.

                          Thanks all...

                          --
                          Glenn English
                          ghe@...
                        • Wietse Venema
                          Message 12 of 15, Apr 1, 2010
                            Glenn English:
                            >
                            > On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:
                            >
                            > > So why must this be a Postfix-as-proxy, instead of a complete
                            > > Postfix-with-queue instance?
                            >
                            > Like I said, I'm not at all sure it does. But I'm told that there
                            > should be an SMTP reverse proxy running on the firewall to protect
                            > the full server from "delivery attempts
                            > to never-existed addresses (with a subclass for never-existed addresses
                            > that match the format(s) of your generated Message-IDs), attempts to use
                            > VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                            > spam-supporting abusers doing external SAV), and so on".

                            Postfix can take care of that just fine, including overload-adaptive
                            behavior. You can turn on chroot (use a *BSD machine to avoid chroot
                            jail bloat) for an additional safety net.

                            Wietse

                            > Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.
                            >
                            > Thanks all...
                            >
                            > --
                            > Glenn English
                            > ghe@...
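As an added illustration (not part of this thread, and not a configuration from the Postfix documentation it links), here is a main.cf fragment for the store-and-forward DMZ gateway that Noel, Viktor and Wietse recommend, with the setting that answers each item in the quoted threat list; the domain, host name and lookup-table paths are assumed values, and the before-queue proxy from SMTPD_PROXY_README is shown only as a commented-out alternative.

```conf
# Constructed example: Postfix main.cf for a DMZ gateway that accepts mail
# for one domain and relays it to an internal server. Assumed names:
# example.com, mx.example.com, mail.internal.example.com.

myhostname = mx.example.com
mynetworks = 127.0.0.0/8
inet_interfaces = all

# Accept mail for the internal domain only and relay it inwards
# (the pattern described in STANDARD_CONFIGURATION_README, "firewall").
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport:   example.com   relay:[mail.internal.example.com]

# No local delivery on the gateway at all.
local_recipient_maps =
local_transport = error:local mail delivery is disabled

# "delivery attempts to never-existed addresses": reject unknown recipients
# at RCPT TO time instead of accepting and bouncing later. The table lists
# every valid address in example.com (assumed to be exported from the
# internal server, one address per line).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_reject_unlisted_recipient = yes

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient

# "attempts to use VRFY and EXPN": VRFY is switched off here; Postfix does
# not implement EXPN and answers it with a 502 regardless.
disable_vrfy_command = yes

# "attempts to use RCPT that are aborted" and similar probing: each
# rejected command counts as an error; after the soft limit the client is
# delayed, after the hard limit the session is dropped.
smtpd_soft_error_limit = 5
smtpd_error_sleep_time = 5s

# Per-client rate limits enforced by anvil(8); $mynetworks is exempt.
smtpd_client_connection_rate_limit = 30
smtpd_client_recipient_rate_limit = 100
anvil_rate_time_unit = 60s

# Overload-adaptive behaviour (STRESS_README): when the smtpd process limit
# is reached, shorten the timeout and tolerate far fewer errors per session.
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_hard_error_limit = ${stress?1}${stress:10}

# Before-queue proxy mode from SMTPD_PROXY_README, deliberately NOT enabled:
# with it, every SMTP transaction is passed through to the filter on the
# listed port instead of being queued here first.
# smtpd_proxy_filter = 127.0.0.1:10025
```

Rebuild the hash tables with `postmap` after editing them and run `postfix reload`; `postconf -n` shows the effective non-default settings.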
                          • Victor Duchovni
                            Message 13 of 15, Apr 2, 2010
                              On Thu, Apr 01, 2010 at 08:15:29PM -0600, Glenn English wrote:

                              > > So why must this be a Postfix-as-proxy, instead of a complete
                              > > Postfix-with-queue instance?
                              >
                              > Like I said, I'm not at all sure it does. But I'm told that there
                              > should be an SMTP reverse proxy running on the firewall to protect the
                              > full server from "delivery attempts to never-existed addresses (with a
                              > subclass for never-existed addresses that match the format(s) of your
                              > generated Message-IDs), attempts to use
                              > VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                              > spam-supporting abusers doing external SAV), and so on".

                              Not everything you hear on the Internet is true, kind or wise.

                              This said, many folks operate perimeter Postfix servers with a full queue
                              (not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
                              servers, if your network architecture is more conducive to a deployment
                              of this type.

                              --
                              Viktor.

                              P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                              system/email administrator to architect and sustain our perimeter email
                              environment. If you are interested, please drop me a note.
                            • Glenn English
                              Message 14 of 15, Apr 2, 2010
                                On Apr 2, 2010, at 12:33 PM, Victor Duchovni wrote:

                                > Not everything you hear on the Internet is true, kind or wise.

                                But I'm assuming you are all three :-)

                                > This said, many folks operate perimeter Postfix servers with a full queue
                                > (not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
                                > servers, if your network architecture is more conducive to a deployment
                                > of this type.

                                Yeah. That's what I've had for a long time. Works fine, and I'd never allow an Internet connection to anything on the LAN. That's the whole purpose of the DMZ, as I understand it.

                                This suggestion was to run an SMTP reverse proxy on the firewall. I'm thinking about maybe doing that for HTTP because it'd be pretty easy to filter based on what would be legit HTML requests, but not for much else.

                                Thanks for the info...

                                --
                                Glenn English
                                ghe@...