Re: reverse proxy

  • Victor Duchovni
    Message 1 of 15, Apr 1, 2010
      On Thu, Apr 01, 2010 at 11:49:50AM -0600, Glenn English wrote:

      > Is it possible to use postfix as a reverse proxy for my SMTP server?

      Yes, but why?

      > I think what I'm asking is does postfix do its UBE and protocol checks
      > *before* it sends to a smarthost.

      Yes, but when Postfix is a proxy, there is no "smarthost" involved; that
      is what happens when Postfix is not a proxy. In proxy mode, all SMTP
      transactions are proxied to a fixed downstream SMTP server which ultimately
      accepts or rejects the message, but Postfix gets a chance to apply its
      policy first.

      http://www.postfix.org/SMTPD_PROXY_README.html

      --
      Viktor.

      P.S. Morgan Stanley is looking for a New York City based, Senior Unix
      system/email administrator to architect and sustain our perimeter email
      environment. If you are interested, please drop me a note.
    • Glenn English
      Message 2 of 15, Apr 1, 2010
        On Apr 1, 2010, at 12:25 PM, Victor Duchovni wrote:

        >> Is it possible to use postfix as a reverse proxy for my SMTP server?
        >
        > Yes, but why?

        Because I was told over on the mailop list that it needs to be done for security reasons, and I'm looking into whether to believe it or not.

        Thanks to you and Noel for the speedy advice. I haven't been able to find much with google...

        --
        Glenn English
        ghe@...
      • Victor Duchovni
        Message 3 of 15, Apr 1, 2010
          On Thu, Apr 01, 2010 at 12:50:04PM -0600, Glenn English wrote:

          >
          > On Apr 1, 2010, at 12:25 PM, Victor Duchovni wrote:
          >
          > >> Is it possible to use postfix as a reverse proxy for my SMTP server?
          > >
          > > Yes, but why?
          >
          > Because I was told over on the mailop list that it needs to be done
          > for security reasons, and I'm looking into whether to believe it or not.

          What is the "it" that has to be done for "security reasons"? Normally
          Postfix is a store/forward MTA, not a reverse proxy, and this is likely
          more secure, because SMTP commands are fully generated by Postfix,
          rather than proxied through.

          If you don't need proxy-mode for non-security reasons, you don't need
          proxy mode.

          --
          Viktor.

          P.S. Morgan Stanley is looking for a New York City based, Senior Unix
          system/email administrator to architect and sustain our perimeter email
          environment. If you are interested, please drop me a note.
        • Glenn English
          Message 4 of 15, Apr 1, 2010
            On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:

            > What is the "it" that has to be done for "security reasons".

            Reverse proxy-ing servers on the firewall. The idea, as I understand it, is to keep badness from getting to the servers. I can kinda understand that for HTTP -- ACLs based on UR* and stuff like that might make apache's life easier -- but I don't really know what good an SMTP reverse proxy would do, aside from double checking protocol.

            > If you don't need proxy-mode for non-security reasons, you don't need
            > proxy mode.

            I didn't think so (I'm a long way from needing load balancing, and postfix seems to do a pretty good job of looking out for itself), but I'm looking into it. Thanks for the vote against.

            It occurs to me to move the spam filtering to the firewall, but I don't see a lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

            --
            Glenn English
            ghe@...
          • Victor Duchovni
            Message 5 of 15, Apr 1, 2010
              On Thu, Apr 01, 2010 at 03:52:46PM -0600, Glenn English wrote:

              >
              > On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:
              >
              > > What is the "it" that has to be done for "security reasons".
              >
              > Reverse proxy-ing servers on the firewall. The idea, as I understand it, is to keep badness from getting to the servers. I can kinda understand that for HTTP -- ACLs based on UR* and stuff like that might make apache's life easier -- but I don't really know what good an SMTP reverse proxy would do, aside from double checking protocol.
              >
              > > If you don't need proxy-mode for non-security reasons, you don't need
              > > proxy mode.
              >
              > I didn't think so (I'm a long way from needing load balancing, and postfix seems to do a pretty good job of looking out for itself), but I'm looking into it. Thanks for the vote against.
              >
              > It occurs to me to move the spam filtering to the firewall, but I don't see a lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

              Were you asking about using Postfix as a proxy in front of internal SMTP
              servers, or using firewall reverse-proxy SMTP support to sit in front of
              Postfix? The latter is definitely a very bad idea. The former is sometimes
              appropriate, but fairly unusual; letting Postfix operate normally with
              a store and forward queue is much more typical and usually the right choice.

              --
              Viktor.

              P.S. Morgan Stanley is looking for a New York City based, Senior Unix
              system/email administrator to architect and sustain our perimeter email
              environment. If you are interested, please drop me a note.
            • Glenn English
              Message 6 of 15, Apr 1, 2010
                On Apr 1, 2010, at 4:05 PM, Victor Duchovni wrote:

                > Were you asking about using Postfix as a proxy in front of internal SMTP
                > servers, or using firewall reverse-proxy SMTP support to sit in front of
                > Postfix?

                I was asking about Postfix running as a daemon on the firewall computer that handles routing and inspecting traffic between the WAN, the DMZ, and the LAN. This Postfix would intercept and inspect incoming SMTP connections (and drop some) before passing valid ones on to the real Postfix MTA running on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                > The latter is definitely a very bad idea.

                Why? I can see how it'd be a duplication of effort, but I don't see how it would hurt.

                > The former is sometimes
                > appropriate, but fairly unusual, letting Postfix operate normally with
                > a store and forward queue is much more typical and usually the right choice.

                I know it's much more typical; I'd never heard of putting proxies on the firewall before (I'd never thought of the PIX stuff as a proxy, just a little content filtering (that was always getting me in trouble)). But popularity in itself doesn't make it the best way to do things.

                The argument is that a packet filter is easily made 'default deny' but a lot of cruft gets through because the packet headers may be OK, while the content is evil. An IDS/IPS is not effective because it's 'default allow' and is always chasing the latest exploit pattern. A reverse proxy, though, is an application level 'default deny'. Therefore, reverse proxy filtering can block content-based attacks that haven't been seen yet.

                (I know there's a lot more to Snort's rules than just the latest patterns, and that it's 'default allow' because that's the way the default ruleset is configured. I'm just repeating some of what they said, and I'm attracted to parts of the proxy argument.)

                --
                Glenn English
                ghe@...
              • Wietse Venema
                Message 7 of 15, Apr 1, 2010
                  Glenn English:
                  >
                  > On Apr 1, 2010, at 4:05 PM, Victor Duchovni wrote:
                  >
                  > > Were you asking about using Postfix as a proxy in front of internal SMTP
                  > > servers, or using firewall reverse-proxy SMTP support to sit in front of
                  > > Postfix?
                  >
                  > I was asking about Postfix running as a daemon on the firewall computer
                  > that handles routing and inspecting traffic between the WAN, the DMZ, and
                  > the LAN. This Postfix would intercept and inspect incoming SMTP connections
                  > (and drop some) before passing valid ones on to the real Postfix MTA running
                  > on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                  So why must this be a Postfix-as-proxy, instead of a complete
                  Postfix-with-queue instance?

                  Wietse
                • Stan Hoeppner
                  Message 8 of 15, Apr 1, 2010
                    Glenn English put forth on 4/1/2010 5:42 PM:

                    > I was asking about Postfix running as a daemon on the firewall computer that handles routing and inspecting traffic between the WAN, the DMZ, and the LAN. This Postfix would intercept and inspect incoming SMTP connections (and drop some) before passing valid ones on to the real Postfix MTA running on a computer in the DMZ. A 3-hole PIX running Postfix, in other words.

                    If you want all the edge security managed by one device, I'd suggest you
                    look here: http://www.astaro.com/ and prepare to open the corporate
                    pocketbook relatively wide depending on the size of your user base and WAN
                    bandwidth.

                    If you actually know enough about what you're doing, just punch a TCP 25
                    pub/priv PAT hole through your current F/W to your Postfix server and beef
                    up your AS/AV countermeasures. We've talked about a plethora of such
                    methods both here and on spam-l that you've seen. Using an SMTP proxy/relay
                    on the F/W box and sticking your Postfix server in the DMZ is a useless,
                    fruitless, labor hogging effort, complicating your network architecture and
                    introducing new troubleshooting headaches, for _zero_ security gain.

                    Proxies and DMZs look neat on paper and in theory, but in the real world,
                    for 95%+ or more of deployed applications, including SMTP mail, they create
                    far more problems than they could ever hope to solve. Any seasoned sysop
                    shuns unneeded complexity. The KISS principle applies to IT as it does to
                    most things.

                    --
                    Stan
                  • Glenn English
                    Message 9 of 15, Apr 1, 2010
                      On Apr 1, 2010, at 7:33 PM, Stan Hoeppner wrote:

                      > If you want all the edge security managed by one device

                      I don't. There's a border router with ACLs, and everybody has a reasonably intelligent packet filter. I'm just trying for this one fairly fancy box in the middle for inspection and routing around the site (3 nets). It really isn't all that complicated, I don't think. I was just told I needed to do some stuff I'd never heard of, and I'm working on deciding on whether I believe it or not.

                      > If you actually know enough about what you're doing, just punch a TCP 25
                      > pub/priv PAT hole through your current F/W to your Postfix server and beef
                      > up your AS/AV countermeasures.

                      Actually, I'm thinking that Wietse and his buds know what they're doing, and I can poke that TCP 25 hole to Postfix, and Postfix can pretty much take care of itself, as long as I keep massive trash off it.

                      > We've talked about a plethora of such
                      > methods both here and on spam-l that you've seen.

                      Yup.

                      > Using an SMTP proxy/relay
                      > on the F/W box and sticking your Postfix server in the DMZ is a useless,
                      > fruitless, labor hogging effort, complicating your network architecture and
                      > introducing new troubleshooting headaches, for _zero_ security gain.

                      Thanks, Stan. I'll keep your gently worded advice in mind :-)

                      It's actually pretty much the conclusion I was coming to anyway, except that I like having the Internet servers in the DMZ.

                      > Proxies and DMZs look neat on paper and in theory, but in the real world,
                      > for 95%+ or more of deployed applications, including SMTP mail, they create
                      > far more problems than they could ever hope to solve. Any seasoned sysop
                      > shuns unneeded complexity.

                      Certainly, although I'm far from seasoned. The hard part is defining "unneeded". I'm running a small system, but the DMZ model's never given me much trouble. I don't have a problem managing it, and it's useful in segmenting functions of the hosts (physically and mentally).

                      --
                      Glenn English
                      ghe@...
                    • Glenn English
                      Message 10 of 15, Apr 1, 2010
                        On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:

                        > So why must this be a Postfix-as-proxy, instead of a complete
                        > Postfix-with-queue instance?

                        Like I said, I'm not at all sure it does. But I'm told that there should be an SMTP reverse proxy running on the firewall to protect the full server from "delivery attempts
                        to never-existed addresses (with a subclass for never-existed addresses
                        that match the format(s) of your generated Message-IDs), attempts to use
                        VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                        spam-supporting abusers doing external SAV), and so on".

                        Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.

                        Thanks all...

                        --
                        Glenn English
                        ghe@...
                      • Wietse Venema
                        Message 11 of 15, Apr 1, 2010
                          Glenn English:
                          >
                          > On Apr 1, 2010, at 5:36 PM, Wietse Venema wrote:
                          >
                          > > So why must this be a Postfix-as-proxy, instead of a complete
                          > > Postfix-with-queue instance?
                          >
                          > Like I said, I'm not at all sure it does. But I'm told that there
                          > should be an SMTP reverse proxy running on the firewall to protect
                          > the full server from "delivery attempts
                          > to never-existed addresses (with a subclass for never-existed addresses
                          > that match the format(s) of your generated Message-IDs), attempts to use
                          > VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                          > spam-supporting abusers doing external SAV), and so on".

                          Postfix can take care of that just fine, including overload-adaptive
                          behavior. You can turn on chroot (use a *BSD machine to avoid chroot
                          jail bloat) for an additional safety net.

                          Wietse

                          > Just trying to decide whether I want to do it, and I think I've been convinced on this list that I don't.
                          >
                          > Thanks all...
                          >
                          > --
                          > Glenn English
                          > ghe@...
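The points Wietse makes here, and the abuse list Glenn quoted in message 10, can be illustrated with a main.cf/master.cf fragment for a store-and-forward Postfix instance in the DMZ with no reverse proxy in front of it. This is an added example, not configuration posted by anyone in the thread; the domain "example.com" and the map path are placeholders.

```conf
# Added example: perimeter Postfix with a normal store-and-forward queue,
# handling the abuse patterns listed in the thread in smtpd itself.
# "example.com" and /etc/postfix/relay_recipients are placeholders.

# ---- main.cf ----

# "delivery attempts to never-existed addresses": this host relays for
# example.com, so it must know which recipients exist there and reject the
# rest at RCPT TO. Accepting first and bouncing later would turn the host
# into a backscatter source.
relay_domains        = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   /etc/postfix/relay_recipients (placeholder), one valid address per line:
#     alice@example.com   OK
#     bob@example.com     OK
#   then run: postmap /etc/postfix/relay_recipients
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    permit

# "attempts to use VRFY and EXPN": VRFY is refused outright; Postfix does
# not implement EXPN at all, so it is answered with a command error.
disable_vrfy_command = yes

# "attempts to use RCPT that are aborted" and other probing: each rejected
# command counts as an error. Past the soft limit the client is delayed by
# smtpd_error_sleep_time; past the hard limit (set below) the session ends.
smtpd_soft_error_limit = 5
smtpd_error_sleep_time = 5s

# Per-client connection limits, enforced by the anvil(8) server
# (rate is per anvil_rate_time_unit, 60s by default).
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit  = 30

# Overload-adaptive behaviour (STRESS_README): when all smtpd processes are
# busy, master(8) sets the "stress" variable and these parameters switch to
# their short values, so slow or abusive clients stop tying up processes.
smtpd_timeout            = ${stress?10}${stress:300}s
smtpd_hard_error_limit   = ${stress?1}${stress:10}
smtpd_junk_command_limit = ${stress?1}${stress:100}

# ---- master.cf ----
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
#                               ^ "y": run smtpd in the chroot jail Wietse
#                                 mentions, as the additional safety net.
```

Check the result with `postconf -n` and a manual session against port 25: a RCPT TO for an unlisted address should be rejected before DATA, and a VRFY should be refused.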
                        • Victor Duchovni
                          Message 12 of 15, Apr 2, 2010
                            On Thu, Apr 01, 2010 at 08:15:29PM -0600, Glenn English wrote:

                            > > So why must this be a Postfix-as-proxy, instead of a complete
                            > > Postfix-with-queue instance?
                            >
                            > Like I said, I'm not at all sure it does. But I'm told that there
                            > should be an SMTP reverse proxy running on the firewall to protect the
                            > full server from "delivery attempts to never-existed addresses (with a
                            > subclass for never-existed addresses that match the format(s) of your
                            > generated Message-IDs), attempts to use
                            > VRFY and EXPN, attempts to use RCPT that are aborted (likely indicate
                            > spam-supporting abusers doing external SAV), and so on".

                            Not everything you hear on the Internet is true, kind or wise.

                            This said, many folks operate perimeter Postfix servers with a full queue
                            (not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
                            servers, if your network architecture is more conducive to a deployment
                            of this type.

                            --
                            Viktor.

                            P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                            system/email administrator to architect and sustain our perimeter email
                            environment. If you are interested, please drop me a note.
                          • Glenn English
                            Message 13 of 15, Apr 2, 2010
                              On Apr 2, 2010, at 12:33 PM, Victor Duchovni wrote:

                              > Not everything you hear on the Internet is true, kind or wise.

                              But I'm assuming you are all three :-)

                              > This said, many folks operate perimeter Postfix servers with a full queue
                              > (not reverse proxies) in the DMZ. There is nothing wrong with DMZ Postfix
                              > servers, if your network architecture is more conducive to a deployment
                              > of this type.

                              Yeah. That's what I've had for a long time. Works fine, and I'd never allow an Internet connection to anything on the LAN. That's the whole purpose of the DMZ, as I understand it.

                              This suggestion was to run an SMTP reverse proxy on the firewall. I'm thinking about maybe doing that for HTTP because it'd be pretty easy to filter based on what would be legit HTML requests, but not for much else.

                              Thanks for the info...

                              --
                              Glenn English
                              ghe@...