From owner-freebsd-questions Sun Aug 17 23:13:42 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA28904 for questions-outgoing; Sun, 17 Aug 1997 23:13:42 -0700 (PDT)
Received: from verdi.nethelp.no (verdi.nethelp.no [195.1.171.130]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id XAA28867 for ; Sun, 17 Aug 1997 23:13:08 -0700 (PDT)
From: sthaug@nethelp.no
Received: (qmail 3601 invoked by uid 1001); 18 Aug 1997 06:12:38 +0000 (GMT)
To: jerryk@iquest.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: sendmail on a firewall box
In-Reply-To: Your message of "Sun, 17 Aug 1997 23:04:57 -0500"
References: <33F7C9E9.167EB0E7@iquest.net>
X-Mailer: Mew version 1.05+ on Emacs 19.28.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 18 Aug 1997 08:12:38 +0200
Message-ID: <3599.871884758@verdi.nethelp.no>
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> This is probably a loaded question and I'd bet that I'll get responses
> on both sides but I'm going to ask this question anyway:
>
> 1) is it a major security hole to run sendmail on a firewall box?
>
> Okay, there, I said it. In the economy of a small business, it is not
> always practical to have several servers providing services such as
> firewalling and mail hosting. So, for my business, I want to set up a
> FreeBSD box to act as the Internet access point and provide things like
> DNS, mail hosting, NTP, and firewalling. I really don't have the dollars
> to build a separate box for the firewall although I know that security
> purists will frown and make some comments that security isn't cheap
> anyway.
>
> I just want one box that provides the services to my small LAN. I want
> that box to be the mail host for my company and also provide a
> firewall/proxy service.

Sounds like you should buy a Whistle Interjet :-) (www.whistle.com)

Anyway, given sendmail's past history I'd feel very uncomfortable with
sendmail in any sort of security-related function. Why don't you look
at qmail (www.qmail.org) instead? This was written with security in mind.

I hope by "Internet access point" you don't mean for users to actually
log in to the firewall box? This is generally considered a bad idea.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no