From: Bob K
Date: Mon, 12 May 2003 20:07:02 -0400
To: freebsd-security@freebsd.org
Subject: [Fwd: Re: Down the MPD road]
List-Id: Security issues [members-only posting]

Made a typo in the cc: line. Coffee time, I guess.

-------- Original Message --------
Date: Mon, 12 May 2003 19:52:17 -0400
From: Bob K
To: Michael Collette
CC: freebsd.-security@freebsd.org
Subject: Re: Down the MPD road

> I did this, and it does correct the immediate problem. Of course, it
> also creates a new glitchy.
>
> My mail server sits in the DMZ, which is of course on a different
> subnet than the secure network. I'm bringing in those outside users
> directly into the secure network, as they very definitely need
> resources from there.
>
> Without being able to configure routing from the secure network, those
> users can't route to the DMZ. In that DMZ I have pop3 and ldap
> restricted to internal use only, while SMTP is opened up wide. The
> problem compounds a bit when dealing with SMTP securities which is
> presently configured to restrict relaying to only those IPs that we
> own.
>
> So, the firewall prevents pop3 and ldap, while the mail server itself
> restricts the relaying. Unless the user is able to route to this
> server via the internal network this dog just don't hunt.
>
> Is there perhaps some part of this I'm missing?

Workaround: Take a box inside the secure network and have it NAT mail &
LDAP connections from the MPD'd range to the mail server. Then have your
MPD'd users use that box. You can use ipfw+natd to do this; something
like:

    # natd on its default divert port (8668), redirecting the diverted
    # connections to the mail server
    natd -redirect_address ma.il.ser.ver 0.0.0.0
    # hand MPD-range connections to this box on smtp/pop3/ldap to natd
    ipfw add divert 8668 tcp from mpd.ra.ng.es/bits to int.er.nal.ip \
        25,110,389 in recv enet0
    # and the mail server's replies, so natd can un-translate them
    ipfw add divert 8668 tcp from ma.il.ser.ver 25,110,389 to int.er.nal.ip \
        in recv enet0

If resources aren't scarce, you could even use the box that's running mpd
to do it. (if anyone can spot problems with this aside from the
accounting difficulties, please let me know)

A better solution, methinks, would be an internal mail/ldap server in
the secure range, with the one in the DMZ doing nothing but relaying
mail to/from the internal network.
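Why the NAT hop satisfies the mail server's IP-based relay and pop3/ldap checks (and where the accounting cost comes from), modelled as an added example that is not code from the original mail; every address, range and the server policy below is an assumed placeholder:

```python
"""Added example, not from the original mail: a model of why the ipfw+natd
workaround satisfies the DMZ mail server's IP-based checks. All addresses,
ranges and the server policy are constructed placeholders."""
from ipaddress import ip_address, ip_network

MPD_RANGE = ip_network("10.10.10.0/24")  # assumed: range MPD hands to users
USER = ip_address("10.10.10.7")          # assumed: one dialled-in MPD user
INT_IP = ip_address("10.0.0.5")          # assumed: NAT box's inside address
MAIL_SRV = ip_address("192.168.1.10")    # assumed: DMZ mail/LDAP server
INTERNAL = ip_network("10.0.0.0/24")     # assumed: the secure subnet
OWNED = [INTERNAL, ip_network("192.168.1.0/24")]  # assumed: IPs "we own"
DIVERT_PORTS = {25, 110, 389}            # ports the divert rules match


def mail_server_accepts(src, port):
    """The DMZ server's own policy as described in the thread: relay SMTP
    only from owned IPs, serve POP3/LDAP only to the internal subnet."""
    if port == 25:
        return any(src in net for net in OWNED)
    if port in (110, 389):
        return src in INTERNAL
    return False


def nat_box(src, dst, port):
    """Model of the divert rule plus natd -redirect_address on the inside
    box: only TCP from the MPD range to INT_IP on the listed ports is
    rewritten. Returns the (src, dst) the mail server sees, else None."""
    if src in MPD_RANGE and dst == INT_IP and port in DIVERT_PORTS:
        return INT_IP, MAIL_SRV  # the user now appears as the NAT box itself
    return None


def reaches_mail(src, dst, port):
    """Does a TCP connection from src to dst:port get served by the mail
    server, either by talking to it directly or through the NAT box?"""
    if dst == MAIL_SRV:
        return mail_server_accepts(src, port)
    translated = nat_box(src, dst, port)
    if translated is None:
        return False
    seen_src, _ = translated
    # The accounting cost: the server logs seen_src, not the real user.
    return mail_server_accepts(seen_src, port)
```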