On 07/03/2011 09:31 PM, Pandu Poluan wrote:
> I'm just wondering...
>
> I'm implementing an email gateway using Postfix. The gateway lives as
> a VM in my ISP, and it will deliver 'accepted' emails to the company's
> email server, which lives in the DMZ. The email server's port is
> shifted to a non-25 external port number.
>
> So far so good. However, a port scanner might still be able to detect
> which port is open and attempt deliveries there.
>
> So, the question: Is it possible to configure the system in some way
> so that Postfix will first perform port knocking before attempting
> delivery to the internal mail server?
>
> If that is not possible, what solution would you recommend to 'harden'
> the non-25 mail port?

What defines an "accepted" email? If they will all be coming from one or
more pre-defined hosts, just add them to mynetworks:

mynetworks = <whoever is allowed to send mail to you>
smtpd_recipient_restrictions = permit_mynetworks, reject

If they could be coming from anywhere, you can either configure SASL
(easier) or certificate-based authentication (harder). I suppose you
could set up a VPN that lands them within $mynetworks, too.
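As an added example that is not part of the original thread, this is what the reply's recommendation could look like in the internal (DMZ) server's main.cf, with the SASL and client-certificate alternatives alongside. The gateway address 203.0.113.10, the listener port 2525, the hostnames and the map paths are assumptions.

```ini
# /etc/postfix/main.cf on the internal mail server (added example, not from
# the thread). Addresses, port and file paths below are assumed values.

# The non-25 listener itself lives in master.cf, e.g.:
#   2525      inet  n       -       n       -       -       smtpd
# Moving the port hides nothing from a scanner; access control does the work.

# Only the gateway VM may hand mail to this server. permit_mynetworks trusts
# every address listed here, so keep the list to the gateway, not the DMZ subnet.
mynetworks = 127.0.0.0/8, [::1]/128, 203.0.113.10/32

# First match wins; the trailing "reject" is the answer for every client
# that permit_mynetworks did not match (anything a port scan turns up).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject

# Alternative from the reply ("SASL, easier"): the gateway authenticates.
# Needs a SASL backend (Cyrus or Dovecot) wired up; credentials go only over TLS.
#smtpd_sasl_auth_enable = yes
#smtpd_tls_security_level = encrypt
#smtpd_tls_auth_only = yes
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    permit_sasl_authenticated,
#    reject

# Alternative from the reply ("certificate-based, harder"): trust the
# fingerprint of the gateway's TLS client certificate listed in relay_clientcerts.
#smtpd_tls_security_level = may
#smtpd_tls_ask_ccert = yes
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts
#smtpd_recipient_restrictions =
#    permit_mynetworks,
#    permit_tls_clientcerts,
#    reject
```

After reloading, a session from any address outside mynetworks should get a 554 at RCPT TO, which is the check that the port is actually closed to strangers even though it answers on 2525.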