| 1 |
On 07/03/2011 09:31 PM, Pandu Poluan wrote: |
| 2 |
> I'm just wondering... |
| 3 |
> |
| 4 |
> I'm implementing an email gateway using postfix. The gateway lives as |
| 5 |
> a VM in my ISP, and it will deliver 'accepted' emails to the company's |
| 6 |
> email server which lives in the DMZ. The email server's port is |
| 7 |
> shifted to a non-25 external port number. |
| 8 |
> |
| 9 |
> So far so good. However, a portscanner might still be able to detect |
| 10 |
> which port is open and attempt deliveries there. |
| 11 |
> |
| 12 |
> So, the question: Is it possible to configure the system in some way |
| 13 |
> so that Postfix will first perform a portknocking before attempting |
| 14 |
> delivery to the internal mail server? |
| 15 |
> |
| 16 |
> If that is not possible, what solution would you recommend to 'harden' |
| 17 |
> the non-25 mail port? |
| 18 |
|
| 19 |
What defines an "accepted" email? If they will all be coming from one or |
| 20 |
more pre-defined hosts, just add them to mynetworks: |
| 21 |
|
| 22 |
mynetworks = <whoever is allowed to send mail to you> |
| 23 |
smtpd_recipient_restrictions = permit_mynetworks, reject |
| 24 |
|
| 25 |
If they could be coming from anywhere, you can either configure SASL |
| 26 |
(easier) or certificate-based authentication (harder). I suppose you |
| 27 |
could set up a VPN that lands them within $mynetworks, too. |
Archives