OT: Setting up a forwarding mail domain in DMZ without pinhole.

Cowles, Steve steve at stevecowles.com
Sun Aug 22 13:28:58 UTC 2004


Sanjay Arora wrote:
> Hmmm...don't like to tamper with firewalls...reason they are there is
> that there is risk involved...don't make sense that I increase
> perceived risk even for small timeslots, just to impose what I think
> should happen.
> 
> Guess will implement mailboxes on DMZ and Green both, scripted to
> download mail from one to the other or some similar permutation. Any
> idea on how to broadly do it. Don't need to give me the installation
> details...just an idea how to set it up...Anyone?
> 
> Thanks again, Peter.
> Sanjay.

Without relaxing your security policy between dmz->green (even during a
specified timeslot), I don't see that you have much choice but to use a
program like fetchmail to pull (download) your e-mail from the DMZ server.

If I had to deal with a security policy such as yours, I would look at
configuring the DMZ mail server to store all inbound e-mail in a single
mailbox (single password vs. multiple), then use fetchmail's multi-drop
feature to retrieve e-mail from your DMZ server and then store the retrieved
e-mail in individual mailboxes on the green server. See "man fetchmail" for
examples of using multi-drop and especially the USER AUTHENTICATION AND
ENCRYPTION section for password encryption between the green server and DMZ
server. Another option might be to create an SSH tunnel between the
green->DMZ server to pull your queued e-mail.

You know, if you were willing to relax your security policy for a given
timeslot (like a cronjob), you could configure your DMZ MTA to use a
"deferred" queue, then issue an ETRN (during the cronjob) to release/deliver
your e-mail to the green server.

--Steve Cowles
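As an added illustration (not part of Steve's message), here is what the single-mailbox multi-drop scheme he describes looks like as a fetchmailrc on the green server; the hostnames, the "catchall" account, the domain names, the certificate path and the password are placeholders, and the commented ssh line corresponds to his tunnel alternative.

```fetchmailrc
# Added example fetchmailrc for the green-side fetchmail (assumed names
# throughout: dmz-mail.example.com, account "catchall", domain example.com).
# Green polls the DMZ; no dmz->green pinhole is opened.

set daemon 300                # poll the DMZ server every 5 minutes
set syslog                    # log fetch activity via syslog on the green box
set postmaster "postmaster"   # local fallback when a multidrop recipient cannot be resolved
set no bouncemail             # keep bounces on the green side instead of mailing them out

poll dmz-mail.example.com proto pop3
    localdomains example.com            # domains whose mail lands in the single DMZ mailbox
    envelope "X-Envelope-To"            # header the DMZ MTA must stamp with the real recipient
    no dns                              # do not resolve alias hosts; DMZ has no DNS view of green
    # SSH tunnel alternative: run the remote daemon over ssh instead of a mail port
    # (path to the DMZ POP/IMAP daemon is an assumption):
    #   plugin "ssh %h /usr/sbin/imapd"
    user "catchall" there with password "replace-with-real-password"
        to * here                       # '*' turns on multidrop: route by envelope header
        ssl sslcertck                   # encrypt green->DMZ and verify the DMZ server cert
        sslcertpath "/etc/fetchmail/certs"   # assumed hashed CA directory for sslcertck
        smtphost localhost              # hand each message to the green MTA for local delivery
        fetchall no keep                # take everything, then delete it from the DMZ mailbox
```

fetchmail refuses to read this file unless it is mode 0600, and multidrop routing only works if the DMZ MTA really adds the header named by `envelope`; without it fetchmail falls back to guessing recipients from To/Cc, which misroutes Bcc and list mail.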
