[Fwd: Re: Down the MPD road]

Bob K melange at yip.org
Mon May 12 17:04:25 PDT 2003


Made a typo in the cc: line.  Coffee time, I guess.

-------- Original Message --------
Date: Mon, 12 May 2003 19:52:17 -0400
From: Bob K <melange at yip.org>
To: Michael Collette <metrol at metrol.net>
CC: freebsd.-security at freebsd.org
Subject: Re: Down the MPD road

 > I did this, and it does correct the immediate problem.  Of course, it
 > also creates a new glitchy.
 >
 > My mail server sits in the DMZ, which is of course on a different
 > subnet than the secure network.  I'm bringing in those outside users
 > directly into the secure network, as they very definitely need
 > resources from there.
 >
 > Without being able to configure routing from the secure network, those
 > users can't route to the DMZ.  In that DMZ I have pop3 and ldap
 > restricted to internal use only, while SMTP is opened up wide.  The
 > problem compounds a bit when dealing with SMTP security, which is
 > presently configured to restrict relaying to only those IPs that we own.
 >
 > So, the firewall prevents pop3 and ldap, while the mail server itself
 > restricts the relaying.  Unless the user is able to route to this
 > server via the internal network this dog just don't hunt.
 >
 > Is there perhaps some part of this I'm missing?

Workaround: Take a box inside the secure network and have it NAT mail &
LDAP connections from the MPD'd range to the mail server.  Then have
your MPD'd users use that box.

You can use ipfw+natd to do this; something like:

natd -redirect_address ma.il.ser.ver 0.0.0.0

ipfw add divert 8668 tcp from mpd.ra.ng.es/bits to int.er.nal.ip 25,110,389 in recv enet0

ipfw add divert 8668 tcp from ma.il.ser.ver 25,110,389 to int.er.nal.ip in recv enet0

If resources aren't scarce, you could even use the box that's running
mpd to do it.

(if anyone can spot problems with this aside from the accounting
difficulties, please let me know)

A better solution, methinks, would be an internal mail/ldap server in
the secure range, with the one in the DMZ doing nothing but relaying
mail to/from the internal network.

More information about the freebsd-security mailing list