[Fwd: Re: Down the MPD road]

Michael Collette metrol at metrol.net
Mon May 12 18:52:27 PDT 2003 

On Monday 12 May 2003 05:07 pm, Bob K wrote:
> Made a typo in the cc: line.  Coffee time, I guess.

Oh boy, this mail had me running for the coffee pot.

>  > Is there perhaps some part of this I'm missing?
>
> Workaround: Take a box inside the secure network and have it NAT mail &
> LDAP connections from the MPD'd range to the mail server.  Then have
> your MPD'd users use that box.
>
> You can use ipfw+natd to do this; something like:
>
> natd -redirect_address ma.il.ser.ver 0.0.0.0
>
> ipfw add divert 8668 tcp from mpd.ra.ng.es/bits to int.er.nal.ip \
> 25,110,389 in recv enet0
>
> ipfw add divert 8668 tcp from ma.il.ser.ver 25,110,389 to int.er.nal.ip
> in recv enet0
>
> If resources aren't scarce, you could even use the box that's running
> mpd to do it.

It seems I've run into a false alarm.  Turns out the user's mail box on the 
server had a dinked message which wouldn't let him pull down.  Once I fixed 
the dinked message, all was well.  Even without having remote gateway 
enabled.

A bit of a concern here, as by all reasoning it shouldn't be able to hop the 
subnet without some way to route the packets.  Seems like this is the part in 
a How-To where "something magical happens" to the packets.

Your mail did get me thinking that it might work out a bit more securely to 
have mpd running in a jail either on the gateway or on a box behind.  I can 
definitely see where you're going with your suggestion, and even though it 
doesn't seem needed now, it might still be a worthwhile lockdown to look 
into.

> (if anyone can spot problems with this aside from the accounting
> difficulties, please let me know)
>
> A better solution, methinks, would be an internal mail/ldap server in
> the secure range, with the one in the DMZ doing nothing but relaying
> mail to/from the internal network.

I do have plans to do something very similar to this in the very near future.  
I was considering having pop3 running in the DMZ with fetchmail bringing in 
from there to a server in the secure network running IMAP.  SMTP would have 
to remain in the DMZ in order to get a proper reverse DNS for them pickier 
servers out there though.

If there's a more creative means for doing this I would LOVE to hear about it.  
That, or what other folks might consider best practices for placement of the 
mail server within the topography.

Thanks again for a creative idea here.

Later on,
-- 
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark 
to read."
 - Groucho Marx

More information about the freebsd-security mailing list