Install with 2 NICs

Discuss installation of Scalix software


dougp23
Posts: 229
Joined: Thu Feb 15, 2007 2:42 pm

Install with 2 NICs

Postby dougp23 » Tue Mar 06, 2007 9:24 am

I want to setup my mailserver with 2 NICs.

One internal (since 90% of the use will be internal users emailing each other on the LAN)
One external (so we can send/receive mail with the outside world)

Any ideas what my smtpd.cfg should look like? Firewall settings? RHEL4.

My internal static IP: 192.168.40.100
My external IP: 63.102.189.44 (made that up, but you get the idea!)

What if someone takes their laptop home? They would not be able to send (let's assume they are using Outlook at home too, poor soul). Can I turn SMTP Auth on for just one NIC?

Thanks.

kanderson

Postby kanderson » Tue Mar 06, 2007 11:28 am

Most people setting this up have significant difficulties as you'll see throughout this forum. If possible, I'd recommend a firewall separate from the mail server. That's best practice, as a firewall should only be a firewall.

Having said that, you'll want sendmail to listen only on Localhost. For the external side, you'll need port 25 to listen so you can receive email, which should happen automatically.

From there, it'll depend on your clients. Port 80 provides Webclient and the Management Console. You'll likely want it open on both sides. I'd recommend port 5729 be open on both sides; that allows MAPI connections for Outlook or Evolution. Port 110 is POP, port 143 is IMAP; I'm not sure if you need them or not, or on which side they should be available. Do be aware that at least port 143 will need to be listening, as the Web Client uses IMAP. This is personal choice, but I'd leave port 22 open for SSH, both internal and external.

Kev.

dougp23
Posts: 229
Joined: Thu Feb 15, 2007 2:42 pm

Postby dougp23 » Tue Mar 06, 2007 11:48 am

So Kev, are you saying to just shut off the firewall on the server?

My external static IP would be plugged into the DMZ on my Cisco PIX.

Can you point me to a few threads on this matter? I have searched the forum but maybe I'm just not grepping the right words....

Thanks.

Doug

kanderson

Postby kanderson » Tue Mar 06, 2007 12:12 pm

I'm saying that it would be far easier to have a single NIC in the server, and then forward the necessary ports straight through so that they are accessed the same from both sides. Since this makes your security footprint smaller, it's more likely that things won't be missed/forgotten/screwed up.

Is this the most secure solution possible? Perhaps not, but since you'll need most of those ports open from both internal and external, why use a second NIC? I guess I just don't see the benefit of increasing the complexity while not changing things from a security standpoint. For the firewall, with 2 NICs (3 including Localhost), the script will be far more complex (read: error prone). Additionally, troubleshooting it will be harder. And since the same ports are open for both NICs, I fail to see any benefit.

So open ports 22, 25, 80, 110, 143, 5729 on the firewall to your server. Plug it into your DMZ (or simply leave it in your LAN and forward the above ports as pinholes). Then from internal, traffic should go through the PIX to the server in your DMZ. Similarly, from external, inbound traffic should go to the server in the DMZ as well (though you may want to stop port 22 and/or others from outside).

That's easy to understand and follow, easy to set up, easy to troubleshoot. And it doesn't offer any additional points of entry as opposed to multi NIC. Since it's easier to understand, the likelihood of a mistake is smaller, and I'd argue that would probably lead to a more secure setup, as my experience has repeatedly shown that complexity breeds mistakes. Mistakes are Security's enemy.

Kev.
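
A worked illustration of the single-NIC policy described in the post above (an added example, not from the thread, from Scalix or from the poster): the six service ports are reachable from both sides, SSH (22) is restricted to the LAN as the post suggests, and the same policy is rendered as host-firewall rules so the server's own iptables script stays small. The LAN prefix is the one from the thread; the zone names, the sample addresses and the sample listener table are constructed for this example.

```python
"""
Model of the "same ports from both sides, except SSH" firewall policy.
Zone names, sample addresses and the sample listener list are constructed
for this example; only the port list and the 192.168.40.0/24 LAN come from
the thread.
"""
from ipaddress import ip_address, ip_network

# Service ports named in the thread, with what they carry.
SERVICES = {
    22: "ssh",
    25: "smtp",
    80: "http (Web Client / Management Console)",
    110: "pop3",
    143: "imap (the Web Client also uses this)",
    5729: "scalix mapi",
}

# Constructed zone definition: the LAN prefix from the thread is internal,
# anything else is treated as external (Internet / DMZ side).
INTERNAL_NETS = [ip_network("192.168.40.0/24")]

# Ports each zone may reach. Everything is open from both sides except SSH,
# which follows the "stop port 22 from outside" caveat in the post.
POLICY = {
    "internal": set(SERVICES),
    "external": set(SERVICES) - {22},
}


def zone_of(src):
    """Classify a source address as 'internal' or 'external'."""
    addr = ip_address(src)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def is_allowed(src, dport):
    """True if a TCP connection from src to dport passes the policy."""
    return dport in POLICY[zone_of(src)]


def iptables_rules(lan_net="192.168.40.0/24"):
    """Render the policy as iptables commands for the server host (returned as
    strings, not executed). Default-deny, loopback and return traffic first."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(SERVICES):
        if port in POLICY["external"]:
            lines.append(
                f"iptables -A INPUT -p tcp --dport {port} -j ACCEPT  # {SERVICES[port]}")
        else:
            lines.append(
                f"iptables -A INPUT -p tcp -s {lan_net} --dport {port} -j ACCEPT"
                f"  # {SERVICES[port]}, LAN only")
    return lines


def unexpected_listeners(listeners):
    """Given (bind_address, port) pairs as you would read them off
    `netstat -ltn`, return ports bound to a non-loopback address that the
    policy never meant to expose. Loopback-only binds (the sendmail case in
    the thread) are fine and are ignored."""
    return sorted(port for addr, port in listeners
                  if not ip_address(addr).is_loopback and port not in SERVICES)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    # Constructed listener table: SMTP on all interfaces, a database on
    # loopback only, and a stray web port that should not be there.
    sample = [("0.0.0.0", 25), ("127.0.0.1", 3306), ("0.0.0.0", 8080)]
    print("unexpected listeners:", unexpected_listeners(sample))
```

The last function is the check that makes the single-NIC argument hold in practice: the policy only helps if nothing else on the box is listening on the interface the firewall exposes, so compare the live listener table against the intended service list whenever a package is added.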

dougp23
Posts: 229
Joined: Thu Feb 15, 2007 2:42 pm

Postby dougp23 » Tue Mar 06, 2007 1:55 pm

Kev,

Thanks for the input. I see your point.

I was just thinking (and now that I think a bit more, I realize it's kind of erroneous) that if I only have one NIC, and it's (let's say) 67.78.99.23 on my DMZ, then all my internal people (192.168.x.x) would have to go to the Internet to hit my mail server. But since the PIX is the default gateway, traffic would hit there, the PIX would know the address is on the DMZ, and just send it there.

I agree, complexity Kills!!

Thanks.

