[Mimedefang] Locking down sendmail from behind a filtering gateway

Jan-Pieter Cornet johnpc at xs4all.nl
Wed Feb 18 06:59:13 EST 2015


On 2015-2-17 18:19 , John Von Essen wrote:
> I have two filtering gateways on a public WAN; they receive the raw
> email, filter it, then relay it to my main mail server, which also
> sits on the same WAN. All three machines are publicly accessible and
> running no firewall. For performance reasons, I'd like to not run a
> software firewall on the mail server.

Erm... what sort of "performance reason" is that? Sendmail happily forks for every incoming connection, thinking "oh joy it's another email, that's probably important so I'd better fork". Anything you do afterwards to reject the connection is going to be very costly because of the fork, no matter how you solve it.

Doing the same with iptables is practically a no-brainer for the kernel. Simply drop the SYN packet. Software firewalls do not put a big load on servers, unless you're doing something silly (e.g. do not use connection tracking; you wouldn't need to in this case).

Or as others have suggested, use rfc1918 non-routable IP space on a separate vlan interface to shield your internal mail server.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
    - Grey's Law
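As an added example (not part of Jan-Pieter's reply or of any MIMEDefang code), the stateless iptables rule set his approach implies: only SYN packets from the two gateways may open a connection to port 25, every other SYN to port 25 is dropped before sendmail gets to fork, and no connection-tracking match is used. The gateway addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders; substitute the real gateway IPs.

```shell
#!/bin/sh
# Example rule generator (not from the thread). Emits iptables-restore
# syntax so the rules can be reviewed before they are loaded.
GATEWAYS="192.0.2.10 192.0.2.11"   # constructed placeholder addresses
SMTP_PORT=25

smtp_syn_rules() {
    gws="$1"; port="$2"
    printf '%s\n' '*filter'
    # Only the handshake's SYN is inspected. Later packets of an accepted
    # connection never hit these rules, so no conntrack state is needed,
    # and nothing else in the INPUT chain is touched.
    for gw in $gws; do
        printf '%s\n' "-A INPUT -p tcp -s $gw --dport $port --syn -j ACCEPT"
    done
    # Anyone else trying to open SMTP is dropped in the kernel; sendmail
    # never sees the connection and never forks for it.
    printf '%s\n' "-A INPUT -p tcp --dport $port --syn -j DROP"
    printf '%s\n' 'COMMIT'
}

# Count the ACCEPT lines so a rule set can be sanity-checked against the
# number of gateways before loading it.
count_accepts() {
    smtp_syn_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

# Review, then load with:  smtp_syn_rules "$GATEWAYS" "$SMTP_PORT" | iptables-restore --noflush
smtp_syn_rules "$GATEWAYS" "$SMTP_PORT"
```

With `--noflush` the rules are appended to the existing INPUT chain, so the ACCEPT lines must come before the DROP, which is the order the function emits them.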
