Re: [squid-users] Sendmail behind SQUID is it possible ?

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Wed, 04 Apr 2001 10:40:34 +0200

At 01:52 AM 4/4/01 +0530, senthil wrote:
>Hi all
>
>I want to put a mail server behind the firewall system which is also running
>SQUID. My doubt is that my router which is configured to forward all the
>traffic coming for my IP address of my WAN port to one particular IP address
>in my lan. Like for example what ever request comes for 203.xxx.xxx.12 will
>be translated to 192.xxx.x.3. Now I sould use IP masquerading in my firewall
>to give my Mail server access to the out side world.But what about the
>incoming traffic will it be able to flow inside my lan only to the
>particular IP address in my Lan. Is there any changes to be made in my SQUID
>configuration or not.

First sendmail and Squid should be treated independently. Squid will not
use the masquerading because this is working as a proxy service on your
firewall. I have strong doubts about this approach though because Squid is
*NOT* a trusted application suitable for a firewall (although it is not
easy to misuse it, it can be done). What you need to do if you want to
support also SMTP is to add a SMTP tunnel or better a SMTP proxy in your
firewall. Start looking at the TIS firewall toolkit. This has a good
implementation of a trustworthy SMTP proxy. I suggest you also move Squid
away from the firewall and install it on a separate machine and let the
firewall be a firewall. Installing large beasts on a firewall is generally
bad practice. If you look at genuine firewall proxies they are pretty slim.
That means that it is easy(er) to prove that they are without security
flaws. A large code-base (like Squid and Senmail) is difficult.

I suggest you approach the firewall thing in a few steps:

1) Do any filtering on IP,UDP and TCP on the device that is best suited for
this purpose. The router.
2) Maintain strict access controls to your servers.
3) Be very sure that your servers are secure. A firewall does not help much
if the services on your servers can be mis-used. (I have an E-mail Trojan
concept that will get access to systems trough almost all firewalls)
4) If you still have to, add a good firewall that you understand/trust.
5) Never forget to install logging tools on your router, firewall and
servers that log on an isolated 99.999% safe server (read no other
services) that stores the logs for a long time.
6) Read the logs and assess what is happening (build scripts to help you)
7) Finally assess your security policy regularly and update security if needed.

>This mail may seam annoying to lot of you people but I have a difficult
>situation to handle so I request the kind hearted people to help me out of
>this situation. If there is any HOW TO pages for these kind of situations
>please can u tell me ?
>
>
>thanx in advance
>
>Senthil Marian

--------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
Tel: +31 70 3142454
E-mail: marc.van.selm@nc3a.nato.int (PGP capable)
--------------------------------------------------------------------
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
Received on Wed Apr 04 2001 - 02:40:37 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:59:08 MST