
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Background: MTA and SMTP Security
|
253
into a DMZ network. Now your gateway can be isolated from both the Internet and
the internal network by a firewall (see Chapter 2).
Therefore, I recommend, even to organizations with only one email server, the addi-
tion of an SMTP gateway, even if their server already has SMTP functionality.
But what if your firewall is your FTP server, email server, etc.? Although the use of
firewalls for any service hosting is scowled upon by the truly paranoid, this is com-
mon practice for very small networks (e.g., home users with broadband Internet con-
nections). In this particular paranoiac’s opinion, DNS and SMTP can, if properly
configured, offer less exposure for a firewall than services such as HTTP.
For starters, DNS and SMTP potentially involve only indirect contact between
untrusted users and the server’s filesystem. (I say “potentially” because it’s certainly
possible, with badly written or poorly configured software, to run extremely inse-
cure DNS and SMTP services.) In addition, many DNS and SMTP servers (e.g.,
BIND and Postfix) have chroot options and run as unprivileged users. These two fea-
tures reduce the risk of either service being used to gain root access to the rest of the
system if they’re compromised in some way.
SMTP Security
There