Re: [exim] infrastructure design and security

On Sat, 2004-09-11 at 15:35 +0200, wrote:
> 2. Since machines in the outer DMZ can be potentially hacked, putting
> the virus scanner there instead of the inner DMZ, seems risky to my
> friend. Because if the virus scanner on the exim machine gets hacked, it
> can be manipulated to never detect any virus, and then he would have no
> protection against email-borne viri.

there is no reason you can't set up virus checking both in DMZ and
internally.

I once set up a system where the server running in DMZ simply put the
accepted messages into an UUCP queue. the internal server ran UUCP over
ssh to DMZ to pick up (and submit) new messages once a minute. this
means we could block _all_ inbound connections to the internal server,
everything was initiated from the inside.

the main issue is keeping the mail address lists up-to-date in DMZ.
this can be done using periodic rsync over ssh or similar.

in such a system you would of course block ssh to DMZ from other hosts
than the internal hosts.

> Still, judging from reading the list, it seems that the concept of
> running exim plus sa and clamav on one box accessible from the big bad
> internet seems a common approach.

yes, all my servers are fully accessible. if you can't trust your
software without a firewall protecting it, you really shouldn't be
running the software :-).

> How do you guys address my friend's concerns? What countermeasures do you take?

I and my colleagues follow security announcement lists and take action
when required.

> Is anybody aware of an exploit of exim?

of course not, they would be fixed within hours. there was a potential
security leak in Exim a few months ago (you could make it crash from
external systems), but I never heard of anybody actually finding a way
of exploiting it.

--
Kjetil T.