mailman installation with DMZ
Hi Everyone,
I would like some advice on the best way to set up a mailman installation in the presence of a DMZ, i.e., I have a webserver in the DMZ which is accessible to the public. The MTA, however, is in the safe zone.
The public needs access to the mailman web interface, implying that this should be run from the webserver in the DMZ. However the MTA in the safe zone needs to make a pipe connection to mailman, which (I assume) in turn needs access to the disk partition where the mailman files are stored. Hence mailman needs to be co-located with the MTA.
As a quick fix:
(a) I set up mailman and its web interface completely in the safe zone, and set the webserver in the DMZ to proxy URI "/mailman/*" to the internal webserver. This works, but I'm not sure if this is the ideal solution. I'm also not crazy about parts of an internal webserver being accessible to the internet.
Other possibilities I considered were:
(b) split the mailman installation, run the web part in the DMZ, accessing an NFS mounted disk on an internal machine. The MTA part of mailman, running in the safe zone, can then access the same disk and process mail as normal. Worst case scenario, if the disk mount becomes unmounted (or otherwise unwritable), the web interface is unusable. However the MTA part (sending, receiving mails) still keeps working.
(c) run mailman completely in the DMZ, and run an MTA on the DMZ, which can relay to the MTA in the safe zone for delivery. I don't really like this for a few reasons involving mail security and policy of running "minimalist" machines in the DMZ.
Any thoughts would be much appreciated. I'm leaning towards switching to option (b), but I'm not sure exactly how to split the installation.
I would also be willing to document this as a "best practice" for the mailman documentation. (I'm sure this question must come up all the time for fresh installations)
Nick
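Option (a) from the message above, written out as an added example that is not part of the original post. It assumes the DMZ web server is Apache httpd 2.4 with mod_proxy and mod_proxy_http loaded; `lists.example.org` and `mailman-int.example.internal` are placeholder host names.

```apache
# DMZ web server: forward only the Mailman URI prefix to the internal host.
# Host names below are placeholders, not values from the thread.
<VirtualHost *:80>
    ServerName lists.example.org

    # Reverse proxy only; never accept forward-proxy requests from the internet.
    ProxyRequests Off

    # Exactly one prefix is forwarded. Any other path is answered (or refused)
    # by the DMZ server itself and never reaches the internal web server.
    ProxyPass        /mailman/ http://mailman-int.example.internal/mailman/
    ProxyPassReverse /mailman/ http://mailman-int.example.internal/mailman/

    <Location "/mailman/">
        # The web interface needs only these methods; refuse everything else
        # before it is proxied inward.
        <LimitExcept GET POST HEAD>
            Require all denied
        </LimitExcept>
    </Location>
</VirtualHost>

# Pair this with a firewall rule between the zones that allows the DMZ host to
# reach only the HTTP port of mailman-int.example.internal, and an internal
# virtual host that serves nothing except the Mailman paths.
```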
On 6/23/07, Nick Airey wrote:
> Any thoughts would be much appreciated. I'm leaning towards switching to option (b), but I'm not sure exactly how to split the installation.
The reality is that there is no one single "Best Practice" for this situation. What is Best Practice for your site might be considered totally unacceptable somewhere else.
For example, the Mailman code is written in such a way as to be as robust as it can be in the face of whatever potential additional problems that using NFS might present. So, in theory, putting all of Mailman on NFS should "just work".
But I know plenty of people who would run screaming in terror at the thought of running NFS in their DMZ. If that works for you, then you should be okay. But other sites might feel differently.
My personal suggestion would be to have a minimal MTA+Mailman+web server on the machine in the DMZ, and tightly control the inputs and outputs from the machine in both directions, perhaps with a front-end web proxy that is appropriately secured, application-level gateway filter for the incoming and outgoing mail, etc.
But just because that's my personal preference doesn't necessarily make that a "Best Practice" that should be implemented everywhere -- other sites might prefer the NFS solution, or maybe something else.
--
Brad Knowles <brad@shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0