[Mailman-Users] mailman installation with DMZ

Brad Knowles brad at shub-internet.org
Sun Jun 24 06:56:43 CEST 2007

On 6/23/07, Nick Airey wrote:

>  Any thoughts would be much appreciated. I'm leaning towards switching
>  to option (b), but I'm not sure exactly how to split the installation.

The reality is that there is no one single "Best Practice" for this 
situation.  What is Best Practice for your site might be considered 
totally unacceptable somewhere else.

For example, the Mailman code is written in such a way as to be as 
robust as it can be in the face of whatever potential additional 
problems using NFS might present.  So, in theory, putting all of 
Mailman on NFS should "just work".

But I know plenty of people who would run screaming in terror at the 
thought of running NFS in their DMZ.  If that works for you, then you 
should be okay.  But other sites might feel differently.

My personal suggestion would be to have a minimal MTA+Mailman+web 
server on the machine in the DMZ, and tightly control the inputs and 
outputs from the machine in both directions, perhaps with a front-end 
web proxy that is appropriately secured, an application-level gateway 
filter for the incoming and outgoing mail, etc.

But just because that's my personal preference doesn't necessarily 
make that a "Best Practice" that should be implemented everywhere -- 
other sites might prefer the NFS solution, or maybe something else.

Brad Knowles <brad at shub-internet.org>, Consultant & Author
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
Slides from Invited Talks: <http://tinyurl.com/tj6q4>

