[PLUG] Re: [eug-lug]Spam Filtering With Remote Access
Cooper Stevenson
cooper at cooper.stevenson.name
Fri Jul 18 10:45:03 UTC 2003
This:
"I simply will configure "plain text" communication..."
Should have read:
"I simply will not configure "plain text" communication..."
-Cooper
> On Fri, Jul 18, 2003 at 09:45:37AM -0700, Cooper Stevenson wrote:
> > The Goal: build a server that will effectively filter spam, deliver
> > email, and provide convenient remote access to corporate data. The
> > server may or may not be behind a firewall, so security is of primary
> > importance.
> > The Solution:
> >
> > Postfix + Spamassassin + UW IMAP + Samba + Apache Web Server +
> > SquirrelMail
> Without another firewall, the server itself should be the firewall by
> compiling in netfilter. Netfilter should be here in order to block
> ports that are not allowed open, even if the daemon needs to be running.
>
> > This configuration allows business travelers and office workers alike
> > the ability to access their email and server file shares from anywhere
> > on the Internet, including their homes. Please refer to the following
> > links:
> Accessing a samba share across the internet is not secure. Since you
> mention it may not be behind a firewall, this means samba is available
> to the internet. Bad idea. This is because LM and NTLM are not secure.
> The former is easily crackable and both are replayable. I would not
> implement this over the public internet if I were you. NTLMv2 which
> uses 128-bit encryption and negotiated keys should be required and all
> lesser protocols refused. This means specially configuring each win9x
> client to support ntlmv2 (installing new patches) and configuring nt/2k
> clients to only send ntlmv2 and configuring samba to use only ntlmv2.
> However Samba 2.2.8a does not support it yet! Therefore you cannot do
> this securely.
>
> If you want remote clients to access samba remotely then freeswan
> should be compiled into the kernel as well and each client should have
> an ipsec client. These come with windows 2000, but for home cable users
> a linksys that supports ipsec is excellent. Also accessing windows
> shares across 256kb or less is too slow to be practical. Remote access
> like vnc is much better for accessing browsable windows shares.
>
> Next netfilter is used in conjunction with the vpn so that only packets
> authenticated by ipsec are allowed to samba services. Otherwise it
> is perhaps just a mail/imap/web server.
>
> > using SpamAssassin. Now, while the 'images' directory is a sub-folder
> > under my home directory, there is absolutely no reason why this could
> > not be a Samba share pointing to a remote Linux or NT server. This means
> > in effect that business travelers can access their email and files
> > centrally through their email client. Doing so negates the need for a
> > VPN within the scope of these accesses. The user need know only how to
> > set their account up through their email client. Security is handled via
> > Secure Socket Layer (SSL).
> This is true, relying on imap/ssl could provide secure remote access
> without a vpn, however only with imap minus ssl disabled.
>
> > While totally conjecture at this point, I see no reason why the web
> > server and the mail server need be on the same computer.
> No longer is it conjecture, I've done it. It is not necessary for them
> to be the same machine with the applications you have suggested. In
> fact nearly all of the applications can reliably be on separate servers
> with the exception of apache+squirrelmail and postfix+imapd. The rest
> of it looks good.
>
> > I can build, install, and document these and other servers at your
> > facility if you are interested.
> So is this a question or an ad?
>
> Cory
--
--------------------------------------------------------------
| Cooper Stevenson | Em: cooper at cooper.stevenson.name |
| Open Source Consultant | Ph: 541.924.9434 |
--------------------------------------------------------------
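Added example (not from either poster): a minimal netfilter ruleset for the single mail/web/Samba host Cory describes, written as a POSIX shell script. It assumes the public interface is eth0, that FreeS/WAN terminates the tunnel on this box and presents decrypted traffic on a virtual interface (assumed name ipsec0, the KLIPS convention), and it defaults to a dry run that only prints the iptables commands; set IPT=iptables to apply them. Port 143 (plain IMAP) is left closed on purpose, matching the point that IMAP/SSL only buys security if unencrypted IMAP is disabled, and SMB ports are accepted only on the IPsec interface.

```shell
#!/bin/sh
# Added example: netfilter policy for a public mail/web host whose Samba
# shares are reachable only through IPsec. Interface names are assumptions.
IPT="${IPT:-echo iptables}"        # dry run by default; IPT=iptables to apply
PUB_IF="${PUB_IF:-eth0}"           # assumed public interface
IPSEC_IF="${IPSEC_IF:-ipsec0}"     # assumed FreeS/WAN (KLIPS) virtual interface

# Default-deny inbound; keep loopback and replies to our own connections.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Services the thread keeps public: SMTP, IMAP over SSL, HTTPS (SquirrelMail).
# Plain IMAP (143) is deliberately not opened.
public_services() {
    for port in 25 993 443; do
        $IPT -A INPUT -i "$PUB_IF" -p tcp --dport "$port" -j ACCEPT
    done
}

# The IPsec transport itself must reach the public interface: IKE and ESP.
ipsec_transport() {
    $IPT -A INPUT -i "$PUB_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$PUB_IF" -p 50 -j ACCEPT
}

# SMB/CIFS only from packets that arrived through the tunnel; the same ports
# are explicitly dropped on the public side so the intent survives rule edits.
samba_via_ipsec() {
    for port in 137 138; do
        $IPT -A INPUT -i "$IPSEC_IF" -p udp --dport "$port" -j ACCEPT
    done
    for port in 139 445; do
        $IPT -A INPUT -i "$IPSEC_IF" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$PUB_IF" -p udp --dport 137:138 -j DROP
    $IPT -A INPUT -i "$PUB_IF" -p tcp --dport 139 -j DROP
    $IPT -A INPUT -i "$PUB_IF" -p tcp --dport 445 -j DROP
}

# Assemble the ruleset; the final LOG rule records what the DROP policy eats.
build_rules() {
    base_policy
    public_services
    ipsec_transport
    samba_via_ipsec
    $IPT -A INPUT -j LOG --log-prefix "fw-drop: "
}

build_rules
```

On a kernel whose IPsec stack does not use a separate ipsec0 interface, the same intent is expressed with the policy match instead of `-i ipsec0`, i.e. `-m policy --dir in --pol ipsec` on the SMB accept rules.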