[CentOS] Kind of OT: internal imap server

Tue Aug 22 15:20:46 UTC 2006
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Kanwar Ranbir Sandhu <m3freak at rogers.com>:

> 1. Should I just leave mail storage on the same box in the DMZ?
> 2. If the answer to 1 is no, what's the best way to get mail from the
> SMTP server in the DMZ to an IMAP server in the internal network?
> Here's what I've briefly considered:

The decision on having mail storage in the DMZ or not is up to you and
depends on your actual needs and security considerations (how
sensitive the content of the emails is, and how disciplined the user
population and/or 3rd parties are in using encryption, is just one thing to
think about).  I've read a previous response saying something along
the lines of "if emails are sensitive, encrypt them".  Easy to say and
explain to the tech person.  Try it with non-tech people who don't
even work at your company (since those would be emails stored on your
server).

If you decide you want storage inside, here are a couple of tips.  Note
that I'm mostly a sendmail guy, so you'll have to find the postfix
equivalents yourself.  Generally, I'd use SMTP to get emails from the DMZ
into the internal network.  Not a big fan of fetchmail for this kind of
stuff.  Fetchmail is a nice tool for individual users.  But not for this
kind of stuff.

In the DMZ, make sure you accept email only for existing email
addresses.  Any rejections you make, you want to make on your border
mail server.  This includes non-existing email addresses, as well as
rejecting spam and virus infected messages.  It will also save you
some bandwidth, since (a) the body of the message is not transmitted
(non-existing users case) and (b) your border mail server doesn't need
to generate delivery notifications.

You can do this in many ways.  At least with sendmail.  I'll describe  
some.  I'm not saying they are the best.  It all depends on your local  
configuration and preferences.

For example, you can configure the border system to accept email for
foobar.com.  Then use virtusertable to map to some internal address
so mails get pushed to the inside:

user@foobar.com   user@internal.foobar.com
@foobar.com       error:nouser No such user here

Note that this will be rewriting the envelope address, the one users don't
see.  The addresses in To/Cc/whatever headers remain as they were.

On the inside system, you'd configure it to accept email for
foobar.com and internal.foobar.com.  This is to avoid sending internal
mail to the DMZ, and then having it come back inside.  Then you can use
virtusertable again (optional) to map addresses to user mailboxes:

user@foobar.com           user
user@internal.foobar.com  user
@foobar.com               error:nouser No such user here
@internal.foobar.com      error:nouser No such user here

Another, maybe simpler, way to do it would be using LDAP mail routing.
I've no idea if postfix can do this.  That way, all the information
needed for mail delivery is centralized in one place, and you don't
need to keep information on what email addresses exist and what
mailboxes they correspond to on both internal and external server.

Basically, you'd use LDAP to store information on where the heck the user's
mailbox is.  You would set the mailHost attribute to point to your
internal email server.  You would not set the mailRoutingAddress
attribute.  This would cause your external mail server to forward all
email for existing email addresses to the internal host.  Your internal
host will figure out that mailHost points to itself, and deliver the email
to the mailbox.  So you don't need to rewrite email addresses like
when using virtusertable.  There are a lot of options when configuring
LDAP routing, so if you go that way, best is to first read and fully
understand the documentation.  Or you'll get unexpected results and will
be generally disappointed.

Now, the remaining problem is, what to do for people who want to
access their email from outside.  You probably don't want to allow
direct POP3/IMAP connections from outside to your internal mail
server.  You may consider several options here.  Webmail would be a very
nice approach in many cases.  If you have lots of roaming laptop users
that insist on using their favorite email client from home or when on the
road, you might consider setting up a VPN for them.  It kind of adds to the
complexity.  Especially if you don't need the VPN for other stuff.  On the
other hand, if you already have a VPN, then you have the solution for
accessing email from outside, right?  Another solution might be
setting up an IMAP proxy in the DMZ.  But it is almost the same as allowing direct
connections from the outside.  So I'd leave it as a last resort.

It's kind of a long answer.  Just giving you a couple of hints.  In the
end, you might find some solution that better fits your needs.  But at
least it will give you a couple of ideas to explore.

-- 
NOTICE: If you are not intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season.  For more info, visit http://www.8-P.ca/
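The two routing schemes in the reply above (a virtusertable on each hop that rewrites the envelope recipient and rejects unknown users at the border, and LDAP routing where mailHost decides the next hop without any rewriting), as an added example that is not part of the original post and not sendmail or the poster's configuration. The tables, host names (mx.foobar.com, mail.internal.foobar.com) and directory records are constructed for the example; the lookup order is a simplification of sendmail's (exact address first, then the @domain catch-all), and the SMTP reply texts are illustrative.

```python
"""Simulation of DMZ-to-internal mail routing with virtusertable and with
LDAP mailHost routing.  Constructed example, not sendmail: the tables and
directory below are made up, and the lookup order is simplified to
'exact address, then @domain catch-all'."""
from dataclasses import dataclass

# Border (DMZ) host: accept only known addresses, rewrite the envelope
# recipient to the internal host, reject everything else at RCPT TO.
BORDER_VIRTUSERTABLE = """
user@foobar.com    user@internal.foobar.com
alice@foobar.com   alice@internal.foobar.com
@foobar.com        error:nouser No such user here
"""

# Internal host: accepts both domains so internal mail never loops via the DMZ.
INTERNAL_VIRTUSERTABLE = """
user@foobar.com            user
user@internal.foobar.com   user
alice@foobar.com           alice
alice@internal.foobar.com  alice
@foobar.com                error:nouser No such user here
@internal.foobar.com       error:nouser No such user here
"""


@dataclass(frozen=True)
class Decision:
    host: str    # which MTA decided
    action: str  # "reject", "relay" or "deliver"
    detail: str  # SMTP reply, next-hop address/host, or local mailbox


def parse_virtusertable(text):
    """Parse 'key<whitespace>value' lines, skipping blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value
    return table


def virtuser_decide(host, table, rcpt):
    """Apply one hop's virtusertable to an envelope recipient."""
    rcpt = rcpt.lower()
    domain = "@" + rcpt.rpartition("@")[2]
    value = table.get(rcpt, table.get(domain))  # exact entry beats catch-all
    if value is None:
        # Not a domain this host handles at all: refuse rather than relay.
        return Decision(host, "reject", "550 5.7.1 Relaying denied")
    if value.startswith("error:nouser"):
        # Refused at RCPT TO: no body is transferred and no bounce is
        # generated by us, which is why the post wants this on the border.
        return Decision(host, "reject", "550 5.1.1 " + value.split(None, 1)[1])
    if "@" in value:
        return Decision(host, "relay", value)  # rewritten envelope recipient
    return Decision(host, "deliver", value)    # local mailbox


def route_virtuser(rcpt):
    """Follow one recipient from the border host to the internal mailbox."""
    border = virtuser_decide("border", parse_virtusertable(BORDER_VIRTUSERTABLE), rcpt)
    if border.action != "relay":
        return [border]
    internal = virtuser_decide("internal", parse_virtusertable(INTERNAL_VIRTUSERTABLE), border.detail)
    return [border, internal]


# Constructed directory records in the spirit of inetLocalMailRecipient:
# mailHost names the internal server; mailRoutingAddress is deliberately absent.
DIRECTORY = {
    "user@foobar.com":  {"mailHost": "mail.internal.foobar.com", "mailbox": "user"},
    "alice@foobar.com": {"mailHost": "mail.internal.foobar.com", "mailbox": "alice"},
}


def ldap_decide(host, myname, rcpt):
    """One hop's LDAP-routing decision: relay to mailHost unless mailHost is us."""
    entry = DIRECTORY.get(rcpt.lower())
    if entry is None:
        return Decision(host, "reject", "550 5.1.1 User unknown")
    if "mailRoutingAddress" in entry:
        return Decision(host, "relay", entry["mailRoutingAddress"])
    if entry["mailHost"] != myname:
        return Decision(host, "relay", entry["mailHost"])  # address unchanged
    return Decision(host, "deliver", entry["mailbox"])


def route_ldap(rcpt):
    """Same two hops, but nothing is rewritten: both hosts read the directory."""
    border = ldap_decide("border", "mx.foobar.com", rcpt)
    if border.action != "relay":
        return [border]
    return [border, ldap_decide("internal", "mail.internal.foobar.com", rcpt)]
```

Calling `route_virtuser("nobody@foobar.com")` stops at the border with a single reject decision, which is the property the post is after: the unknown recipient is refused before DATA, so the border neither stores the message nor generates a delivery notification. `route_ldap` reaches the same mailbox for a known user without any envelope rewriting, because the internal host recognises mailHost as itself.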