Koozali.org: home of the SME Server

webmail etc behind a firewall

robw

webmail etc behind a firewall
« on: December 02, 2004, 06:56:39 AM »
Has anyone installed an SME server behind a third-party firewall? If so, what problems did you encounter? i.e. if you change the SME from gateway and server to server only, does it still provide webmail? Do you need to set up port forwarding to that server for webmail etc.? Are there any other issues?

funkusmunkus
webmail etc behind a firewall
« Reply #1 on: December 02, 2004, 10:22:39 AM »
As long as you specify that webmail can be viewed from the entire internet using https and you forward that port on the firewall to it, then it should be ok; same for other things.
I did try it, and it works just as it should.

hope that helps
cheers
.........

dalex
webmail etc behind a firewall
« Reply #2 on: December 02, 2004, 04:23:03 PM »
As funkusmunkus said, it works fine.

Actually this is the ONLY way I put SME on the internet. I use IPCOP (for complex installations with many external IPs) or SMOOTHWALL (for simple home cases).

In the beginning I was in "SERVER ONLY" mode, ALWAYS in the DMZ (orange) zone of the firewall. Over time I switched to the "SERVER-GATEWAY" mode, which is safer and more flexible. You need 2 ETH cards per server...

I put the user PCs in the "GREEN" zone (hub) together with the 1st ETH of the servers (SME and more), and the 2nd ETH of the servers (no users here) in the DMZ zone (hub).

I forward SELECTED ports only to the DMZ, like 443, which you want for https (webmail). I also use pops, imaps and smtps (ssl mail contrib). I also forward sometimes the SSH port, but NOT DIRECTLY. I use another port (491 for example) and "map it" to 22 on the server (dmz). And of course 80 (http) for public web.

I have an installation with 3 IPCOPs after the ADSL router (16 internal private IPs), hosting 3 domains, 11 servers and many many users. No problem!

I also use SME on green only. I prefer to have separate servers for web and email (forward the relevant port to the proper server). It is easier to maintain, safer, and allows a different user namespace in ftp/ssh and mail. Hardware is cheap; security/flexibility is not...

Hope I helped.

P.S. I use industrial boards from ICP for the firewall: 300 MHz Geode chip, 128 MB RAM, 3 eth, serial, flash card, usb etc...
...

robw

webmail etc behind a firewall
« Reply #3 on: December 02, 2004, 10:50:33 PM »
Great replies guys. Thanks heaps. :-D The use of the DMZ for the old public NIC makes heaps of sense and I think it's probably how I will go.

I will be doing this on the weekend so I will try to post back with my experiences to add to the knowledgebase. Thanks again.

robw

webmail etc behind a firewall
« Reply #4 on: December 06, 2004, 02:04:19 AM »
OK, I did this on Saturday more or less as dalex suggested and it worked just fine. The only difference is that the router didn't support DMZ as well as I would like, in that it just let everything through to the DMZ, so I just popped the second NIC onto the private network with a new address and used port forwarding at the router to give access to just what was required and no more. This included ports 22 (admin), 25 (SMTP), 80 (http) and 443 (https - webmail). Tested from inside and outside the network and all seems fine.

If there are any big security holes anyone can see here, please let me know.

Mumm-Ra

webmail etc behind a firewall
« Reply #5 on: December 06, 2004, 02:15:04 AM »
So is your server in the DMZ of your router at the moment?
If it is, you should be running server-gateway. It's very bad to run a server-only installation in a DMZ.

dalex
webmail etc behind a firewall
« Reply #6 on: December 06, 2004, 01:43:10 PM »
robw
Connect the router to the firewall's RED eth only. DMZ should be a 3rd zone on the firewall (a 3rd ETH nic):
|router|
   |
   | internet (red zone)
   |
|firewall|
|________|+--- DMZ (orange zone)
   |
   |
internal LAN (green zone)
IPCOP is very easy to setup.
...
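The selective forwarding dalex describes in Reply #2 and the three-zone layout in Reply #6, written out as a plain netfilter/iptables ruleset. This is an added example, not code from the thread, from IPCop/Smoothwall or from SME Server; interface names, the DMZ address of the SME server's second NIC, and the standard ports assumed for the pops/imaps/smtps services are all assumptions. It runs in dry-run mode by default and only prints the commands; applying them requires root on the firewall box and DRY_RUN=0. The point it shows is that everything not explicitly listed is dropped, which is exactly what a router's "DMZ host" setting that passes every port does not give you.

```shell
#!/bin/sh
# Added example (not from the thread, IPCop/Smoothwall or SME Server):
# iptables rules for a three-zone firewall, red = internet, green = LAN,
# orange = DMZ, forwarding only selected TCP ports from the internet to the
# SME server's DMZ-side NIC. Interface names and the DMZ address are assumed.
RED_IF="${RED_IF:-eth0}"        # assumed internet-facing interface (red)
GREEN_IF="${GREEN_IF:-eth1}"    # assumed internal LAN interface (green)
ORANGE_IF="${ORANGE_IF:-eth2}"  # assumed DMZ interface (orange)
SME_DMZ_IP="${SME_DMZ_IP:-192.168.20.10}"  # constructed address of the SME server's DMZ NIC
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands; 0 = run them (needs root)

# ipt: print the iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# forward_port EXT_PORT INT_PORT: DNAT one TCP port arriving on red to the SME
# server in the DMZ, and permit only that new flow through FORWARD. A different
# EXT_PORT gives the "map 491 to 22" arrangement from the thread.
forward_port() {
    ext="$1"
    int="$2"
    ipt -t nat -A PREROUTING -i "$RED_IF" -p tcp --dport "$ext" \
        -j DNAT --to-destination "$SME_DMZ_IP:$int"
    ipt -A FORWARD -i "$RED_IF" -o "$ORANGE_IF" -p tcp -d "$SME_DMZ_IP" \
        --dport "$int" -m conntrack --ctstate NEW -j ACCEPT
}

# fw_rules: the complete forwarding policy. Anything not listed below is
# dropped by the FORWARD policy, so adding a service means adding a line here.
fw_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # green may open connections to the DMZ and to the internet
    ipt -A FORWARD -i "$GREEN_IF" -o "$ORANGE_IF" -j ACCEPT
    ipt -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -j ACCEPT
    # the DMZ may reach the internet (outbound mail) but never initiate into green
    ipt -A FORWARD -i "$ORANGE_IF" -o "$RED_IF" -j ACCEPT
    ipt -A FORWARD -i "$ORANGE_IF" -o "$GREEN_IF" -j DROP
    ipt -t nat -A POSTROUTING -o "$RED_IF" -j MASQUERADE
    # only the services meant to be public
    forward_port 443 443   # https (webmail)
    forward_port 80 80     # http (public web)
    forward_port 25 25     # smtp
    forward_port 465 465   # smtps  (standard ports assumed for the ssl mail contrib)
    forward_port 993 993   # imaps
    forward_port 995 995   # pop3s
    forward_port 491 22    # ssh reachable only on 491 from outside, mapped to 22
}

fw_rules
```

Run it as-is to review the generated rule list; the FORWARD rule for each service matches on the post-DNAT destination (the DMZ address and internal port), because nat PREROUTING runs before the filter FORWARD chain, so port 22 is accepted only for packets that arrived on 491.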

robw

webmail etc behind a firewall
« Reply #7 on: December 10, 2004, 07:35:14 AM »
The server is running as Server Gateway. At the moment, both NICs are on the private network and I have enabled port forwarding only to the "external" NIC for the ports mentioned before. This seems to be working just fine.