Koozali.org: home of the SME Server

just email server?

dwater

just email server?
« on: June 11, 2005, 02:47:58 AM »
Hi,

I want to set up an email server on the internet for our organisation. I don't want any lan access, only from the internet.

Am running SME on our local network in gateway/server mode, and I like the simple web-based interface, so that is why I am thinking of SME for this too.

I want it to have POP/IMAP/SMTP *all* with SSL, and I want to disable the non-SSL services. Web mail would be good too, but only through https. The insecure services (w/o SSL) should be disabled.

Some questions:

Is SME suitable for this setup? The modes I see all assume there is a LAN. Any 'better' s/w more suitable for email only?

Do I have to have two NICs to run in this mode, even though nothing would be connected to the one associated with the LAN?

Any other concerns?

Max.

MSmith

just email server?
« Reply #1 on: June 11, 2005, 07:58:53 AM »
As for the email server part of things, that'll run fine in "server only" mode, i.e. part of your LAN.  If you receive incoming SMTP traffic, just use the email delegation on the first SME server to pass the traffic to the second, server-only machine.  If it's POP retrieval, no problem, the email server will connect through the gateway/router server.
...

dwater

just email server?
« Reply #2 on: June 11, 2005, 01:29:16 PM »
Quote from: "MSmith"
> As for the email server part of things, that'll run fine in "server only" mode, i.e. part of your LAN.  If you receive incoming SMTP traffic, just use the email delegation on the first SME server to pass the traffic to the second, server-only machine.  If it's POP retrieval, no problem, the email server will connect through the gateway/router server.


...but I don't have a LAN. This server will go straight on the internet, so I have to have some kind of firewall, and make sure there are no ports open that aren't necessary and that don't require encryption.

I'm thinking of following these instructions:

<http://www.linuxdevcenter.com/pub/a/linux/2003/09/25/advanced_mail_server.html?page=2>

since it looks like it provides exactly what I want and need, and a nice web interface too.

Max.
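
An added example, not part of the thread: one way to check the requirement stated in the post above (nothing exposed that is unnecessary or unencrypted) is to audit the server's listening TCP sockets. The port-to-service map uses the standard well-known port numbers; the `netstat -tln` text is constructed sample output, and the function names are hypothetical.

```python
# Added example: audit listening TCP sockets against a "TLS-only mail server" policy.
# Ports are the standard well-known assignments; SAMPLE is constructed, not real output.
TLS_PORTS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}
CLEARTEXT_PORTS = {25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

# Constructed sample in the column layout of `netstat -tln`
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

def exposed_ports(netstat_text):
    """Return the sorted TCP ports listening on any non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # skip headers and non-listening sockets
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only services are not reachable from outside
        ports.add(int(port))
    return sorted(ports)

def audit(netstat_text, extra_allowed=()):
    """Split exposed ports into allowed (TLS), cleartext and unexpected."""
    report = {"allowed": [], "cleartext": [], "unexpected": []}
    for port in exposed_ports(netstat_text):
        if port in TLS_PORTS or port in extra_allowed:
            report["allowed"].append(port)
        elif port in CLEARTEXT_PORTS:
            report["cleartext"].append(port)
        else:
            report["unexpected"].append(port)
    return report

if __name__ == "__main__":
    for kind, ports in audit(SAMPLE, extra_allowed=(22,)).items():
        print(f"{kind:10} {ports}")
```

Port 25 bound to a public address is reported as cleartext; a server that accepts mail from other mail hosts needs it reachable, so add it to `extra_allowed` as a deliberate exception rather than leaving it unreviewed.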

raem

Re: just email server?
« Reply #3 on: June 11, 2005, 02:50:57 PM »
dwater

> The modes I see all assume there is a LAN.

Sounds like you are meaning to use it in server/gateway mode.

SME Server is primarily designed for this type of usage, i.e. firewall and connected to a LAN.

In your case just don't plug anything into the LAN NIC.

You will save around $50 by not putting in a second NIC for the LAN to use (if there was a LAN there).
It may be useful for connecting a notebook, to do on site maintenance rather than using the text based console & server manager.

I'm not sure what happens if you don't put 2 NICs in. I have done it but wasn't concerned as I was testing only. You can swap the allocation of the NICs, so one will still probably work OK, just set it as the external NIC.

The SME Server provides a variety of services including a mail server. Just use the parts you want and don't use the other parts. You can disable services, but be careful not to shut yourself out of the box. All ports that are not being used are closed by default. If you disable other services then the respective ports will be closed.

6.0.x with add on SSL contrib will do all you are asking.
6.5RC1 has all of that built in.

You can choose any server software you prefer; you know your requirements. If SME has the feature set you require then I'm sure it will do the job securely.
...

dwater

Re: just email server?
« Reply #4 on: June 11, 2005, 03:00:11 PM »
Quote from: "RayMitchell"
> dwater
> I'm not sure what happens if you don't put 2 NICs in.


I guess that's my real question...I guess I can just try it :)

Thanks!

Max.

cc_skavenger

just email server?
« Reply #5 on: June 11, 2005, 03:49:59 PM »
If you only put in one NIC, you really can only run in server-only mode.  When in this mode, the firewall is disabled (stinks and has been raised before).  I would put some kind of router in front of the server for security's sake and port-forward ports 25 (smtp), 110 (pop), 80 (http), 443 (https), 22 (ssh) and any other ports you may need.
My mail server is set up this way; the only downfall I would warn about is using a crappy router in front of the server.

HTH

MSmith

just email server?
« Reply #6 on: June 13, 2005, 08:41:43 PM »
No firewall in server-only mode ... why does this "stink"?  It's working as designed, so there's no bug.  Server-only mode is designed to be a LAN server, not provide services to the Internet.  If you want that, there are many distributions that can be hardened for Internet-facing use, so why pick on SME for not being able to do something it wasn't designed to do?

Personally I'd be very aggravated if I had to disable a firewall in server-only mode!  It's so quick and easy to set up a fileserver using SME for a LAN, why ruin a good thing?
...

cc_skavenger

just email server?
« Reply #7 on: June 13, 2005, 10:22:26 PM »
Quote from: "MSmith"
> Personally I'd be very aggravated if I had to disable a firewall in server-only mode!  It's so quick and easy to set up a fileserver using SME for a LAN, why ruin a good thing?


This is very true.  What I guess I meant was that there was not a way to turn on a firewall when in server-only mode.  I have several installs where the WAN IP subnet needs to be local to handle mail for that subnet.  The only way I have been able to do this is to set up the server in server-only mode and stick a hardware router in front of it.  Who knows, maybe I am doing something wrong.