Internal vs external email

Gabriel Gunderson gabe at gundy.org
Wed Jan 25 20:34:51 MST 2006


On Wed, 2006-01-25 at 18:02 -0700, Stephen Smith wrote:
> I'm running a helpdesk application that uses email for notification.  
> However, the company does not want all users to have email or internet
> access outside of the private net (too much time wasted on
> non-business activities). 
Your mail and web traffic problems should be addressed individually.
The only way to handle them together requires that your firewall filter
based on the IP address of the inside host.  While that is certainly
possible, most people would feel like it's inadequate and not very
flexible.  What if your user hops on another PC?  How do you keep them
from wasting time on web-based email like Gmail or Hotmail?  How do you
allow them to check the web during lunch or after hours?

> I've been toying with the idea of a second firewall that isolates the 
> external email server from the internal users, then using iptables to 
> block access beyond the firewall for all unauthorized users.  But, I'm
> not sure how to set up an internal mail server to handle replies to
> both internal emails and external emails for authorized users.  Don't
> know if it is even possible.
Set up a Postfix mail server that acts as a transport to the existing
(and now internal) mail server.  Create maps that allow certain users to
send and receive mail out the gateway and leave the mail server inside
wide open so the internal users can email each other.

Firewalls are too low-level to know or care about who is sending mail on
port 25.  That stuff rises to the SMTP level.  So don't forward port 25.
Answer on that port and forward the actual mail (based on your maps) to
your internal server.

> Is there a way of setting up an internal mail server to support 
> inter-office messaging and our helpdesk app yet allow selected users
> to forward email to the company email server for delivery to/ receipt
> from the net?  External use should be transparent to those users that
> need it.
See above.  It fixes the problem but by adding a server on the network's
edge and pulling the existing one in.

> It would be relatively easy if there was a mail client that allowed
> the use of different outgoing mail servers on a per account basis
> rather than one for all.  Is there such a client available?
This seems like a bit of a bandage while ignoring the real problem.
Thunderbird and Evolution allow this.  I'm sure any client worth the
space it occupies on disk does also.

As for the web access control that you mentioned earlier, nothing beats
the control Squid gives you.  Like the mail deal above, if you are only
forwarding ports you have very little control.  With Squid you get
custom ACLs and RULES to your heart's content.  Add to that caching and
logging.  Now forwarding port 80 doesn't look so elegant.

Good luck and let us know what you do.

Gabe
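The gateway Gabe describes, written out as an added example that is not part of the original thread: a Postfix main.cf plus access maps on the edge box, so that only listed users may relay mail out to the Internet or receive mail from it, while everything addressed to the company domain is handed to the internal server. The domain, addresses and map file paths are assumptions.

```conf
# /etc/postfix/main.cf on the gateway (added example; the domain, addresses
# and map paths are assumptions, not values from the thread)
myhostname = gw.example.com
mydestination =
mynetworks = 127.0.0.0/8, 192.168.1.0/24
# Accept mail for the company domain and hand it to the internal server
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Internal clients get a restriction class instead of permit_mynetworks,
# so even they must pass the sender map before relaying outbound
smtpd_restriction_classes = outbound_if_allowed
outbound_if_allowed = check_sender_access hash:/etc/postfix/outbound_users, reject
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/inbound_users
    check_client_access cidr:/etc/postfix/internal_clients
    reject_unauth_destination

# /etc/postfix/transport  (run "postmap" on each hash: table after editing)
example.com    smtp:[192.168.1.5]

# /etc/postfix/internal_clients  (cidr: tables are read as-is, no postmap)
192.168.1.0/24    outbound_if_allowed

# /etc/postfix/outbound_users  -- envelope senders allowed out to the Internet
alice@example.com       OK
helpdesk@example.com    OK

# /etc/postfix/inbound_users  -- mailboxes allowed to receive from the Internet;
# the bare domain entry rejects every other local address before transport
alice@example.com       OK
helpdesk@example.com    OK
example.com             REJECT no external mail for this mailbox
```

The outbound check trusts the envelope sender, so the internal server must stop users from putting another person's address in the From line (SMTP authentication or equivalent) or the per-user policy can be sidestepped; check the gateway's mail log for the REJECT lines to confirm the maps are doing what you expect.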