On Tue, 2004-02-17 at 11:12, elemint@hotpop.com wrote:
> I want to install a Linux email gateway in front of our Lotus Notes
> email server.
>
> While most of the users are internal some of them are external and use
> pop to download email and SMTP to send email from home using the Lotus
> Notes server as the SMTP server.
>
> If the email gateway is placed in front of Lotus Notes server to send
> and receive email via pop would there be any foreseeable problems?
> Basically they connect to the email gateway their password is checked
> and if good then they can download email via pop or send email via
> smtp.
---
If the 'email gateway' as you describe it were in front of the Lotus
Notes server, they wouldn't reach the Lotus Notes server to get pop mail
unless you forwarded - in which case, it wouldn't have an impact.
---
>
> This email gateway is going to be for smtp messages sent to our domain
> and we want to use it for users checking via pop and sending messages
> via smtp.
>
> Can a Linux email gateway be prompted to only allow through email once
> they have authenticated via pop or to prompt for a username and password
> and it could use the same username and password they are using for pop.
---
I would suppose that this email gateway can be configured to do most
anything that you want it to do - provided that you either write the
code or adopt other people's code.
POP before SMTP is the phrase that I think of when reading your
questions and that is somewhat out of vogue as a method of securing
email - it's not very effective. In fact, I have stopped allowing remote
users access to pop3/imap altogether and simply provide web mail access
for them. This allows me to enforce SSL connections for remote users.
Yes, you can generate certificates and require pop3s and imaps
connections from remote hosts but the thought of having to support that
for remote users is just too chilling.
I guess the point is that I no longer look at these things in
isolation...pop3/imap/telnet/etc. but rather look at the overall system
and have come to the conclusion that everything except that which is
essential is dropped by the firewall (instead of rejecting), and only
ports 22, 25, 80 & 443 are typically allowed in, pings are dropped too.
Everyone gets a /bin/false shell unless they need some other access, but
as a measure to make sure that I don't slip up, no plain text logins
occur through insecure (i.e. the internet) channels.
Craig
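
The policy described in the reply above (default drop rather than reject, only ports 22, 25, 80 and 443 inbound, pings dropped, /bin/false shells) can be checked mechanically. The following Python audit is an added example, not part of the original message; it assumes input in `iptables-save` and `/etc/passwd` format, and the sample data, function names and the `EXEMPT_USERS` set are constructed for illustration.

```python
import re

ALLOWED_TCP = {22, 25, 80, 443}   # inbound ports named in the message
EXEMPT_USERS = {"root"}           # assumption: accounts that do need a shell

# Constructed sample data (iptables-save and /etc/passwd formats).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/false
bob:x:1002:1002::/home/bob:/bin/bash
"""

def audit_firewall(dump, allowed=ALLOWED_TCP):
    """Return findings where an INPUT ruleset departs from the stated policy."""
    findings = []
    policy = re.search(r"^:INPUT (\S+)", dump, re.M)
    if not policy or policy.group(1) != "DROP":
        findings.append("INPUT default policy is not DROP")
    for rule in dump.splitlines():
        if not rule.startswith("-A INPUT"):
            continue
        if "-j REJECT" in rule:
            findings.append("rejects instead of dropping: " + rule)
        if "-j ACCEPT" not in rule:
            continue
        if "-p icmp" in rule and re.search(r"--icmp-type (8|echo-request)\b", rule):
            findings.append("ping accepted: " + rule)
        spec = re.search(r"--dports? ([\d,:]+)", rule)
        for item in (spec.group(1).split(",") if spec else []):
            lo, _, hi = item.partition(":")   # "a:b" is a port range
            extra = set(range(int(lo), int(hi or lo) + 1)) - allowed
            if extra:
                findings.append("unexpected port(s) %s: %s" % (sorted(extra), rule))
    return findings

def audit_shells(passwd, exempt=EXEMPT_USERS):
    """Return users outside `exempt` whose login shell is not /bin/false."""
    rows = [e.split(":") for e in passwd.splitlines()]
    return [r[0] for r in rows if len(r) == 7 and r[0] not in exempt and r[6] != "/bin/false"]
```

Negated matches (`! --dport`) and user-defined chains are not followed; the check covers plain rules appended to INPUT only.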