
Kerio Mailserver on LAN exposed to WWW?
Nixs

Messages: 159
Karma: 0
I'm the firewall guy. We were looking at Exchange with OWA in the DMZ. Now we are looking at Kerio.

My security training tells me that all Internet facing machines should be in the DMZ with Firewall rules limiting access both to the LAN and the WWW. Kerio->Lan would be restricted to port 389 to the AD servers for LDAP lookup, and the LDAP user would have read only rights. Kerio would send e-mail to the SMTP server in the DMZ. The LAN and WWW would have IMAPS and HTTPS access to the server.

My folks that want to set this up want it on a Windows 2003 server on the LAN & a member of the domain (AD), with port 443 exposed to the Internet. That doesn't seem like a good idea to me. I am aware of numerous vague vulnerabilities in the webmail piece over the years, as well as TCP/IP & SSL vulnerabilities in Windows itself.

Does Kerio not have some sort of proxy piece for the DMZ? Are others really exposing themselves this way? Or are folks putting the entire server in the DMZ as my training tells me should be done?

Thanks!
willowsv

Messages: 119
Karma: 0
Our server is Firewalled along with every other machine on the network.

All machines have no restrictions on outgoing ports, but all incoming ports are blocked.

You only need to forward the ports you need to the Mail Server to ensure operation.

Default http/https/imap/smtp/pop etc. should be all you need; for every service you activate, forward a port.
winkelman

Messages: 2119
Karma: 3
willowsv wrote on Mon, 06 November 2006 18:08

Our server is Firewalled along with every other machine on the network.

You only need to forward the ports you need to the Mail Server to ensure operation.

Default http/https/imap/smtp/pop etc. should be all you need; for every service you activate, forward a port.

This is exactly why a DMZ is 'needed'. Your Mail Server is not firewalled, it is directly reachable over the Internet (on a selected number of ports). If a vulnerability exists in a service on one of those forwarded ports, your KMS server could be jeopardized just as easily as any fully connected Internet server. Then you would have a compromised machine on your unprotected LAN (fully controllable by the hackers from the Internet over the forwarded port(s)).

So, in theory, all machines directly reachable from the Internet (even if only on 1 port) must be assumed to be vulnerable to attack and therefore they must not be in the LAN, but in the DMZ. Then, a compromised server would still not pose a risk for your LAN.

Of course, that's the theory. In the end it's all a matter of how protected you want to be. Because in theory, the data store should also not be on the DMZ. But Kerio is not capable of using a remote database for its mail store. And perhaps we would not even want a remote database, because of the increased latencies. Etc. etc. Theory is all good and well, but should not be blindly copied into practice.

[Updated on: Mon, 06 November 2006 18:59]
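
The difference winkelman describes above, as an added illustration that is not part of the original posts: a default-deny rule model of the two placements (mail server on the LAN with ports forwarded in, versus in the DMZ with the restricted rules Nixs outlined), showing which LAN targets a compromised mail server could still reach under each. Host names, the port list and the two rule sets are constructed assumptions.

```python
ANY = "*"
# A rule is (src_zone, dst_zone, dst_host, dst_port); ANY is a wildcard.

def allowed(rules, src_zone, dst_zone, dst_host, port):
    """Default-deny: traffic passes only if some rule explicitly matches it."""
    for s, d, host, p in rules:
        if (s == src_zone and d == dst_zone
                and host in (ANY, dst_host) and p in (ANY, port)):
            return True
    return False

# Constructed sample LAN inventory and probe ports (not from the thread).
LAN_HOSTS = ["dc1", "dc2", "fileserver", "workstation"]
PROBE_PORTS = [389, 445, 3389]   # LDAP, SMB, RDP

# Design (a): mail server on the LAN, 443/993 forwarded in from the Internet;
# the LAN itself is flat (no restrictions on what LAN hosts may reach).
LAN_PLACEMENT = {
    "mail_zone": "lan",
    "rules": [
        ("internet", "lan", "mail", 443),
        ("internet", "lan", "mail", 993),
        ("lan", "lan", ANY, ANY),
        ("lan", "internet", ANY, ANY),
    ],
}

# Design (b): mail server in the DMZ; DMZ->LAN limited to LDAP on the two
# domain controllers, SMTP only to a DMZ relay, IMAPS/HTTPS in from both sides.
DMZ_PLACEMENT = {
    "mail_zone": "dmz",
    "rules": [
        ("internet", "dmz", "mail", 443),
        ("internet", "dmz", "mail", 993),
        ("lan", "dmz", "mail", 443),
        ("lan", "dmz", "mail", 993),
        ("dmz", "lan", "dc1", 389),
        ("dmz", "lan", "dc2", 389),
        ("dmz", "dmz", "smtp-relay", 25),
    ],
}

def lan_exposure(design):
    """(host, port) pairs on the LAN that a compromised mail server could reach."""
    return {(h, p) for h in LAN_HOSTS for p in PROBE_PORTS
            if allowed(design["rules"], design["mail_zone"], "lan", h, p)}

if __name__ == "__main__":
    for name, design in (("LAN placement", LAN_PLACEMENT), ("DMZ placement", DMZ_PLACEMENT)):
        print(name, sorted(lan_exposure(design)))
```

With the LAN placement every sampled host and port is reachable from the mail server; with the DMZ placement only LDAP on the two domain controllers is, which is the blast-radius reduction the DMZ argument rests on.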

tpalmer

Messages: 61
Karma: 0
I am also a firewall guy, and my experience is that if you put a Windows machine on a DMZ, and want full domain connectivity (generally against all security rules and sense), you have to Swiss-cheese the DMZ -> LAN rules so much it's pointless.

Of course it's possible to proxy everything coming into the mail server, but the admin overhead is likely to create more problems than it solves. Depends totally on the details of the implementation.

But no, KMS doesn't have any proxy stuff built in. I suspect most of us are just living on the low end of the paranoia curve (like so many mail admins in general). I use a non-Windows platform, so that makes me feel a little better :)
winkelman

Messages: 2119
Karma: 3
tpalmer wrote on Tue, 07 November 2006 20:21

I suspect most of us are just living on the low end of the paranoia curve

So true :)
iigs

Messages: 81
Karma: 0
I am another firewall type guy, and my advice would be as above. Windows boxes in a domain are best kept out of the DMZ, unless you are just using AD for authentication, your server is kept fully patched, and your passwords are secure.

[Updated on: Mon, 13 November 2006 12:42]

Nixs

Messages: 159
Karma: 0
Why does the Kerio server need to be a domain member? Doesn't it just need access to the LDAP port 389? Also, I was unaware that a Linux machine could be a member of a domain. I'll have to check into that. If we put Kerio on Linux then we must make it a domain member to get AD authentication?

A bit confused.
iigs

Messages: 81
Karma: 0
Nixs wrote on Mon, 13 November 2006 15:32

Why does the Kerio server need to be a domain member? Doesn't it just need access to the LDAP port 389? Also, I was unaware that a Linux machine could be a member of a domain. I'll have to check into that. If we put Kerio on Linux then we must make it a domain member to get AD authentication?

A bit confused.

I thought that's what your people wanted to do as per your first post. You are correct though, the Kerio server doesn't need to be a domain member.

Linux can participate in a Windows domain to some extent, but it would probably suit your purposes to just use LDAP.
tpalmer

Messages: 61
Karma: 0
Kerio itself doesn't really care about the domain membership of its host, at least on OSX. Authentication is configured and accomplished completely within Kerio (ok, it might use some libraries from the OS). My OSX machine isn't tied directly to our AD in any way. One of our email domains is configured to use AD (via Kerio admin UI) and it works very nicely.
Nixs

Messages: 159
Karma: 0
Thank you. This clears things up for me a lot. My folks were wanting it to be on the LAN, a domain member. Security is my responsibility, however. If we did put it in the DMZ I would not make it a domain member. I would just open up LDAP for them -- knowing what I know now.

Again, thank you. While it may not have everything that Exchange has, Kerio Mail Server is showing itself to be a nice mail server with a lot of thought put into it and at a much better price. We've tested some failure scenarios between our test server and clients and it handled everything exactly how we were hoping it would. It also seems to be the only mail server outside Exchange to support ActiveSync over the air.
tpalmer

Messages: 61
Karma: 0
Nixs wrote on Mon, 13 November 2006 20:32

Thank you. This clears things up for me a lot. My folks were wanting it to be on the LAN, a domain member. Security is my responsibility, however. If we did put it in the DMZ I would not make it a domain member. I would just open up LDAP for them -- knowing what I know now.

Again, thank you. While it may not have everything that Exchange has, Kerio Mail Server is showing itself to be a nice mail server with a lot of thought put into it and at a much better price. We've tested some failure scenarios between our test server and clients and it handled everything exactly how we were hoping it would. It also seems to be the only mail server outside Exchange to support ActiveSync over the air.

Yup, it's not bad, and getting better. Two years ago (6.0.3 <shudder>), it was a disaster. Now it's creeping up on Way Cool. When KOC Offline mode and body searching is in (hey - how about a GUI for grep?), I'll be pretty happy. Oh, and an interface to SpamAssassin config. Oh, and SNMP query ability. OK, the requests never stop, but the core is solid, support is excellent and the price is right.
iigs

Messages: 81
Karma: 0
You probably know this, but you also want to limit what information from AD is allowed over that connection, depending on what they are using AD for.
Nixs

Messages: 159
Karma: 0
And how do you limit what they can query? Are you referring to making them generic users with limited rights in the AD? Or is there something more to this I am unaware of? Thanks.
Nixs

Messages: 159
Karma: 0
I have an issue setting this up. The Server is not a member of the domain. It is in the DMZ and a member of a workgroup by a different name. The LDAP works. We can see groups and users and configure them.

The problem comes with logging in. It keeps saying that the user's password is not valid. We found a document that states that Kerio must be a member of the domain. Why? If you simply open an LDAP connection using the user's id and password you can tell if it's a valid userid/pwd combo or not.

How do you get active directory authentication in Kerio without making it a domain member?

Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
It's simple. Active Directory mapping in KMS is using Kerberos for user authentication. Current Kerberos authentication requires a ticket for the Service Principal Name (SPN) host/servername. The SPN is created automatically when the computer joins an AD domain.