Simple and easy MTA for 2.3.1?

  • Hello,

    I have been using exim under pfsense <2.3… but, 2 days ago my pfsense totally broke and i reinstalled it to the new version.
    and was surprised, that now```

    so, question is: what do you recommend?
    I was using MTA on pfSense for alerts from internal network as open relay.

  • Rebel Alliance Developer Netgate

    We recommend not running an MTA on the firewall.  ;D

  • @jimp:

    We recommend not running an MTA on the firewall.  ;D

    What is the logic behind the recommendation? If a bunch of spam can be cut down right at the perimeter, why not?

    What else do you not recommend running on the firewall: IDS/IPS, DNS?

  • Rebel Alliance Developer Netgate

    The logic is, as always: For best practices and higher security, we recommend keeping the services on the firewall to a minimum – doubly so for public services.

    MTA with spam filtering tacked on are huge, complex, beasts that have a history of security issues, and they are less suited to being at the perimeter of the network. You can route mail wherever you want, so route it to a dedicated mail filtering VM/appliance if you must. It doesn't have to be at the edge like an IDS.

    DNS services are less clear. A caching resolver for clients is good, but a public authoritative server is not.

    So basically, anything you can run elsewhere, should be run elsewhere, if you have a choice.

    And just because we have a package for something doesn't always mean it's a good idea to run it on an edge firewall. Classic security vs convenience trade-off.

  • Thank you for the detailed explanation. I appreciate your effort.

    What follows are some theoretical ramblings on the subject.

    Grass always seems greener on the other side. It seems like virtualizing everything is a safer way to go, but on my recent memory there have been two serious hypervisor breakout vulnerabilities.

    In the cloud space, these days, lightweight Docker containers are all the rage. This is a technology that is loosely based on FreeBSD Jails. Perhaps, if pfSense packages were running inside the jails it would help to thwart some of the security risks; by stopping heap memory corruption attacks from affecting the whole system, for example.

    Ok. Thank you for reading. I am off to build a rack of servers. See you later.  :)

  • moving up topic.

    maybe someone has solution?

Log in to reply