[Solved] Mail Server on pfSense (not behind)



  • Hi,

    I recently ordered an Openvox IPC100B (1.6ghz Atom + 2GB DDR2). It should arrive shortly. I also got the pfSense guide. The box will replace my server and router, mainly to save electricity.

    I was planning to install the following:

    I have 5 mail clients and receive <100 visitors a month so load shouldn't be a problem.

    I can find nothing here on this set-up and that worries me a bit. So basically what are your thoughts on this? Am I wrong to think that I can follow any guide on this aimed at FreeBSD?

    Thanks.



  • A firewall is a firewall is a firewall (and not a server).

    While doable, I would not recommend it.
    You could run multiple virtual machines on your hardware, but you should be aware what consequences this has.



  • Hi thanks for your response.

    I am aware that this setup is not customary, but I can't see the problem from a hardware or software point of view. Is it not recommendable because of security risks? The only bad thing about this I can imagine is if somebody exploits your web/mail server they gain access to your router and clients because you didn't put the server in a DMZ. But if somebody gained access to my mail server it would probably be the worst part anyway.

    Virtualization is also an option I have considered. It would contain security threats and it is definitely nice to make backups and relocate the server to other hardware within minutes if the board fails.

    What would the impact on performance be running a virtual machine on this set-up (hardware + OS)? In my experience with VMware on Windows the guest PC is considerably slower. I have no experience with virtualization on BSD. I did run QEMU on Windows, but that was slow as hell.

    I am now reading up on FreeBSD jails. Seems like a perfect option. Any thoughts on this?



  • Yeah, you need a server with VMware ESXi. That would seem to be the best solution.



  • Running non-essential services on a firewall is an exceptionally bad idea from a security point of view.  A security appliance is exactly that, and should be treated as such.  If you plan to use any of the following arguments

    1. It's my home network, security isn't a big concern
    2. My network is too small to be of any concern
    3. But I will use an ultra secure mail server
    4. I'm a pro sysadmin, I know what I'm doing
    5. I'll use FreeBSD jails, it'll be secure

    Then you probably shouldn't use pfSense.  I'm sure there is a Fisher Price firewall somewhere you can use.



  • Thanks for all your answers. The Fisher Price one is a classic. I know that what I am attempting is not considered good practice. However it is practical. So I won't be deserting pfSense or this option yet. I just don't think it is wrong of me to try this from an experience pov, if it blows up in my face, so be it.

    So considering I am going to be sacrilegious and give up some security and stability here; what is the best, most secure way to go about this?

    My questions for now are:

    • should I run:
      o ESXi and pfSense and FreeBSD (server) as guests
      o or is there a way to virtualize the server on a pfSense host other than jail?
    • I understand that jails offer better performance over virtual machines, but are less secure, correct?

    Hardware recap: 1.6ghz Atom, 2GB RAM, plenty disk space.

    The "don't do it"/"it's a stupid idea" aka the most secure option has been covered and duly noted. I will be looking to add an Alix board as sole firewall to the setup. But I still want to see how this option plays out. And make my trade-off based on the experience of this.



  • if it blows up in my face, so be it.

    The problem is that it just doesn't blow up in your face…  It's a problem for everyone that the guy who has control of your box attacks...  With a setup like you speak of you may have no idea your box is being used by others for months...



  • @chpalmer:

    The problem is that it just doesn't blow up in your face…  It's a problem for everyone that the guy who has control of your box attacks...  With a setup like you speak of you may have no idea your box is being used by others for months...

    Thanks for your concerns, but this is neither helpful nor constructive. If anyone is annoyed by my ignorance and finds that I shouldn't even try something, just because it is held to be bad practice, please by all means don't help.

    My question remains: if I am to do this what is the most secure way to go about?



  • Start by reading the threads in the Virtualisation forum.

    Then, if you must, use VMware (ESXi, not Workstation). You will take a performance hit, as well as decrease the security of your setup (which at least you're aware of - that's more as a reminder for others who read this thread later).



  • @i_magnific0:

    Thanks for your concerns, but this is neither helpful nor constructive. If anyone is annoyed by my ignorance and finds that I shouldn't even try something, just because it is held to be bad practice, please by all means don't help.

    My question remains: if I am to do this what is the most secure way to go about?

    I think you're taking the criticism the wrong way…    I believe it is helpful but maybe not in a way that you want...

    No one is annoyed by ignorance, but only when advice is ignored and passed over as unimportant will you usually see annoyance..

    So to answer your question- There is probably not a secure enough method to do what you want to, that you should be comfortable with trying to use.

    My point is how is your compromised mail server and router any less of a concern to me or anyone else than say the Fortune 500 company in Los Angeles that just fired their I.T. Admin for incompetence?  We still have to deal with you both the same way costing us time and resources when either of your boxes launches an attack at our houses...

    Obviously you must have some form of a desktop on your LAN?  Windows box? Why not install your mail server on that desktop and let it run that way?

    Take a look at hmail.   I run this at a couple locations spread out as my primary and backup email servers to my domain on Windows boxes, server 2008 and XP…

    What I do find funny is the link you provided is an "untrusted connection" according to Firefox...

    "wiki.bsdroot.lv uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.

    (Error code: sec_error_untrusted_issuer)"



  • chpalmer:  ;D on the certificate, I saw it as well. I guess I understood you wrong, thanks for clarifying. I understand your concern, but my server to you is basically as big a risk on or off the firewall. And it is the main reason I am having this discussion in the first place.

    My point is that I hope that with enough care, maintenance and monitoring I can still have a secure setup. Imho it is not so black/white and although it is against the principal philosophy of a firewall, the practical outcome of this is probably far less horrific than some make it seem. Even such a setup can be reasonably secure properly done and having a no-nonsense firewall setup isn't going to make you 100% safe.

    I currently have a mail server on Windows and am also familiar with hmail. The reason I want this solution to work is that it is wasting a lot of electricity and therefore money. An all-in-one system sounds perfect from a space/money/consumption point of view. The only downside is the security.

    Havok: thanks, I have been reading up on this whole afternoon now. I think my system is not really suitable to run this. I have found some other Atom people that reported that ESXi is just really slow on their system. I doubt Hyper-V is going to be much better.

    I get the sense that jails are really not that secure. I think local exploits might still be able to break free from jail ;). But I haven't found much comparing jails to ESXi security-wise. Anyone with experience between these?



  • FreeBSD jails are trivial to break out of, this has been documented fact in security for quite some time.  Virtualized containers are generally more difficult, although not impossible to break out of, although this is largely dependent on the system being used.  As far as I am aware, there are no current attacks against ESXi which can perform this, although what is known and what isn't reported are two entirely different things.

    In short, a FreeBSD jail adds no security, only the illusion of security.  Virtualized containers do add a layer of security according to common practice, although there are plenty of talented security practitioners who advise against using virtualization as a security modifier.



  • Chroot - trivial to break out of, no meaningful security
    Jails - trivial to break out of, no meaningful security
    Some VMs - possible to break out of, some security
    Other VMs - not known to be possible to break out of, reasonable security

    The biggest problem with a VM (which applies to chroot and jails) is that you've added complexity, which makes the probability of an exploitable vulnerability higher. If the VM platform wasn't designed with security in mind then that gets a massive boost in the insecurity department. Worse, if/when somebody gains access to your guest they can trivially identify what platform you're running and then use that knowledge, along with the vulnerabilities, to gain access to the host. With access to the host they have full control of every VM - and if your firewall is a VM they can trivially bypass it.



  • Many thanks for all your answers I really have learned a lot.

    My solution is just to not have the all-in-one machine. The penalty in either security or performance is too big. I have ordered an Alix 2D2 (for firewall+router) and it will sit beside my Openvox in the IX110 housing.

    On a side note: I did install some services using jails on pfSense just for now (it is not connected to the modem yet :)) just to get some experience. I can really say that I love pfSense and FreeBSD. I didn't have any experience with any of the BSDs but it feels so much more solid than Linux (or Windows).

