MercuryI setup...

Indeed, if you're filtering in one place only, it should be the router, but if you're worried and want defence in depth (which is Mark's position) you can filter on the machine as well. Then if you've misconfigured your filtering and left a hole, there's a backstop. But, as pointed out, if you misconfigure it you also have twice as many possibilities for stopping it transporting mail.

Hello,

With all the mobile devices these days, it would be nice to be able to push new mail to the mobile users on phones.

I guess IMAP, although I don't believe it "pushes" changes to users, might be an alternative for getting email out to mobile users, while only having a single place to manage from all locations.

Can I use MercuryI and set up mobile devices, or say home email clients, to access the IMAP accounts from remote locations?

My concern would be security and opening ports on my firewall to my LAN.

Would I need a DMZ to do this safely?

Wondering how you guys use Mercury in this type of scenario and stay safe.

Thanks much,

Mark 

 


> Hello,
> With all the mobile devices these days, it would be nice to be able
> to Push new mail to the mobile users on phones.
> I guess IMAP, although I don't believe it "pushes" changes to users,
> it might be an alternative to getting email out to mobile users, but
> only having a single place to manage from all locations.
> Can I use MercuryI and setup mobile devices or say home email
> clients to access the IMAP accounts from remote locations?

Yes, but it might be easier to set up something like SquirrelMail on your system and allow the users to come in with any web browser to read their mail.  This requires adding a web server (Apache, PHP, Perl is common), but it only requires opening port 80 to your system.  I find this quite handy for access when I'm travelling to remote locations where only an Internet Café is available for access.



> My concern would be security and opening ports on my firewall to my
> LAN.

Agreed, but when you have a router/firewall then opening port 143 is no big deal.

> Would I need a DMZ to do this safely?

Nope.

> Wondering how you guys user Mercury in this type scenerio and stay
> safe.

Router/firewall, pass the required ports to the Mercury/32 system.  I run both SquirrelMail and Mercury/32 IMAP4/POP3/SMTP access to my system and it's quite safe to do this.

If you run a web server, though, it really needs to be locked down so it can only access the specific directories that are required to run the system.  If you worry about this setup then I'd go with only the Mercury/32 access.


Thomas,

So SquirrelMail and Mercury will both work, SquirrelMail requires a Web Server.

I do have an IIS Web server for my intranet, however I have never taken the step to open it up to the outside world.

I'm guessing SquirrelMail is an open source deal, so PHP/Apache would be necessary there.

What about MercuryB, is that not a Web Server for access from the outside world?

Thanks much,

Mark


> Thomas,
>
> So SquirrelMail and Mercury will both work, SquirrelMail requires a Web Server.

Correct.

> I do have an IIS Web server for my intranet, however I have never
> taken the step to open it up to the outside world.

I personally would never make an IIS server available to the outside world, too risky.

> I'm guessing SquirrelMail is an open source deal so PHP/Apache would be
> necessary there.

You could use the IIS server and it probably already has PHP available.

> What about MercuryB, is that not a Web Server for access from the outside world?

Very limited and only for mailing lists.


Thomas,

I have done a bit of reading, and I seem to be at an impasse. I'd really like to open IMAP to my users for remote access to their emails.

You mentioned that it's quite safe to run Mercury32 with ports open (forwarded) for IMAP, POP, and SMTP.

I did a bit of research on this and all the info I found more or less said "never leave these ports open on your firewall" and to use a DMZ or proxy for security.

My Mercury server runs on a standalone PC on my internal LAN, but the mailboxes and the Mercury32 directory itself are on servers that have other critical things on them, that Mercury must access.  I can't fully restrict access to these servers.

I'm just not getting a warm fuzzy feeling about this as I'm no security expert.

Comments?

Thanks,

Mark

 


Mark,

I'm trying to understand your set-up. You have a LAN, on which is a server running the Mercury process, and other servers with the mail folders? How are they connected, eg, windows shares? I'm not sure how you can have the main Mercury folder on a different box to the one Mercury is running - is that what you said? How many other machines are on the LAN? What connects the LAN to the internet, eg, a broadband router?

I think you can make it secure. This is what I do: I run Mercury on a machine I also use for other stuff. I have a software firewall on that machine. I connect to the internet through a router, and use port forwarding on that router to connect just the necessary ports to the Mercury server. Anyone who tries to access the machine via those ports can only see Mercury, and I believe David Harris has done a thorough job of making sure Mercury isn't vulnerable to being used to get into the rest of the machine. I have 2 mobiles which connect to MercuryI from the internet; they have passwords to access the mailboxes, and the firewall only allows the right range of IP addresses. I also use SSL on communication with the phones so that passwords aren't accessible, and AUTH on SMTP from the phones to Mercury. I'm also intending to set up MAC filters on the router so that traffic will only get through the forwarded ports to the mailboxes if it's from the right phones.


> I did a bit of research on this and all the info I found more or
> less said "never leave these ports open on your firewall" and to use a
> DMZ or proxy for security.

As long as the system itself is not talking directly to the internet (i.e. with no router/firewall in between), leaving these ports open is no big deal.  The naysayers generally do not want any ports open, but if you are running a mail server then you must open these ports to the outside world.  You just do not want any MS system talking directly to the internet.

> My Mercury server runs on a standalone PC on my internal LAN, but
> the mailboxes and the Mercury32 directory itself are on servers that
> have other critical things on them, that Mercury must access.  I can't
> fully restrict access to these servers.

But these ports are not accessing anything but the Mercury/32 server.  There is nothing that a hacker can do if they are accessing the system via a router, since they cannot connect to any ports other than the ones that are passed by the router to the system.

> I'm just not getting a warm fuzzy feeling about this as I'm no security expert.

It's no big deal. Thousands of people run mail servers on MS Windows systems without any problems at all.

 


Chris,

My setup is as follows:

Internet -> My DSL modem -> My Firewall -> Router/Switch -> LAN

On my Lan I have a single machine that RUNS loader.exe from a Mercury install ON ANOTHER SERVER. (I did this to mirror my Netware setup)

My users mailboxes are on yet another server.  So Mercury RUNS on M-SERVER, The install directory is on T-SERVER, and mail boxes are on S-SERVER. 

This is 3 different servers, M-Server has some access to all the other servers via shares/mapped drives.

I have done it this way to prevent losing the install and mailboxes in the event of system failure and also to back up everything properly.

I have tested MercI on my system, it works. 

My port forwarding is going to M-Server only, where Mercury actually runs.

I can see there is some HYPE from those who post their opinions about port security, and I suppose due to the nature of my less than normal setup, I have more concern than normal.

I guess I'm just used to the daily "security holes" in everything, that I'm expecting Mercury to possibly have some too.

Hence my concern.

I can see your 3 fold security measures, and that makes me feel a little more warm and fuzzy.

May I ask what software firewall you are using?

It seems to me that your router is only doing the port forwarding (and will do MAC filtering as well), and the software firewall is allowing only, say, entire ranges of IPs from your telecom providers.

On the SSL side of things, how did you implement it?

It appears that for Mercury to do SSL with Outlook, you need to set up some other SSL tools (http://community.pmail.com/forums/thread/7330.aspx or something) to actually use it?

Are you using these other tools to get SSL to work correctly?

Thanks much,

Mark


In the latest version of Mercury (v4.72), MercuryI will allow direct IMAP SSL connections on port 993 for Outlook and other clients, so you won't have to use stunnel for that.

 


Mark,

Apart from being split over several servers, and having a [hardware?] firewall between your DSL modem and your switch, your network is similar to mine. I have a DSL modem and a switch, both with firewall facilities. I haven't had any security issues.

Since your port forwarding is only going to M-Server, and you are only forwarding the ports Mercury needs, you are not exposing anything except those ports. All the traffic between your servers should be internal to your LAN and has no connection to the internet.

I'm using ZoneAlarm Pro, just the Firewall, not the suite. What you say about my router and firewall is correct.

I use direct SSL over port 993. It was just a matter of trying different flavours until I found something that worked on both Mercury and the phone. The main reason I use SSL is to hide the Mercury passwords; the body of the mail has travelled over the net unencrypted already.

I'm using Thunderbird, with no extra tools. I can't comment on Outlook, I've never used it (and don't wish to).

 

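Chris's reason for SSL above (hiding the Mercury passwords, since the mail body has already crossed the net in clear) and Paul's note that MercuryI 4.72 accepts direct IMAP SSL on port 993 both come down to one client-side rule: never issue LOGIN over a connection that is not encrypted. The following is an added example, not code from this thread or from Mercury/32. It is an imaplib client that uses implicit TLS on 993, upgrades with STARTTLS on any other port, and refuses outright when the server offers neither, together with a constructed plaintext-only fake server that records every command it receives, which is exactly what a sniffer on the path would see. The host, port, user name and password are placeholders.

```python
"""Keep IMAP passwords off the wire unless the link is encrypted.

Added example for the MercuryI thread; not code from Mercury/32 or any post.
Host, port, credentials and the fake server are constructed for illustration.
"""
import imaplib
import socket
import ssl
import threading


class PlaintextLoginRefused(Exception):
    """LOGIN would have travelled over an unencrypted connection."""


def open_imap_for_login(host, port, context=None):
    """Connect and return an imaplib object whose LOGIN is protected by TLS.

    port 993   -> implicit TLS (what MercuryI 4.72 offers directly).
    other port -> plain connect, STARTTLS if advertised, else refuse.
    The default context verifies the certificate chain and host name; a
    self-signed Mercury certificate belongs in the context, not bypassed.
    """
    context = context or ssl.create_default_context()
    if port == 993:
        return imaplib.IMAP4_SSL(host, port, ssl_context=context, timeout=10)
    conn = imaplib.IMAP4(host, port, timeout=10)   # imaplib already fetched CAPABILITY
    if "STARTTLS" not in conn.capabilities:
        conn.logout()
        raise PlaintextLoginRefused(f"{host}:{port} offers no STARTTLS; credentials not sent")
    conn.starttls(context)
    return conn


class FakePlainImapServer(threading.Thread):
    """Plaintext-only IMAP responder (constructed for the demo, not a real server).

    Records each command line as received: what an eavesdropper would see too.
    """

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.seen = []

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
                wf.write(b"* OK fake IMAP ready\r\n")
                wf.flush()
                for raw in rf:
                    line = raw.decode("ascii", "replace").rstrip("\r\n")
                    self.seen.append(line)
                    tag, _, rest = line.partition(" ")
                    verb = rest.split(" ", 1)[0].upper()
                    if verb == "CAPABILITY":            # deliberately no STARTTLS
                        reply = f"* CAPABILITY IMAP4rev1\r\n{tag} OK done\r\n"
                    elif verb == "LOGOUT":
                        reply = f"* BYE closing\r\n{tag} OK done\r\n"
                    else:                                # LOGIN lands here
                        reply = f"{tag} NO not in this demo\r\n"
                    wf.write(reply.encode("ascii"))
                    wf.flush()
                    if verb == "LOGOUT":
                        break


def verbs(seen):
    """Command verbs from recorded lines, e.g. ['CAPABILITY', 'LOGIN', 'LOGOUT']."""
    return [line.split(" ")[1].upper() for line in seen if " " in line]


def run_demo(user="mark", password="s3cret"):
    """Naive client vs. TLS-insisting client against the plaintext-only server.

    Returns (lines seen from the naive client, lines seen from the safe client).
    """
    server = FakePlainImapServer()
    server.start()

    # 1. Naive: imaplib.IMAP4 + login(). The password leaves the client in clear.
    naive = imaplib.IMAP4("127.0.0.1", server.port, timeout=10)
    try:
        naive.login(user, password)
    except imaplib.IMAP4.error:
        pass                     # rejected by the fake server, but already on the wire
    finally:
        naive.logout()
    naive_seen = list(server.seen)
    server.seen.clear()

    # 2. Safe: no STARTTLS advertised, so LOGIN is never sent at all.
    try:
        open_imap_for_login("127.0.0.1", server.port)
    except PlaintextLoginRefused:
        pass
    return naive_seen, list(server.seen)


if __name__ == "__main__":
    naive_lines, safe_lines = run_demo()
    print("naive client, on the wire:", naive_lines)
    print("safe client, on the wire: ", safe_lines)
```

Running it shows the naive client's recorded traffic containing `LOGIN mark "s3cret"` verbatim, while the careful client only ever sends CAPABILITY and LOGOUT to a server that cannot encrypt. For a real Mercury install with a self-signed certificate, add that certificate to the context with `context.load_verify_locations(...)` rather than turning verification off, otherwise the TLS that is meant to hide the password can be stripped by anyone in the path.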

Chris, Thomas, Paul,

Thank you for your help on this issue.  I'm going to test this all out, try SSL and even put a Software Firewall on the machine as a little extra protection. 

I just MUST give my users access from remote locations, and on phones etc.  Thanks for helping me get over my fear!  I'm just chicken when it comes to certain things.

Thanks again,

Mark

 


[quote user="Mrpush"]and even put a Software Firewall on the machine as a little extra protection. [/quote]

A firewall will not give you any extra protection, as the only external ports forwarded to your server should be the mail ones, and you will need to open those in your software firewall anyway. It offers no benefit and is something else to go wrong.


A software firewall can offer extra protection; mine is currently set up to only allow traffic on the IMAP ports if it comes from the LAN or from the external IP range used by our mobiles. It's arguable whether it's necessary, and it is something else to set up but if you're worried it may help.


Fair enough, but if it were me, I would say the filtering of the IMAP traffic should be done at the router.
