PMDF Installation Guide
OpenVMS Edition



10.1 Before You Begin

First, before concerning yourself with the setup of e-mail control and restrictions, i.e., an e-mail firewall, you should have a basic Internet firewall setup in place, i.e., TCP/IP level controls in place for functions such as FTP access and remote login access. E-mail is generally much less of an overall security concern than such lower level access issues.

Next, you should consider establishing e-mail policies for your site, taking the next step along the lines of the general security policies you presumably considered and established when setting up your Internet firewall. For instance, depending upon your site, you might want to have explicit policies regarding mail spoofing, the sending of harassing e-mail, list subscriptions, the sending of virus-infected PC executable programs, the use of e-mail for personal business, etc.

What is appropriate policy for your site will depend upon your site's goals and needs and what can be reasonably expected from your users. Your greatest aid in good e-mail security, as in other security, is users who are educated as to your policies and committed to implementing them. With the tightest security procedures in the world, if your users do not understand the reasons for your policies and practices or find them overly burdensome, sooner or later some users will disregard or circumvent them.

Then gather any information you will need to provide as input to the firewall configuration utility. Prior to running the automatic configuration generator, you should have a good idea of your network configuration. Note that PMDF CONFIGURE FIREWALL will attempt to provide default values to its prompts. These defaults are picked up, whenever possible, from your system environment.

The PMDF System Manager's Guide discusses issues to consider and approaches that can be used to implement an effective e-mail firewall. Either before or after running the firewall configuration utility, you might want to look over the description contained there to better understand the details of your firewall configuration and what additional features beyond those generated automatically by the firewall configuration utility you might want to implement.

In particular, note that in a firewall configuration you usually want the PMDF firewall system to have a good idea of the names or domains and IP numbers of all of your internal systems. In a regular PMDF configuration, PMDF is generally not configured to make much if any distinction between "internal" and "external" addresses and messages; as long as the address is a valid address, PMDF will handle the message. However, one of the fundamental features of a firewall configuration tends to be a desire to distinguish between "internal" and "external" addresses and messages; this requires that you provide PMDF with more information as to just which addresses, system and domain names, and IP numbers are to be considered "internal" versus "external".
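The following is an added sketch, not PMDF code and not taken from the PMDF documentation, of the inventory the paragraph above asks you to gather: a list of internal domains and internal IP networks, checked against sample traffic so you can see which name and IP combinations your lists treat as "internal". The domains and networks are constructed placeholders, and the four result labels are this example's own, not PMDF terminology.

```python
import ipaddress

# Constructed inventory: replace with your site's real internal domains and networks.
INTERNAL_DOMAINS = ["example.com", "corp.example.net"]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]


def domain_is_internal(address):
    """True if the address's domain is an internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    # Match on whole labels so "evilexample.com" does not pass as "example.com".
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def ip_is_internal(ip):
    """True if the connecting IP falls inside any internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(envelope_from, source_ip):
    """Combine the name check and the IP check into one of four labels."""
    name_in = domain_is_internal(envelope_from)
    ip_in = ip_is_internal(source_ip)
    if name_in and ip_in:
        return "internal"
    if name_in:
        # Internal sender name arriving from outside: review against your spoofing policy.
        return "internal-name-external-ip"
    if ip_in:
        # Internal host sending with an outside name, e.g. forwarded mail.
        return "external-name-internal-ip"
    return "external"


if __name__ == "__main__":
    # Constructed sample traffic (sender address, connecting IP).
    samples = [
        ("alice@example.com", "192.0.2.15"),
        ("alice@example.com", "198.51.100.7"),
        ("carol@example.org", "10.9.9.9"),
        ("x@evilexample.com", "198.51.100.7"),
    ]
    for sender, ip in samples:
        print(f"{sender:22} {ip:15} {classify(sender, ip)}")
```

Running sample traffic through a check like this before you answer the configuration utility's prompts shows gaps in the inventory, such as an internal subnet or subdomain you forgot to list.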

Another issue to consider is how regularly e-mail system maintenance checks will be performed on a firewall system.

For instance, Internet domains are required to have a postmaster address which accepts mail. Therefore you must have a postmaster address "on" (at least apparently) the firewall system. Since a postmaster address is the one address that must always be able to accept mail, it is usually wise to have postmaster mail delivered as simply and directly as possible to some account, without forwarding or additional network or mail system hops that present additional possible points of failure. However, in the case of a firewall which will be operating essentially unattended for long periods of time, some sites might decide to forward postmaster mail to an account on a different system; if you choose to do this, be sure to forward the mail over a reliable connection, not subject to frequent or unexpected failures, and do keep in mind that an interruption in this connection can lead quickly to mail system problems.

Another issue related to maintenance of the firewall system is logging. PMDF has detailed logging which can be enabled. Such logging can be useful in gathering message traffic statistics and in tracking down problems. However, if you enable such logging, you should also have a plan for periodically logging on to the firewall system to check on and truncate, or save to tape, or delete, as you prefer, the PMDF cumulative log file. PMDF never does anything with the mail.log itself, other than continue to append to it.

