Reverse Proxy appliance to offload IDS and AV.
Question asked by John Reid - February 9, 2017 at 10:31 AM
We have a dedicated server hosted at GoGrid as our mailserver. It is a rather active mail server that seems to be the constant target of would be hackers, and the server load at peak times is great enough that ClamAV always times out rather than scanning.
I have an idea and I wanted to pose it here to get opinions. I need to evaluate this idea to determine if it will work, and what the potential pitfalls might be. So the more conversation I can get from this group the better.
I recently discovered that Nginx not only acts as a reverse proxy for http and httpd, but it can do so for IMAP, POP3, and SMTP as well. My thought is to put all of our public IP addresses on a separate box, which would communicate with the backend SmarterMail box only on Private IP. In addition to the reverse proxy, this (Linux) box would take care of the IDS with similar rules as to SmarterMail, but also have the additional benefit of the other SNORT rules for non-mail protocol bad traffic. It would also be the front end Firewall, allowing me to remove the thousands of firewall rules from the Windows firewall. Finally, the ClamAV install could be moved to this box and rather than interrupting the spool, it could do the scanning inline before it even hits SmarterMail. As an option I might even make it an initial SPAM prefilter (I am running Declude with MessageSniffer right now.)
Nginx can make rule based decisions. So if in the future we need to scale to a second SmarterMail box on the backend, I am hoping to be able to create rules based on the domain, to point the mail at the correct box and prevent my having to change the thousands of MX records I maintain for clients. We host > 4000 accounts and an unknown number of aliases. A single domain accounts for almost 1500 of those accounts. So one box could host that domain, while another hosts the remainder.
So, has anybody else done this or anything similar? Do any of you have experience with using Nginx as a frontend and have any advice? What are the potential pitfalls you suspect we might have.
We are also discussing the possibility of moving the MailServer away from GoGrid and bringing it in house. We have the infrastructure in place to do this. However the IPs belong to GoGrid, and there is the matter of all of those DNS records again. If this solution were to work, as long as the reverse proxy were at GoGrid, the mail server should(?) be able to reside anywhere. If you know why that scenario would work well or not work, please chime in.
Thank you all.

Reply to Thread