Reverse Proxy appliance to offload IDS and AV.
Question asked by John C. Reid - 2/9/2017 at 10:31 AM
We have a dedicated server hosted at GoGrid as our mail server. It is a rather active mail server that seems to be the constant target of would-be hackers, and the server load at peak times is great enough that ClamAV always times out rather than scanning.
I have an idea and I wanted to pose it here to get opinions. I need to evaluate this idea to determine if it will work, and what the potential pitfalls might be. So the more conversation I can get from this group the better.
I recently discovered that Nginx not only acts as a reverse proxy for HTTP and HTTPS, but it can do so for IMAP, POP3, and SMTP as well. My thought is to put all of our public IP addresses on a separate box, which would communicate with the backend SmarterMail box only on a private IP. In addition to the reverse proxy, this (Linux) box would take care of the IDS with similar rules to SmarterMail, but also have the additional benefit of the other Snort rules for non-mail-protocol bad traffic. It would also be the front-end firewall, allowing me to remove the thousands of firewall rules from the Windows firewall. Finally, the ClamAV install could be moved to this box and, rather than interrupting the spool, it could do the scanning inline before it even hits SmarterMail. As an option I might even make it an initial spam prefilter (I am running Declude with MessageSniffer right now).
Nginx can make rule based decisions. So if in the future we need to scale to a second SmarterMail box on the backend, I am hoping to be able to create rules based on the domain, to point the mail at the correct box and prevent my having to change the thousands of MX records I maintain for clients. We host > 4000 accounts and an unknown number of aliases. A single domain accounts for almost 1500 of those accounts. So one box could host that domain, while another hosts the remainder.
So, has anybody else done this or anything similar? Do any of you have experience with using Nginx as a front end and have any advice? What are the potential pitfalls you suspect we might have?
We are also discussing the possibility of moving the mail server away from GoGrid and bringing it in house. We have the infrastructure in place to do this. However, the IPs belong to GoGrid, and there is the matter of all of those DNS records again. If this solution were to work, as long as the reverse proxy were at GoGrid, the mail server should(?) be able to reside anywhere. If you know why that scenario would work well or not work, please chime in.
Thank you all.
John C. Reid  / Technology Director
John@prime42.net  / (530) 691-0042
1300 West Street, Suite 206, Redding, CA 96001
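The routing part of the plan above (pick a backend SmarterMail box by domain so MX records never change) is exactly what Nginx's mail module supports: for every IMAP, POP3 or SMTP session it makes one HTTP request to an `auth_http` server and connects to whatever `Auth-Server`/`Auth-Port` that server answers with. Below is an added example of such a responder, written for this page and not code from the thread or from SmarterTools; the backend IPs, the domain name and the shared key are placeholders. It assumes an Nginx `mail {}` block pointing `auth_http` at `127.0.0.1:9000/auth`, `smtp_auth none` on the port-25 listener so other MTAs can deliver without authenticating, and `auth_http_header X-Auth-Key "..."` so the responder can refuse callers that are not Nginx. Two caveats a practitioner should weigh before building on this: the backend is chosen once per session, so a message whose recipients live on two different backends cannot be split by Nginx, and the mail module never looks at message bodies, so the inline ClamAV and spam-prefilter part of the plan needs a real MTA in front (with a milter or content filter), not Nginx.

```python
"""Added example: nginx mail-module auth_http responder that routes each
session to a backend by mail domain.  Not from the thread; IPs, the domain
name and the shared key are placeholders.

Assumed nginx side (an assumption, not the poster's config):

    mail {
        auth_http        127.0.0.1:9000/auth;
        auth_http_header X-Auth-Key "replace-me";   # lets us reject other callers
        server { listen 25;  protocol smtp; smtp_auth none; }
        server { listen 143; protocol imap; }
        server { listen 110; protocol pop3; }
    }
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

SHARED_KEY = "replace-me"          # must match auth_http_header above
DEFAULT_BACKEND = "10.0.0.10"      # placeholder: box hosting "the rest"
BACKENDS = {                       # constructed routing table
    "bigcustomer.example": "10.0.0.11",   # placeholder for the ~1500-account domain
}
PORTS = {"smtp": 25, "imap": 143, "pop3": 110}
MAX_ATTEMPTS = 3                   # nginx counts Auth-Login-Attempt per connection


def domain_of(address):
    """'<User@Example.COM>' -> 'example.com'; '' when there is no domain part."""
    addr = address.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def route(protocol, user="", smtp_to=""):
    """Return (backend_host, port) for one session, or None for an unknown protocol.

    Inbound SMTP from other MTAs carries no Auth-User (smtp_auth none), so
    nginx passes the first RCPT TO as Auth-SMTP-To and we route on that.
    IMAP/POP3 route on the login name.  The choice holds for the whole
    session: recipients spanning two backends cannot be split here.
    """
    if protocol not in PORTS:
        return None
    key = smtp_to if protocol == "smtp" and not user else user
    return BACKENDS.get(domain_of(key), DEFAULT_BACKEND), PORTS[protocol]


def decide(headers):
    """Map the request headers nginx sends to the response headers it expects.

    Password checking is left to the backend (nginx replays the login there);
    this responder only authorises the routing and throttles retries.
    """
    if headers.get("X-Auth-Key") != SHARED_KEY:
        # Anyone other than our nginx gets the generic failure and a delay.
        return {"Auth-Status": "Invalid login or password", "Auth-Wait": "3"}
    protocol = headers.get("Auth-Protocol", "").lower()
    attempt = int(headers.get("Auth-Login-Attempt", "1") or 1)
    if attempt > MAX_ATTEMPTS:
        # Slow down password guessing from one client connection.
        return {"Auth-Status": "Too many attempts", "Auth-Wait": "10"}
    target = route(protocol, headers.get("Auth-User", ""),
                   headers.get("Auth-SMTP-To", ""))
    if target is None:
        return {"Auth-Status": "Unknown protocol", "Auth-Wait": "3"}
    host, port = target
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}


class AuthHandler(BaseHTTPRequestHandler):
    """nginx always answers on HTTP 200; the decision lives in the headers."""

    def do_GET(self):
        self.send_response(200)
        for name, value in decide(self.headers).items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *_):
        pass   # keep Auth-User/Auth-Pass out of stdout


if __name__ == "__main__":
    # Bind to loopback only: this endpoint must not be reachable from outside.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```

Run it next to Nginx and point `auth_http` at it; the `X-Auth-Key` check and the loopback bind are the two things that keep the responder from becoming an open routing oracle, and `Auth-Wait` on failures is the cheap brute-force throttle Nginx honours before the backend ever sees a login.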

3 Replies

Gerardo Altman Replied
Hey John

how did you go with this setup?

i stumbled across your post as its something i've been looking at.

Douglas Foster Replied
The first step should be to separate incoming mail filtering from your primary mail server. A second box running SmarterMail as an incoming gateway will spread your workload and simplify your defenses.

I am pessimistic about Nginx. My limited attempts at reverse proxy (on other applications) have been frustrated by false positives and the difficulty of verifying true positives. Additionally, the webmail interface uses a mix of HTML and web sockets, so I don't think SmarterTools has ever documented a supportable way to implement reverse proxy. If you succeed, please post the results.

Gerardo Altman Replied
Hey Douglas

We have already tested a similar setup on Exchange and it's working as expected.

Minus SMTP, IMAP and POP.

Also looking at HAProxy as another potential reverse proxy solution, which we will try to test soon.

Unfortunately Exchange is more vulnerable than SM :(

Will report back once we've finished our testing.
