So i've been asked for some time to transfer an internal server from windows server to openbsd('cause someone told them it's secure). I've finally transfered the whole database over to mysql.
So i've got running SSH(for remote administrating) with root user login disabled but a normal user added to the wheel group. Both hold very strong passwords.
MySQL/Apache server configured and secured and accessible to internal IP's only.Firewall is up and running as it should be.Some paranoid kernel flags are in place along with an equally strange fstab table. Overall as an operating system it stands well fortified.
Now here's the problem, this system is the one that will be serving e-mail aswell. Otherwise the database and website is used for internal jobs only and could very well be not connected to the internet. I'm thinking of using sysjail (the equivalent of freebsd jails) to run the postfix server etc. to reduce the chance of anyone managing access to the mail server escalating into the internal one. And yes the guys that asked me to do this cannot afford an extra machine to serve their emails so it basically HAS to be like this. Currently the mail server is running on the same machine as the public webserver but they asked (more like put a gun to my face) to transfer the mail server to give the webserver some breathing space. I know it's not ideal and personally I'd leave the bloody mail server where it is right now and leave the internal system safe. I've expained the dangers to them etc. etc. but they seem to stand by their decision no matter what.
Anyway the question being, sysjail is the way to go imho. Do you have anything else to suggest instead of that?