Re: [FW1] Mailserver Behind Firewall
George Russell Juppunov wrote:
>
> I'm not sure I understand what you refer to as Mail Proxy, but I'm
> guessing you are talking about a mail relay.

A mail proxy is a store & forward SMTP server, usually placed in the DMZ, that handles all incoming and outgoing SMTP traffic. It receives mail from external hosts via SMTP, ignoring harmful SMTP commands like DEBUG and VRFY, and sends the mail further to the internal mail server. Mail coming from the internal mail server has to pass it too and is relayed. The headers of outgoing mails should be rewritten to hide the architecture and addresses of the internal network. You need to do some easy and harmless DNS tricks for such a configuration.

You can either use a special SMTP proxy like the Open Source smtpd (source package being just 260 kB, binary very small too; small code, few possibilities for bugs and security holes) for that, or configure a secure SMTP server like qmail to operate as an SMTP proxy. The only service running on that machine should be SMTP, and since it is configured as a bastion host, the internal mail server can trust it. At least it can be trusted a little more than all other SMTP servers in the whole net.

Let's make a model:

    Internet
       |
     router
       |
       |
       |
     FW-external_interface    official IP Address a.b.c.d/30
       |
       |
       |
       official a.b.c.d/29      official a.b.c.d+1/29
     FW---dmz_interface----------dmz_smtp_store_&_forward_proxy
       |                         mail.any-domain.tld
       |
       |
     FW-internal_interface 192.168.x.y/24
        \
         \
          \
          internal_smtp_server 192.168.x.y
          mail-internal.any-domain.tld

The MX record in the DNS would announce mail.any-domain.tld as the mail server for that particular domain, while the machine itself knows that it is not, but mail-internal.any-domain.tld shall get the mail. You simply don't have a connection from your internal mail server to any other mail server except the mail proxy.

> If you are referring to a mail relay on the DMZ, then that's what I
> meant as well. I didn't think I had to go deeper
> into this mail architecture, but sure. You want to have a mail relay
> or relays that will hold the MX record(s) for
> your company, and you should probably have those on your DMZ.

Mail relays don't hold MX records. DNS servers hold MX records.

regards
Wolfgang
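The three behaviours Wolfgang describes for the DMZ store-and-forward proxy (refusing information-leaking verbs such as VRFY and DEBUG, relaying only in the two allowed directions so the box is not an open relay, and scrubbing internal topology from outgoing headers) can be checked in isolation. The following is an added example written for this page; it is not code from the thread, from smtpd or from qmail. The network 192.168.0.0/24, the domain any-domain.tld and the hostnames are constructed stand-ins for the thread's a.b.c.d / 192.168.x.y placeholders, and the sample message is constructed too.

```python
"""Policy pieces of a DMZ store-and-forward SMTP proxy (added example,
not the poster's configuration): verb filter, relay direction check,
and outgoing header scrubbing. Everything else (queueing, real SMTP
state machine, TLS) is out of scope here."""
import email
import email.utils
import ipaddress
from email import policy

# Constructed values standing in for the thread's placeholders.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")   # internal LAN
LOCAL_DOMAIN = "any-domain.tld"                         # domain in the MX record
PROXY_HOST = "mail.any-domain.tld"                      # the DMZ proxy itself

# Verbs the proxy answers itself and never forwards to the internal server:
# VRFY/EXPN enumerate users, DEBUG is a legacy debugging hook.
BLOCKED_VERBS = {"VRFY", "EXPN", "DEBUG"}


def filter_command(line: str):
    """Reply for a blocked verb, or None to pass the command on."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in BLOCKED_VERBS:
        return "502 5.5.1 Command not implemented"
    return None


def relay_decision(client_ip: str, rcpt: str):
    """Decide whether a RCPT TO is accepted, as (accepted, reply).

    From the internal net: any recipient (outgoing mail from the internal
    server). From anywhere else: only local-domain recipients, so external
    hosts cannot use the proxy to relay to third parties.
    """
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].strip("<> ").lower()
    if addr in INTERNAL_NET or domain == LOCAL_DOMAIN:
        return True, "250 2.1.5 OK"
    return False, "554 5.7.1 Relay access denied"


def scrub_outgoing_headers(raw: bytes) -> bytes:
    """Drop trace headers added inside the internal network and replace
    them with a single Received line naming only the DMZ proxy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in ("Received", "X-Originating-IP", "X-Mailer"):
        del msg[name]                      # deletes every occurrence
    msg["Received"] = "by %s with SMTP; %s" % (
        PROXY_HOST, email.utils.formatdate(usegmt=True))
    return msg.as_bytes()


def handle_session(client_ip: str, commands):
    """Walk a constructed list of client commands and return the replies
    the proxy gives. Commands not decided here would be forwarded to the
    internal server by a real proxy; this stub answers them with 250."""
    replies = []
    for line in commands:
        blocked = filter_command(line)
        if blocked:
            replies.append(blocked)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "RCPT":
            replies.append(relay_decision(client_ip, line.split(":", 1)[1])[1])
        else:
            replies.append("250 OK")
    return replies


# Constructed outgoing message as the internal server would hand it over.
SAMPLE_OUTGOING = (
    b"Received: from pc42.internal (pc42.internal [192.168.0.42])\n"
    b"\tby mail-internal.any-domain.tld with ESMTP id abc123\n"
    b"Received: from mail-internal.any-domain.tld (192.168.0.25)\n"
    b"\tby mail-internal.any-domain.tld\n"
    b"X-Originating-IP: 192.168.0.42\n"
    b"From: alice@any-domain.tld\n"
    b"To: bob@example.org\n"
    b"Subject: hello\n"
    b"\n"
    b"body text\n"
)

if __name__ == "__main__":
    # External client: VRFY refused, local recipient accepted, relay denied.
    for reply in handle_session("203.0.113.5", [
            "HELO client.example", "VRFY root", "MAIL FROM:<a@example.org>",
            "RCPT TO:<bob@any-domain.tld>", "RCPT TO:<c@example.net>"]):
        print(reply)
    print(scrub_outgoing_headers(SAMPLE_OUTGOING).decode())
```

Running the block prints the replies for a constructed external session and the scrubbed message; the scrubbed copy carries one Received header mentioning only mail.any-domain.tld, which is the "hide the architecture and addresses of the internal network" point from the reply above.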