
Re: [FW1] Mailserver Behind Firewall



George Russell Juppunov wrote:
>
> I'm not sure I understand what you refer to as Mail Proxy, but I'm
> guessing you are talking about a mail relay.

A mail proxy is a store & forward SMTP server, usually placed in the 
DMZ, that handles all incoming and outgoing SMTP traffic. It receives 
mail from external hosts via SMTP, ignoring harmful SMTP commands like 
DEBUG and VRFY, and sends the mail further to the internal mail 
server. Mail coming from the internal mail server has to pass it too and 
is relayed. The headers of outgoing mails should be rewritten to hide 
the architecture and addresses of the internal network. You need to do 
some easy and harmless DNS tricks for such a configuration. You can 
either use a special SMTP proxy like the Open Source smtpd (source 
package being just 260 kB, binary very small too; small code, few 
possibilities for bugs and security holes) for that, or configure a 
secure SMTP server like qmail to operate as an SMTP proxy. The only 
service running on that machine should be SMTP and, since it is 
configured as a bastion host, the internal mail server can trust 
it. At least it can be trusted a little more than all other SMTP 
servers in the whole net.

Let's make a model:

Internet
|
router
|
|
|
FW-external_interface official IP Address a.b.c.d/30
|
|
|         official a.b.c.d/29         official a.b.c.d+1/29
FW---dmz_interface----------dmz_smtp_store_&_forward_proxy
|                                             mail.any-domain.tld
|
|
FW-internal_interface 192.168.x.y/24
\ 
  \
    \
   internal_smtp_server 192.168.x.y
    mail-internal.any-domain.tld

The MX record in the DNS would announce mail.any-domain.tld as the mail 
server for that particular domain, while the machine itself knows that 
it is not, but mail-internal.any-domain.tld shall get the mail. You 
simply don't have a connection from your internal mail server to any 
other mail server except the mail proxy.

> If you are referring to a mail relay on the DMZ, then that's what I
> meant as well. I didn't think I had to go deeper
> into this mail architecture, but sure. You want to have a mail relay
> or relays that will hold the MX record(s) for
> your company, and you should probably have those on your DMZ. 

Mail relays don't hold MX records. DNS servers hold MX records.

regards
Wolfgang
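The policy the post describes for the DMZ store-and-forward proxy, as an added example that is not part of Wolfgang's message and is not the code of the smtpd or qmail programs he names: refuse DEBUG and VRFY (EXPN is refused here as well, for the same reason), accept inbound mail only for the site's own domain and hand it to mail-internal, relay outbound mail only when it arrives from the internal server, and strip Received: headers that expose internal names or RFC 1918 addresses before mail leaves. The host names follow the diagram above; the 192.168.10.x addresses, the reply texts and the sample message are constructed for the example. It models the decision logic only and does not open a network socket.

```python
import re

# Names modelled on the post's diagram; the addresses are assumptions
# for this example, not a real site's configuration.
LOCAL_DOMAIN = "any-domain.tld"
PROXY_HOST = "mail." + LOCAL_DOMAIN            # the host the MX record names
INTERNAL_HOST = "mail-internal." + LOCAL_DOMAIN
INTERNAL_NET = re.compile(r"\b192\.168\.\d{1,3}\.\d{1,3}\b")
# The post names DEBUG and VRFY; EXPN is added here because it leaks
# account names the same way VRFY does.
REFUSED = {"DEBUG", "VRFY", "EXPN"}


def is_internal(peer_ip):
    """True if the connecting client sits on the internal network."""
    return INTERNAL_NET.fullmatch(peer_ip) is not None


def rcpt_domain(arg):
    """'TO:<user@host>' -> 'host' (lower-cased), or '' if unparsable."""
    m = re.match(r"TO:\s*<?([^<>@\s]+)@([^<>\s]+?)>?$", arg, re.I)
    return m.group(2).lower() if m else ""


def smtp_reply(command_line, peer_ip, session):
    """Reply the proxy gives to one SMTP command; session keeps MAIL/RCPT state."""
    verb, _, arg = command_line.strip().partition(" ")
    verb = verb.upper()
    if verb in REFUSED:
        return "502 5.5.1 Command not implemented"
    if verb in ("HELO", "EHLO"):
        session["helo"] = arg
        return "250 " + PROXY_HOST
    if verb == "MAIL":
        session["mail_from"] = arg
        session["rcpts"] = []
        return "250 2.1.0 Ok"
    if verb == "RCPT":
        domain = rcpt_domain(arg)
        if not domain:
            return "501 5.1.3 Bad recipient address syntax"
        # Inbound: only mail for our own domain (it goes to mail-internal).
        # Outbound: any domain, but only from the internal server. Anything
        # else would make the proxy an open relay.
        if domain == LOCAL_DOMAIN or is_internal(peer_ip):
            session.setdefault("rcpts", []).append(arg)
            return "250 2.1.5 Ok"
        return "554 5.7.1 Relay access denied"
    if verb == "DATA":
        if session.get("rcpts"):
            return "354 End data with <CR><LF>.<CR><LF>"
        return "503 5.5.1 Need RCPT first"
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Command not recognized"


def run_session(peer_ip, commands):
    """Replies for a whole command sequence from one client."""
    session = {}
    return [smtp_reply(c, peer_ip, session) for c in commands]


def next_hop(rcpt_arg):
    """Where an accepted message for this recipient is forwarded."""
    domain = rcpt_domain(rcpt_arg)
    if domain == LOCAL_DOMAIN:
        return INTERNAL_HOST          # inbound: the internal server
    return "MX of " + domain          # outbound: look up the remote MX


def unfold_headers(header_block):
    """Join folded continuation lines onto their header field."""
    fields = []
    for line in header_block.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    return fields


def scrub_outgoing(message, stamp="Mon, 1 Mar 2004 12:00:00 +0100"):
    """Drop Received: headers that expose the internal network, add our own.

    'stamp' is a constructed timestamp; a real proxy uses the current time."""
    header, sep, body = message.partition("\n\n")
    kept = [f for f in unfold_headers(header)
            if not (f.lower().startswith("received:") and
                    (INTERNAL_NET.search(f) or INTERNAL_HOST in f.lower()))]
    ours = "Received: by %s with SMTP; %s" % (PROXY_HOST, stamp)
    return "\n".join([ours] + kept) + sep + body


# Constructed outbound message as it leaves mail-internal.
SAMPLE_OUTBOUND = (
    "Received: from mail-internal.any-domain.tld (192.168.10.25)\n"
    "\tby mail.any-domain.tld with SMTP; Mon, 1 Mar 2004 12:00:00 +0100\n"
    "Received: from [192.168.10.77] by mail-internal.any-domain.tld\n"
    "\twith ESMTP; Mon, 1 Mar 2004 11:59:00 +0100\n"
    "From: alice@any-domain.tld\n"
    "To: bob@example.com\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    print(run_session("203.0.113.5", ["EHLO x", "VRFY root",
                                      "RCPT TO:<bob@example.com>"]))
    print(scrub_outgoing(SAMPLE_OUTBOUND))
```

The two checks worth keeping in mind from the example: the relay decision is made per recipient, not per connection, so an external client that sends one local and one foreign recipient gets 250 for the first and 554 for the second; and the header scrub must unfold continuation lines first, otherwise an internal address on the second line of a folded Received: header survives.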


   All contents © 2004 Network Presence, LLC. All rights reserved.