
RE: [FW1] Mailserver Behind Firewall



Wolfgang,

What you describe is a mail relay. It's the first time I've heard this
referred to as a mail proxy, but if it makes you happy, I'm not going to get
into an argument over that.
As far as holding the MX record, sure, I meant that the MX record should be
assigned to the mail relay server on the DMZ. But I was thinking from the
mail architecture point of view, so it's the server that holds the MX record
for my entire setup. Perhaps a poor choice of word order and voice.

Other than the semantics, I was making the same point you are, albeit not in
as much detail. :)

Cheers.
George 


 -----Original Message-----
From: 	Wolfgang Kueter [mailto:[email protected]] 
Sent:	Friday, August 03, 2001 5:24 PM
To:	[email protected]
Subject:	Re: [FW1] Mailserver Behind Firewall


George Russell Juppunov wrote:
>
> I'm not sure I understand what you refer to as Mail Proxy, but I'm
> guessing you are talking about a mail relay.

A Mail proxy is a store & forward smtp server, usually placed in the 
DMZ that handles all incoming and outgoing smtp traffic. It receives 
mail from external hosts via smtp, ignoring harmful smtp commands like 
debug and vrfy, and sends the mail further to the internal mail 
server. Mail coming from the internal mailserver has to pass it too and 
is relayed. The headers of outgoing mails should be rewritten to hide 
the architecture and addresses of the internal network. You need to do 
some easy and harmless DNS tricks for such a configuration. You can 
either use a special smtp proxy like the Open Source smtpd (source 
package being just 260 kB, binary very small too; small code, few 
possibilities for bugs and security holes) for that or configure a 
secure smtp server like qmail to operate as an smtp proxy. The only 
service running on that machine should be smtp, and since it is 
configured as a bastion host, the internal mailserver can trust 
it. At least it can be trusted a little more than all other smtp 
servers in the whole net.

Let's make a model:

Internet
|
router
|
|
|
FW-external_interface official IP Address a.b.c.d/30
|
|
|         official a.b.c.d/29         official a.b.c.d+1/29
FW---dmz_interface----------dmz_smtp_store_&_forward_proxy
|                                             mail.any-domain.tld
|
|
FW-internal_interface 192.168.x.y/24
\ 
  \
    \
   internal_smtp_server 192.168.x.y
    mail-internal.any-domain.tld

The MX record in the DNS would announce mail.any-domain.tld as the mail 
server for that particular domain, while the machine itself knows that 
it is not, but mail-internal.any-domain.tld shall get the mail. You 
simply don't have a connection from your internal mail server to any 
other mail server except the mail proxy.

> If you are referring to a mail relay on the DMZ, then that's what I
> meant as well. I didn't think I had to go deeper
> into this mail architecture, but sure. You want to have a mail relay
> or relays that will hold the MX record(s) for
> your company, and you should probably have those on your DMZ. 

Mail relays don't hold MX records. DNS servers hold MX records.

regards
Wolfgang


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================


_____________________________________________________________________ 
IMPORTANT NOTICES: 
          This message is intended only for the addressee. Please notify the
sender by e-mail if you are not the intended recipient. If you are not the
intended recipient, you may not copy, disclose, or distribute this message
or its contents to any other person and any such actions may be unlawful.

         Banc of America Securities LLC("BAS") does not accept time
sensitive, action-oriented messages or transaction orders, including orders
to purchase or sell securities, via e-mail.

         BAS reserves the right to monitor and review the content of all
messages sent to or from this e-mail address. Messages sent to or from this
e-mail address may be stored on the BAS e-mail system.
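The command policy Wolfgang describes for the DMZ store-and-forward proxy (harmful commands such as debug and vrfy ignored, inbound mail accepted only for the announced domain, outbound mail accepted only from the internal server) can be modelled as a small state machine. The following is an added example, not code from this thread, from smtpd or from qmail; the host and domain names are taken from the diagram above, and the sessions in the comments are constructed.

```python
# Added example (not from the thread or any product it mentions): a model of
# the command policy a DMZ store-and-forward smtp proxy applies. It is a
# state machine over one session's command lines, not a network server.
# Host/domain names come from the thread's diagram; sessions are constructed.

BLOCKED = {"VRFY", "EXPN", "DEBUG", "WIZ"}   # information-leaking / debug commands
LOCAL_DOMAINS = {"any-domain.tld"}           # domains the MX record announces

def _domain(addr: str) -> str:
    """Domain part of a <user@host> argument, lower-cased ('' if malformed)."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def handle_session(lines, peer_is_internal=False):
    """Return the reply the proxy would give to each command line.

    peer_is_internal=True models mail-internal.any-domain.tld submitting
    outbound mail through the proxy. Any other peer may only deliver *to*
    the local domains, so the proxy never behaves as an open relay.
    """
    replies, have_sender, have_rcpt = [], False, False
    for raw in lines:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb in BLOCKED:
            replies.append("502 command not implemented")
        elif verb in ("HELO", "EHLO"):
            replies.append("250 mail.any-domain.tld")
        elif verb == "MAIL":
            have_sender, have_rcpt = True, False
            replies.append("250 sender ok")
        elif verb == "RCPT":
            if not have_sender:
                replies.append("503 need MAIL first")
            elif peer_is_internal or _domain(arg.partition(":")[2]) in LOCAL_DOMAINS:
                have_rcpt = True
                replies.append("250 recipient ok")
            else:
                replies.append("550 relaying denied")
        elif verb == "DATA":
            replies.append("354 end data with <CRLF>.<CRLF>" if have_rcpt
                           else "503 need RCPT first")
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognized command")
    return replies
```

Feeding a constructed external session such as `["EHLO host.example", "VRFY root", "MAIL FROM:<a@host.example>", "RCPT TO:<bob@any-domain.tld>", "RCPT TO:<c@other.example>"]` shows the VRFY refused with 502 and the non-local recipient refused with 550, while the same RCPT from the internal server (`peer_is_internal=True`) is accepted.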



