RE: [FW1] Mailserver Behind Firewall
Wolfgang,

What you describe is a mail relay. It's the first time I've heard this referred to as a mail proxy, but if it makes you happy, I'm not going to get into an argument over that.

As far as holding the MX record, sure, I meant that the MX record should be assigned to the mail relay server on the DMZ. But I was thinking from the mail architecture point of view, so it's the server that holds the MX record for my entire setup. Perhaps a poor choice of word order and voice.

Other than the semantics, I was making the same point you are, albeit not in as much detail. :)

Cheers.
George

-----Original Message-----
From: Wolfgang Kueter [mailto:[email protected]]
Sent: Friday, August 03, 2001 5:24 PM
To: [email protected]
Subject: Re: [FW1] Mailserver Behind Firewall

George Russell Juppunov wrote:
>
> I'm not sure I understand what you refer to as Mail Proxy, but I'm
> guessing you are talking about a mail relay.

A mail proxy is a store & forward SMTP server, usually placed in the DMZ, that handles all incoming and outgoing SMTP traffic. It receives mail from external hosts via SMTP, ignoring harmful SMTP commands like DEBUG and VRFY, and sends the mail further to the internal mail server. Mail coming from the internal mail server has to pass it too and is relayed. The headers of outgoing mails should be rewritten to hide the architecture and addresses of the internal network. You need to do some easy and harmless DNS tricks for such a configuration.

You can either use a special SMTP proxy like the open source smtpd (the source package being just 260 kB, the binary very small too: small code, few possibilities for bugs and security holes) for that, or configure a secure SMTP server like qmail to operate as an SMTP proxy. The only service running on that machine should be SMTP, and since it is configured as a bastion host, the internal mail server can trust it. At least it can be trusted a little more than all other SMTP servers in the whole net.

Let's make a model:

    Internet
       |
     router
       |
       |
       |
    FW-external_interface   official IP Address a.b.c.d/30
       |
       |
       |      official a.b.c.d/29            official a.b.c.d+1/29
    FW---dmz_interface----------dmz_smtp_store_&_forward_proxy
       |                                     mail.any-domain.tld
       |
       |
    FW-internal_interface   192.168.x.y/24
        \
         \
          \
           internal_smtp_server  192.168.x.y
           mail-internal.any-domain.tld

The MX record in the DNS would announce mail.any-domain.tld as the mail server for that particular domain, while the machine itself knows that it is not, but that mail-internal.any-domain.tld shall get the mail. You simply don't have a connection from your internal mail server to any other mail server except the mail proxy.

> If you are referring to a mail relay on the DMZ, then that's what I
> meant as well. I didn't think I had to go deeper
> into this mail architecture, but sure. You want to have a mail relay
> or relays that will hold the MX record(s) for
> your company, and you should probably have those on your DMZ.

Mail relays don't hold MX records. DNS servers hold MX records.

regards
Wolfgang

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
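The three jobs Wolfgang gives the DMZ store-and-forward proxy (refuse risky SMTP verbs, relay only for its own domains towards the internal server, and rewrite outgoing headers so the internal network is not revealed), as an added Python example that is not code from the thread nor from smtpd or qmail. The host names and networks are the thread's placeholders; LOCAL_DOMAINS, BLOCKED_VERBS and the sample message are constructed for the example.

```python
# Added example, not code from the thread: the policy a DMZ store-and-forward
# SMTP relay applies; hostnames and networks are the thread's placeholders.
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")  # internal LAN (placeholder)
INTERNAL_MX = "mail-internal.any-domain.tld"           # internal SMTP server
LOCAL_DOMAINS = {"any-domain.tld"}                     # domains we accept mail for
BLOCKED_VERBS = {"VRFY", "EXPN", "DEBUG"}              # never forwarded inward
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def filter_command(line):
    """Reply for a verb the relay refuses, or None to pass the verb through."""
    verb = line.strip().split(" ", 1)[0].upper()
    return "502 5.5.1 Command not implemented" if verb in BLOCKED_VERBS else None

def route(rcpt, client_ip):
    """(reply code, next hop) for a RCPT TO address from a client at client_ip."""
    domain = rcpt.strip("<> ").rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:                 # inbound: always to the inside
        return 250, INTERNAL_MX
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return 250, domain                      # outbound: to the recipient's MX
    return 554, None                            # anyone else: relay denied

def _reveals_internal(text):
    """True if the text names the internal server or an internal address."""
    if INTERNAL_MX in text.lower():
        return True
    return any(ipaddress.ip_address(m) in INTERNAL_NET for m in IPV4.findall(text)
               if all(int(o) < 256 for o in m.split(".")))

def scrub_headers(raw):
    """Drop Received: headers exposing the internal network from outgoing mail."""
    head, sep, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):               # re-join folded continuation lines
        if line[:1] in " \t" and fields:
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    kept = [f for f in fields
            if not (f.lower().startswith("received:") and _reveals_internal(f))]
    return "\n".join(kept) + sep + body

SAMPLE_OUTGOING = (  # constructed: a message handed to the relay from inside
    "Received: from alice-pc ([192.168.1.55])\n"
    "\tby mail-internal.any-domain.tld with SMTP; Fri, 3 Aug 2001 17:23:00 +0200\n"
    "From: alice@any-domain.tld\nTo: bob@example.org\nSubject: hello\n\nbody text\n"
)
```

The relay that receives the scrubbed message adds its own Received: line naming only mail.any-domain.tld, so nothing about the 192.168 network leaves the DMZ.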