George Russell Juppunov wrote:
>
> I'm not sure I understand what you refer to as Mail Proxy, but I'm
> guessing you are talking about a mail relay.
A Mail proxy is a store & forward smtp server, usually placed in the
DMZ, that handles all incoming and outgoing smtp traffic. It receives
mail from external hosts via smtp, ignoring harmful smtp commands like
debug and vrfy, and sends the mail further to the internal mail
server. Mail coming from the internal mailserver has to pass it too and
is relayed. The headers of outgoing mails should be rewritten to hide
the architecture and addresses of the internal network. You need to do
some easy and harmless DNS tricks for such a configuration. You can
either use a special smtp proxy like the Open Source smtpd (source
package being just 260 kB, binary very small too; small code, few
possibilities for bugs and security holes) for that or configure a
secure smtp server like qmail to operate as an smtp proxy. The only
service running on that machine should be smtp, and since it is
configured as a bastion host, the internal mailserver can trust
it. At least it can be trusted a little more than all other smtp
servers in the whole net.
Let's make a model:
                Internet
                   |
                 router
                   |
                   |
                   |
FW-external_interface   official IP Address a.b.c.d/30
 |
 |
 |      official a.b.c.d/29             official a.b.c.d+1/29
FW---dmz_interface----------dmz_smtp_store_&_forward_proxy
 |                          mail.any-domain.tld
 |
 |
FW-internal_interface   192.168.x.y/24
  \
   \
    \
     internal_smtp_server 192.168.x.y
     mail-internal.any-domain.tld
The MX record in the DNS would announce mail.any-domain.tld as the mail
server for that particular domain, while the machine itself knows that
it is not, but mail-internal.any-domain.tld shall get the mail. You
simply don't have a connection from your internal mail server to any
other mail server except the mail proxy.
> If you are referring to a mail relay on the DMZ, then that's what I
> meant as well. I didn't think I had to go deeper
> into this mail architecture, but sure. You want to have a mail relay
> or relays that will hold the MX record(s) for
> your company, and you should probably have those on your DMZ.
Mail relays don't hold MX records. DNS servers hold MX records.
regards
Wolfgang
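As an added illustration of the two jobs Wolfgang gives the proxy (refusing VRFY/DEBUG on the inbound side, scrubbing internal names and addresses from outgoing headers), here is example code that is not from the post, from smtpd or from qmail. The host names and 192.168 addresses follow the model above; EXPN, the RFC 1918 pattern and the sample headers are my assumptions.

```python
import re

# Verbs the proxy refuses to answer on the inbound side. DEBUG and VRFY are the
# ones named in the post; EXPN is my addition on the same reasoning (it lets an
# outside host enumerate recipients).
BLOCKED_VERBS = {"DEBUG", "VRFY", "EXPN"}

# Host names follow the model in the post; the RFC 1918 pattern is mine.
INTERNAL_HOST = "mail-internal.any-domain.tld"
PROXY_HOST = "mail.any-domain.tld"
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+)\b")

def filter_command(line):
    """Reply string for a blocked inbound SMTP verb, None if it may be forwarded."""
    verb = line.strip().split(" ", 1)[0].upper()
    return "502 5.5.1 Command not implemented" if verb in BLOCKED_VERBS else None

def _unfold(header_block):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in header_block.split("\r\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def rewrite_outbound_headers(raw):
    """Scrub outgoing headers before the mail leaves the DMZ: drop Received:
    lines exposing a private address or the internal host, rename that host
    to the proxy's elsewhere (e.g. Message-ID), mask leftover private IPs."""
    headers, sep, body = raw.partition("\r\n\r\n")
    kept = []
    for h in _unfold(headers):
        name = h.split(":", 1)[0].strip().lower()
        if name == "received" and (PRIVATE_IP.search(h) or INTERNAL_HOST in h):
            continue
        kept.append(PRIVATE_IP.sub("[internal]", h.replace(INTERNAL_HOST, PROXY_HOST)))
    return "\r\n".join(kept) + sep + body

# Constructed sample as handed over by the internal mailserver (folded Received: on purpose).
SAMPLE = (
    "Received: from mail-internal.any-domain.tld ([192.168.7.25])\r\n"
    "\tby mail.any-domain.tld with SMTP id k1 for <bob@example.org>\r\n"
    "Received: from pc42 ([192.168.7.100]) by mail-internal.any-domain.tld\r\n"
    "Message-ID: <1234@mail-internal.any-domain.tld>\r\n"
    "From: alice@any-domain.tld\r\nTo: bob@example.org\r\n"
    "\r\nbody text\r\n"
)
```

A real proxy would add its own Received: line naming only the DMZ host after this rewrite, so the outside world sees one hop ending at mail.any-domain.tld.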
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================