Naresh Narang <[EMAIL PROTECTED]> wrote:
> Mike,
>
> Though I agree that moving sendmail to the DMZ is a good idea,
> nothing prevents a hacker from reaching your mail server in the DMZ.

Harden that machine and use a secure MTA (qmail, postfix) or an SMTP
proxy in the DMZ. The machine should only offer one single service, that
is SMTP.

> Maybe if you would want to run some SMTP proxy on the firewall.

Hm, you can do that, but I don't recommend it. I find it far more
secure to have a separate machine in the DMZ that can be reached on
port 25 than to have that port open on the firewall itself. If the daemon
in use (whatever it is) turns out to be vulnerable some day, only
the machine in the DMZ can be attacked, but not the firewall.
Again:
Basic Rule No1 in all firewalling:
Best is to have just no open ports on your firewall/packet filter.
Wolfgang
--
Wolfgang Kueter Netzwerkadministration & Security
SHLINK Internet Service http://www.shlink.de [EMAIL PROTECTED]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Telefon: +49 4121 269 006 Fax: +49 4121 269 007