>Let's, for instance, say a foolish fellow was told by his boss to 
>install an IMail server immediately, no delay,

"no relay" do you mean?  vbg

>and had no access to the firewall (no DMZ, two ether ports only, 
>doing NAT) at the time to create the necessary paths through.  This 
>said, he placed the IMail server in the outside address space, 
>physically located outside the firewall.
>
>Now that this has all been running for a while and the boss has 
>granted the foolish IT guy time to do the things that should have 
>been done months ago, he now wants to move the IMail server to the 
>inside (NAT) network.  Is this a move that has a future?  Should the 
>foolish IT guy just give up?

maybe, maybe not.

>Maybe someone knows of an easy way to set up a method of firewalling 
>the server right where it is without restructuring the IP scheme?  Help!

Yes, dead simple (in some contexts):  run IMGate on the outside as 
your "bastion SMTP host" and have it send/receive all Internet mail 
on behalf of Imail on the inside.  This will give you great 
protection and reduced traffic across NAT since Imail won't have to 
do DNS lookups and full SMTP protocol + delays thru NAT.

You only have to punch a hole in the firewall for IMgate's ip 
address, and Imail only delivers to IMGate's ip, and IMGate only 
relays (inbound) to Imail's ip.

A weak point arises if you are doing dial-ups + SMTP AUTH, and that 
IMGate doesn't do. But if all your users are on the "inside", you're 
fine. Plus you get the anti-spam, anti-relay, global filtering, msg 
size policy enforcement, DNS MX lookups, outside the firewall, keeping 
all that junk out of the firewall traffic.

Otherwise, if your NAT box is "good", then "port forwarding" can be 
made to work without the outside IMgate box.

Len


http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5  installable binary for NT4
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways
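
The pinhole described in the reply above (only IMGate's IP crosses the firewall, IMail delivers only to IMGate, IMGate relays inbound only to IMail) can be checked mechanically against a proposed rule set. The Python check below is an added example, not part of the original post and not IMGate or IMail code; the addresses, the `Rule` tuple and the `audit` function are constructed for illustration, and rules are assumed to be written in post-NAT terms.

```python
import ipaddress
from typing import NamedTuple

# Constructed example addresses (documentation/private ranges), not from the post.
GATEWAY = ipaddress.ip_network("192.0.2.10/32")   # outside bastion host (IMGate)
MAILHOST = ipaddress.ip_network("10.0.0.25/32")   # inside mail server (IMail)
SMTP = 25

class Rule(NamedTuple):
    direction: str  # "in": outside -> inside, "out": inside -> outside
    src: str        # CIDR the rule allows as source
    dst: str        # CIDR the rule allows as destination
    port: int       # allowed TCP port, 0 meaning any

def audit(rules):
    """Return (rule, reason) for every allow rule wider than the SMTP pinhole."""
    findings = []
    for rule in rules:
        if rule.port not in (0, SMTP):
            continue  # rule cannot carry SMTP, so it is outside this check
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        if rule.direction == "in" and MAILHOST.subnet_of(dst):
            if src != GATEWAY:
                findings.append((rule, "inbound SMTP reaches mail server from hosts other than the gateway"))
            elif dst != MAILHOST or rule.port != SMTP:
                findings.append((rule, "gateway pinhole is wider than mail server port 25"))
        elif rule.direction == "out" and MAILHOST.subnet_of(src):
            if dst != GATEWAY:
                findings.append((rule, "mail server can send SMTP directly, bypassing the gateway"))
    return findings

# Constructed sample rule set: the first two rules are the intended pinhole.
SAMPLE_RULES = [
    Rule("in", "192.0.2.10/32", "10.0.0.25/32", 25),
    Rule("out", "10.0.0.25/32", "192.0.2.10/32", 25),
    Rule("in", "0.0.0.0/0", "10.0.0.25/32", 25),    # leftover "any to mail server" rule
    Rule("out", "10.0.0.0/24", "0.0.0.0/0", 25),    # whole LAN may send mail anywhere
    Rule("in", "192.0.2.10/32", "10.0.0.0/24", 0),  # gateway allowed to whole LAN, any port
    Rule("out", "10.0.0.0/24", "0.0.0.0/0", 80),    # web traffic, not part of this check
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.direction:3} {rule.src} -> {rule.dst} port {rule.port or 'any'}: {reason}")
```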
