Actually, a PIX box already simplifies your filter rules, because you do
not have to worry about incoming socket #s... the PIX box maintains a
"state" table of all outgoing requests to match against when an incoming
socket is received...



----- Original Message -----
From: "Len Conrad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 30, 2000 12:27 PM
Subject: Re: [IMail Forum] IMail server behind a PIX firewall


>
> >We are running IMail 6 and recently placed our mail server behind a
> >PIX firewall.  When we look at the IMail Log files, every 30 minutes
> >we see MANY idle timeout messages.
>
> "SMTP-" sending? "SMTPD" receiving?  (actually, I don't care. see below)
>
> >Is there anyone else on the list with an IMail server behind a PIX
> >firewall?  Any help is greatly appreciated.
>
> You asked for it: think "outside the box"
>
> ie, run a "bastion mail host" outside the firewall.  This greatly
> offloads SMTP traffic from the firewall (no DNS lookups, no mail
> delivery retries).  It also greatly simplifies your packet filtering
> rules, which means better security (fewer human mistakes), less
> maintenance, and reduced rule processing PIX load.
>
> Bastion mail hosts stop 10% - 20% of total outside of the firewall
> because it's junk mail, again liberating that very expensive firewall
> (it's just a PC with Cisco badge) from processing junk, doh.  Bastion
> mail hosts are free.  The bastion host becomes part of your total
> firewalling tactics.
>
> Len
>
>
> http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 & 8.2.3 T6B for NT4 & W2K
> http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
