On Thu, May 09, 2002 at 12:58:45PM -0500, Steve Bremer wrote:
> >
> > The usual way to configure mail infrastructure in most small-to-medium
> > sized businesses is to have a mail gateway (sometimes known as a relay
> > server) in the DMZ, and your production mail server in the LAN.
>
> I would tend to agree with Kurt on this. That way you can use
> something really secure like qmail as your mail gateway. This
> prevents your internal, possibly less secure, (e.g. exchange) mail
> server from being directly exposed to the Internet.
>
> Just my opinion.

And a good one it is! In my real job, for a .gov, we have a machine set up just like this. Hardened OS, dual NIC, all mail must pass through this machine. That gives us full header tracking, ability to block mail from things like SPAMmers on an enterprise scale, header mangling, etc.

The gateway is sacrificial. When it ever gets compromised, 15 minutes later it's back up, built from a pristine image.

Tim

--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)               ><  Coastal Internet,Inc.          <<
>> Network and Systems Operations     ><  PO Box 671                     <<
>> http://www.buoy.com                ><  Ridge, NY 11961                <<
>> [EMAIL PROTECTED][EMAIL PROTECTED] ><  (631)924-3728  (888) 924-3728  <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
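
The relay-only gateway role discussed in this thread, as an added example that is not from either poster: a small audit of qmail's standard control files (`rcpthosts`, `locals`, `smtproutes`) that flags a gateway which would accept mail for any domain, deliver mail locally instead of relaying it, or lack a static route to the internal server. The domains and addresses are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit qmail control files for a relay-only DMZ gateway.
# Domain names and addresses below are constructed placeholders.

def entries(text):
    """Non-empty lines of a control file; a missing file (None) gives []."""
    return [ln.strip().lower() for ln in (text or "").splitlines() if ln.strip()]

def parse_smtproutes(text):
    """smtproutes lines are 'domain:relay' or 'domain:relay:port';
    an empty domain is the default route."""
    routes = {}
    for ln in entries(text):
        domain, _, rest = ln.partition(":")
        routes[domain] = rest.split(":")[0]
    return routes

def audit_gateway(control):
    """control maps a control-file name to its text, or None if absent.
    Returns a list of (file, problem) tuples; empty means no findings."""
    findings = []
    if control.get("rcpthosts") is None:
        # Without rcpthosts, qmail-smtpd does not restrict recipient domains.
        findings.append(("rcpthosts", "missing: qmail-smtpd accepts mail for any domain"))
    accepted = entries(control.get("rcpthosts"))
    local = set(entries(control.get("locals")))
    routes = parse_smtproutes(control.get("smtproutes"))
    for domain in accepted:
        if domain in local:
            findings.append(("locals", f"{domain} is delivered on the gateway, not relayed"))
        if not routes.get(domain) and not routes.get(""):
            findings.append(("smtproutes", f"{domain} has no static route to the internal server"))
    return findings

# Constructed sample configurations.
GOOD = {"rcpthosts": "example.org\n", "locals": "",
        "smtproutes": "example.org:10.0.0.25\n"}
BAD = {"rcpthosts": None, "locals": "example.org\n", "smtproutes": None}
HALF = {"rcpthosts": "example.org\nexample.net\n", "locals": "example.net\n",
        "smtproutes": "example.org:10.0.0.25:2525\n"}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD), ("HALF", HALF)):
        print(name, audit_gateway(cfg))
```

Running the same check against the pristine image before each rebuild confirms that the restored gateway still relays only for the intended domains.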
