Hi again: First of all, thanks marco and compdoc for the answers.
Maybe I explained the situation not as well as I should have, but in my defense I must say that I wrote the mail at approx. 02:30 am, and I'm not so young :P

Well, I will explain with more specific examples and the procedure to solve this, imho, at least as a 'bypass' for now, while I make the necessary changes to get a stable/final solution:

I've 2 servers, one in orange and one in green (historical infrastructure that can't be changed for now). These servers give http, smtp and dns service to the internet. For the majority of virtual domains inside the mail servers, our dns servers are the authoritative answer => but not for 100% of the mail domains we host <=. Each mail server has its own fixed public IP.

*The actual situation:
- EFW has its own fixed public IP, NOT reflected in dns records
- EFW has an alias for the 2 public mail server addresses
- For now the smtp proxy is not enabled and we have a NAT rule for each pair of mail server public/internal IP (one rule for smtp, another for http, etc...)

Then EFW only routes packets from outside to inside and vice versa, applying firewall rules.

*The needed situation for now:
- Enable smtp proxy for incoming mail (outside2inside) BUT NOT for outgoing mail (inside2outside). We HAVE well defined the mail domain/internal_server_ip in proxy -> SMTP -> Domains
- Disable the currently defined DNAT rule for mail traffic (to prevent the bypassing of the proxy when enabled, of course).
- Maintain or create a SNAT rule for the mail traffic for each mail server.

Then: incoming mail from the internet should be cached by the proxy, processed and delivered to the defined internal mail server (proxy -> SMTP -> Domains), BUT, when each internal mail server sends outgoing mail, the delivery must be done by it, not by EFW, 'cause the public mail server IP (SNAT) will be the same as currently informed in dns registers, and the receiver will not complain about the connection (currently - with the NAT rules - this is how it works, and all mail is well delivered).

The tests made were a total failure :( In EFW, NAT rules seem to be only created from Red to inside (DNAT), creating an inherent SNAT rule for the inside2outside traffic for the defined IP. I need to 'break' this, disabling the DNAT rule but maintaining the SNAT rule.

Hope that now I've explained the situation better. I understand that the better solution is to define the EFW public IP in the dns registers as you told me before, but it's a solution to be implemented when we talk with the dns admins that manage the records of some mail domains hosted by us. Until we can assure that all dns info is OK, we need to solve this situation, afaik, using the method mentioned before (enable smtp proxy for incoming mail but apply a SNAT rule for the outgoing mail traffic generated from the internal mail servers, to present the connection with the public IP address of the mail server, not the EFW machine).

Take in mind that at least one of the internal mail servers processes 100.000 mails each 24 hours (more than 75% is spam :/ and it is sad to see how the processing capacity is dedicated to 'read mail, is spam, to trash', etc... bothering the legitimate mails/clients) and is not a powerful machine, having high cpu iowait and constantly all 'reserved' smtp daemons/sockets loaded with connections. The idea is to unload the mail server, blocking spam in the EFW layer, as you can suppose.

Thanks again for your time
D.
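The two NAT layouts the message contrasts, as an added example that is not part of the original post and not Endian's own rule generator: a small Python model of netfilter's PREROUTING (DNAT) and POSTROUTING (SNAT) decisions. It shows why a port-25 DNAT rule hands inbound mail straight to the internal server, bypassing any proxy on the firewall, while a stand-alone SNAT rule is enough to keep outbound mail leaving with the mail server's own public address rather than the firewall's. All addresses are constructed (RFC 5737 and RFC 1918 ranges), and the proxy's local acceptance of port 25 and the fallback to `EFW_PUBLIC` when no SNAT matches are assumptions about the model, not statements about EFW internals.

```python
"""Model of DNAT versus SNAT-only handling for SMTP on a dual-LAN firewall.

Plain netfilter illustration of the thread's two layouts; it is NOT EFW's
own rule generator. All addresses are constructed documentation/private
ranges, not the poster's real ones.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SMTP, HTTP = 25, 80
EFW_PUBLIC = "203.0.113.1"          # assumed: the firewall's own public IP (not in DNS)

# assumed: public alias held by the firewall's red interface -> internal mail server
MAIL_SERVERS: Dict[str, str] = {
    "203.0.113.10": "10.0.0.10",    # green mail server
    "203.0.113.20": "172.16.0.20",  # orange mail server
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str                   # "red" for internet, "green"/"orange" for the LANs


@dataclass
class NatConfig:
    dnat: Dict[Tuple[str, int], str]  # PREROUTING: (public ip, dport) -> internal ip
    snat: Dict[str, str]              # POSTROUTING: internal ip -> public source ip
    smtp_proxy: bool                  # firewall accepts port 25 locally for the proxy


def _all_snat() -> Dict[str, str]:
    return {internal: pub for pub, internal in MAIL_SERVERS.items()}


def current_layout() -> NatConfig:
    """Today's setup: a DNAT rule per public/internal pair for smtp and http, no proxy.
    The SNAT entries are the reverse mapping the DNAT pair implies."""
    dnat = {}
    for pub, internal in MAIL_SERVERS.items():
        dnat[(pub, SMTP)] = internal
        dnat[(pub, HTTP)] = internal
    return NatConfig(dnat=dnat, snat=_all_snat(), smtp_proxy=False)


def wanted_layout() -> NatConfig:
    """Wanted setup: the smtp DNAT is removed so the proxy sees inbound mail,
    http DNAT stays, and SNAT is kept so outbound mail keeps the server's public IP."""
    dnat = {(pub, HTTP): internal for pub, internal in MAIL_SERVERS.items()}
    return NatConfig(dnat=dnat, snat=_all_snat(), smtp_proxy=True)


def inbound(pkt: Packet, cfg: NatConfig) -> Tuple[str, Optional[str]]:
    """Disposition of a packet arriving on red: ('forwarded', internal_ip),
    ('proxy', public_ip) or ('dropped', None)."""
    target = cfg.dnat.get((pkt.dst, pkt.dport))
    if target is not None:
        return ("forwarded", target)          # DNAT wins; a local proxy never sees it
    if pkt.dport == SMTP and cfg.smtp_proxy and pkt.dst in MAIL_SERVERS:
        return ("proxy", pkt.dst)             # delivered to the firewall's smtp proxy
    return ("dropped", None)                  # nothing matches; default firewall policy


def outbound(pkt: Packet, cfg: NatConfig) -> str:
    """Source IP a LAN packet leaves red with after POSTROUTING."""
    return cfg.snat.get(pkt.src, EFW_PUBLIC)  # assumed fallback: masquerade as the firewall


def proxy_delivery(public_ip: str) -> str:
    """Where the proxy relays accepted mail: the proxy -> SMTP -> Domains mapping."""
    return MAIL_SERVERS[public_ip]


if __name__ == "__main__":
    # Constructed traffic: a remote MTA connecting in, and the green server sending out.
    remote_in = Packet("198.51.100.7", "203.0.113.10", SMTP, "red")
    local_out = Packet("10.0.0.10", "198.51.100.7", SMTP, "green")
    for name, cfg in (("current", current_layout()), ("wanted", wanted_layout())):
        print(name, "inbound smtp ->", inbound(remote_in, cfg),
              "| outbound source:", outbound(local_out, cfg))
```

Running the block prints the inbound disposition and outbound source for both layouts; the point to check is that the outbound source is the same public address in both, so removing the DNAT rule alone does not change what receiving MTAs see, and that a configuration with no SNAT at all would fall back to the firewall's own address, which is the failure the message wants to avoid.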
_______________________________________________
Efw-user mailing list
https://lists.sourceforge.net/lists/listinfo/efw-user
