You'll need to set up a "split" DNS.  It's actually two DNS
servers, one running on the firewall and one running internally.

The DNS server on the firewall:
    1) is used by the outside world.
    2) contains an MX record that tells the rest of the world
        to deliver all mail to the firewall.
    3) contains only the entries that you want the outside
        world to see.

The internal DNS server:
    1) is used by all internal hosts, including the firewall (I
        know, that point is confusing, more about this below)
    2) contains an MX record which points at the actual
        internal mail server
    3) should contain all the entries that you want your internal
        users to see
    4) has a forwarding statement in its named.boot file (the
        config file for the internal DNS) which points at the DNS
        on the firewall.  This causes the internal DNS to forward
        any queries that it can't answer to the firewall's DNS
        which is able to talk to the outside world.  (i.e., queries
        get "forwarded").

The firewall itself:
    1) is set up to use the internal DNS so that it knows about
        the internal hosts (example below).
    2) is set up to accept mail for all "domains" which are
        internal and have mail servers.

Example:

    1) [EMAIL PROTECTED]  composes a message to [EMAIL PROTECTED]
    2) when he hits send, his MUA (mail user agent) hands
        the message off to my MTA (mail transfer agent)(could
        be a mail server, could be a firewall, etc.).
    3) my MTA looks at the domain portion of your address,
        "your.com", consults the DNS and determines that
        your DNS is located at the IP address of your firewall.
    4) my MTA asks your firewall's DNS for the MX (mail
        exchanger) record for "your.com".
    5) your firewall's DNS returns the IP address for the MX
        for "your.com" (basically, the external DNS names the
        firewall as the external mail server for "your.com").
    6) my MTA connects to your MTA (in this step, the smtp
        program on your firewall --> smap) and hands the
        message off to your firewall.
    7) smap dumps the program in the /var/spool/smap directory
    8) periodically the firewall will run sendmail against any
        messages located in the /var/spool/smap directory
    9) sendmail picks up the message and consults the internal DNS
        (remember the firewall is set up to resolve off the internal
        DNS) for the MX record for "your.com"
    10) the internal DNS returns the IP address for your internal
        mail server
    11) the MTA on the firewall (in this step it's sendmail) hands
        the message to the MTA on your mail server (sendmail or
        MSExchange or some other SMTP compliant program)
        which tucks it away in your private mail spool.

The example above is somewhat simplified (I admit to glossing
over a couple points!) but should give you an idea about how it
works.   It may be a little hard to wrap your brain around the idea
of running a split DNS but once you've got it, it's somewhat
obvious.  (Drawing it out on paper may help.)

If you're going to be doing this for a living, you should purchase/
borrow a copy of "DNS and Bind" [1] which is published by
O'Reilly and Associates.

Hope this helps,
Tim Kramer
ITDN Dam Neck

[1] Got up to look at the book for the authors' names and came
to the sudden realization that both it and the new guy have gone
missing!!!

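The two named.boot files, the two zone files and the firewall's resolv.conf that the steps above describe, written out as an added example (not configuration from the original post or from the TIS toolkit). The addresses (192.0.2.1 as the firewall's public address, 10.1.1.x inside), the zone file names and the hosts ns, mail, www and fw are assumptions made for the example; BIND 4 named.boot syntax is used because that is the file the post names.

```conf
; --- named.boot on the FIREWALL (the external DNS, BIND 4 syntax) ---
; Authoritative for the public view of your.com; no forwarders, it
; resolves everything else itself via the root cache.
directory   /etc/namedb
primary     your.com          db.your.com.ext
cache       .                 db.cache

; --- db.your.com.ext: the only records the outside world sees ---
; (constructed addresses: 192.0.2.1 stands in for the firewall's
;  public address)
@       IN  SOA   fw.your.com. hostmaster.your.com. (
                  1 3600 900 604800 86400 )
        IN  NS    fw.your.com.
        IN  MX    10 fw.your.com.     ; world delivers all mail to firewall
fw      IN  A     192.0.2.1
; deliberately no internal hosts in this file

; --- named.boot on the INTERNAL DNS server ---
; Authoritative for the full internal view; anything it cannot answer
; is forwarded to the firewall's DNS, which can talk to the outside.
directory   /etc/namedb
primary     your.com          db.your.com.int
cache       .                 db.cache
forwarders  10.1.1.1          ; firewall's inside address (constructed)
options     forward-only      ; never try to reach the outside itself

; --- db.your.com.int: what internal users (and the firewall) see ---
@       IN  SOA   ns.your.com. hostmaster.your.com. (
                  1 3600 900 604800 86400 )
        IN  NS    ns.your.com.
        IN  MX    10 mail.your.com.   ; sendmail on firewall delivers here
ns      IN  A     10.1.1.2
mail    IN  A     10.1.1.3
fw      IN  A     10.1.1.1
www     IN  A     10.1.1.4

; --- /etc/resolv.conf on the FIREWALL ---
; Point only at the internal DNS so that sendmail on the firewall
; finds the internal MX; listing the external server here as well
; (as in the original question) makes the MX answer depend on which
; server happens to reply.
domain      your.com
nameserver  10.1.1.2
```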

[EMAIL PROTECTED] wrote:

> Hello all,
>
> I'm a newbie and would like to learn about firewall stuff.
> I downloaded a copy of TIS firewall and got stuck in setting
> up the mail proxy.  The document that I can find only tells
> me about the netperm-table. But how about the mail servers
> or DNS?
>
> I managed to get two mail servers running on both sides of
> the network (internal and external), and able to send and
> receive mail on its own network (internal to internal, ext
> to ext).  Both of these mail servers have the MX record point
> to the firewall sitting in the middle, but the problem is
> I can't get the mail across from internal to external, and
> vice versa.  I'm not using any split DNS, no named running
> on the firewall, but I do have entries of external and
> internal DNS in my resolv.conf file.
>
> What did I do wrong? Did I miss something? Do I need to
> modify my sendmail.cf file?
>
> Please help!
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

