Thanx for the reply. The reason for the secondary DNS is purely for
redundancy purposes - I do see your point about not letting anyone connect
to the firewall however and will keep that in mind.

I use MS Exchange both inside and outside - comments welcome

-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: 07 March, 2000 15:06
To: Ferdi Retief
Cc: '[EMAIL PROTECTED]'
Subject: Re: The best way to do smtp


On Tue, 7 Mar 2000, Ferdi Retief wrote:

> What is the best way to handle incoming SMTP?
> 
> I have an SMTP server that receives messages on the outside of my firewall.
> When this server is not available, email will go to the outside interface of
> my firewall. The "email hub" then automatically forwards all email to the
> outside interface of my firewall, which then proxies it to an inside server
> via the SMTP proxy.

I'm a big fan of this approach, external MTA <=> Proxy <=> internal MTA

> 
> I am, however, getting messages that get stuck on the outside "email hub"
> although it is set to forward all messages to the firewall.

That sounds like a configuration problem on the external MTA, not a
problem with the architecture.  

> What is the best way to do this - do I need an outside "email hub" or should
> I let my firewall receive all email?

Personally, I'd use Postfix (http://www.postfix.org) externally, and take
the secondary MX record for the Firewall's external interface out of the
DNS.  Then I'd block SMTP to the firewall from anything but the external
MTA.  Postfix is well-behaved enough that it won't flood the firewall
even under a heavy deluge of mail from the outside, it's got good
anti-relay and anti-spamming features, and it's fairly easy to configure
as a relay host.  My second choice would be Qmail.  Both are capable of
handling significant volumes of mail.

For incoming services, I think that having a hardened host both inside
and outside the firewall to relay the traffic at the application layer (I
typically do the same for DNS) increases security and stability
significantly (assuming the hosts are well-built.)  I've never
particularly cared for the world at large initiating connections to the
firewall though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
 
PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
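As an added illustration of the external relay role Paul describes (external MTA <=> proxy <=> internal MTA), here is a Postfix main.cf fragment that accepts mail only for the protected domain, hands it to the firewall's SMTP proxy, and refuses to relay for anyone else. This is not from either poster; the hostname, domain and the 192.0.2.1 proxy address are placeholder assumptions.

```conf
# External MTA as an inbound-only relay (added example, not part of the thread).
# myhostname, example.com and 192.0.2.1 are placeholders; substitute your own.
myhostname = mx1.example.com
inet_interfaces = all

# The relay is the final destination for nothing: no local delivery at all,
# so a compromised local account cannot receive or stash mail here.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled on this relay

# Accept inbound mail only for the protected domain ...
relay_domains = example.com

# ... and send it to the firewall's external interface (the SMTP proxy)
# instead of doing an MX lookup.  Brackets suppress the MX lookup.
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport contains one line:
#   example.com   smtp:[192.0.2.1]
#   (run "postmap /etc/postfix/transport" after editing it)

# Anti-relay: only the relay itself is trusted; every other client may only
# send to relay_domains.  This is what keeps the box from being an open relay.
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Cheap sanity checks on inbound sessions before anything is queued.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination

# Optional but recommended: a list of valid internal recipients exported
# from the inside server, so unknown users are rejected at the edge instead
# of being bounced later (which generates backscatter).
# relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Keep a burst of outside mail from becoming a flood at the proxy:
# cap concurrent deliveries toward the firewall.
smtp_destination_concurrency_limit = 5
```

With the secondary MX pointing at the firewall removed from DNS, as Paul suggests, this host is the only thing the outside world needs to reach on port 25, and the firewall only has to accept SMTP from it.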