Hello,

A few things that may already be apparent. If you do reverse NAT and redirect port 25 traffic to an internal mail host, then you open your inside network to potential issues if the MTA is compromised. Sure, you may not be able to initiate a normal login to the machine after adding your rootkit via sendmail, but nonetheless it is possible to blindly hack. You are much better off designing a distinction between your internal hosts and your public services.

If for the sake of argument you had reasons to do reverse NAT and only have a limited number of public addresses visible, then you would still want to have a DMZ network that contained your public services. The most common approach is to run a very basic and limited MTA facing the public that does nothing but listen on port 25, queue mail, and deliver it internally to another more complex MTA. For example you may run smtpd or smap on your publicly announced mail server. You then might have that mail delivered to a more complex MTA like qmail or sendmail.

cheers,
.truman.boyes.

On Fri, 16 Mar 2001, Rick Lim wrote:

> Hi there,
> I just wanted to ask a few questions. I'm looking for the same
> setup; the questions I have are: with port 25 forwarded to the
> internal mail hub, is the 'hole/tunnel' through the firewall 'safe'?
> Does this just shift the security risk to the internal mail server?
> Also, doesn't the internal mail server just send mail out the firewall
> via the NAT that the firewall provides, so it just appears as if it's from the
> firewall?
> Therefore you would not need to forward port 25 from the internal mail
> server from the internal to the outside, just from the outside to the
> inside.
>
>   firewall port 25 ---port forwarded---> internal mail server, outgoing mail
>      ^                                                    |
>      \<--------<outgoing mail sent via NAT on firewall<--------------/
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Jose Nazario
> > Sent: Friday, March 16, 2001 7:38 AM
> > To: Hans Scheffers
> > Cc: Firewalls-Digest (E-mail)
> > Subject: Re: iptable / NAT
> >
> > On Fri, 16 Mar 2001, Hans Scheffers wrote:
> >
> > > Do I need a sendmail on my firewall, when I do a forward of port 25
> > > from the outside to the inside and inside -> outside?
> >
> > no, you do not need an instance of sendmail on your firewall if you have
> > an internal SMTP server. you *can*, if you want, put a mail hub on your
> > firewall and enhance it with, say, content screening, but that's not
> > needed. just allow SMTP traffic to the proper servers.
> >
> > ____________________________
> > jose nazario [EMAIL PROTECTED]
> > PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> > PGP key ID 0xFD37F4E5 (pgp.mit.edu)
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
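The layout Truman recommends above (public port 25 landing on a minimal relay in a DMZ, with that relay the only DMZ host allowed to open SMTP to the internal hub) and the outbound path Rick and Jose discuss (the hub's mail leaving through the firewall's NAT, so no sendmail is needed on the firewall itself), written out as iptables rules. This is an added example, not code from any post in the thread. Interface names, addresses and host roles are assumptions chosen for illustration, and the naive variant is included only to contrast with the DMZ version.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, addresses and host
# roles below are assumptions chosen for illustration.
set -u

WAN_IF=eth0                 # public side
DMZ_IF=eth1                 # DMZ segment holding the relay
LAN_IF=eth2                 # internal network
PUBLIC_IP=203.0.113.10      # assumed public address of the firewall
RELAY=192.168.100.25        # minimal MTA (smtpd/smap style) in the DMZ
MAILHUB=10.0.0.25           # full MTA (sendmail/qmail) on the inside

# Run iptables, or with DRY_RUN=1 print the rule instead of loading it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# What the thread warns against: port 25 forwarded straight to a LAN host.
# Whoever owns that MTA then has a foothold on the internal network.
naive_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAILHUB"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$MAILHUB" --dport 25 -j ACCEPT
}

# The DMZ design: inbound SMTP lands on the relay, the relay may open only
# port 25 on the hub, outbound mail leaves via SNAT, and everything else from
# the DMZ toward the LAN is dropped.
dmz_rules() {
    # replies to flows we already allowed
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> relay, port 25 only
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$RELAY"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$RELAY" --dport 25 \
        -m state --state NEW -j ACCEPT
    # relay -> internal hub, port 25 only, from the relay address only
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp -s "$RELAY" -d "$MAILHUB" --dport 25 \
        -m state --state NEW -j ACCEPT
    # hub -> relay for outgoing mail, relay -> Internet with the public source address
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -p tcp -s "$MAILHUB" -d "$RELAY" --dport 25 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -p tcp -s "$RELAY" --dport 25 \
        -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$RELAY" -j SNAT --to-source "$PUBLIC_IP"
    # nothing else crosses from the DMZ into the LAN
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

case "${1:-}" in
    apply) dmz_rules ;;
    show)  DRY_RUN=1; dmz_rules ;;
esac
```

`sh mail-dmz.sh show` prints the rule set; `apply` loads it. The script assumes the FORWARD chain already has a default policy of DROP and does not flush or replace existing chains, so review it against what is loaded before running `apply`. Because the hub hands outgoing mail to the relay and the relay's traffic is source-NATed to the public address, mail does appear to come from the firewall, as Rick expected, and the LAN never needs an inbound port 25 hole of its own.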
