Any reason not to NAT an externally accessible mail server install?
NAT is an IP conservation scheme, could be an "obscurity" tactic, but it's not a security tactic. And static NAT + port forwarding that you need for servers is even less of a "security by obscurity" tactic.
It's always more of a pain to admin servers behind NAT (confusion, reverse DNS). Much better to put bastion hosts and proxies (SMTP, DNS) on public IPs in a DMZ. As a general rule, you want as few connections as possible between your private NATted network and the Internet.
From the POV of SMTP traffic, SMTP proxies like IMGate + DNS in the DMZ will keep tons of traffic out of your inner firewall (rejected SPAM, DNS lookups) and greatly simplify your firewall rules.
That's the ideal, but of course many are forced away from the ideal: colo and ded servers running naked in a hosting shop, or you have no control over the edge router (managed by your WAN link provider) and its ACLs (router as outer firewall), your mass market low-end "firewall" doesn't have a DMZ interface, you only have one public IP for your entire operation, etc, etc.
Len
http://MenAndMice.com/DNS-training: New York; Seattle; Chicago
IMGate.MEIway.com: anti-spam gateway, effective on 1000's of sites, free
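An added example, not part of the original post: a small audit of inner-firewall allow rules that flags any rule connecting the private network directly to the Internet, comparing the static NAT + port-forward layout with the DMZ proxy layout described above. All addresses, rule sets and function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing (assumption, not from the post).
LAN = ip.ip_network("10.0.0.0/24")    # private NATted network
DMZ = ip.ip_network("192.0.2.0/28")   # public IPs for bastion hosts/proxies

def zones(cidr):
    """Return every zone a rule endpoint can reach: lan, dmz, internet."""
    net = ip.ip_network(cidr)
    found = set()
    if net.overlaps(LAN):
        found.add("lan")
    if net.overlaps(DMZ):
        found.add("dmz")
    # Anything not fully contained in LAN or DMZ also covers outside hosts.
    if not (net.subnet_of(LAN) or net.subnet_of(DMZ)):
        found.add("internet")
    return found

def direct_lan_internet(rules):
    """Return (direction, rule) for each allow rule that lets the private
    network and the Internet talk without going through the DMZ."""
    findings = []
    for rule in rules:
        src, dst = zones(rule[0]), zones(rule[1])
        if "internet" in src and "lan" in dst:
            findings.append(("inbound", rule))
        if "lan" in src and "internet" in dst:
            findings.append(("outbound", rule))
    return findings

# Constructed inner-firewall allow rules: (source, destination, proto, port).
PORT_FORWARD = [
    ("0.0.0.0/0", "10.0.0.25/32", "tcp", 25),    # forwarded SMTP from anywhere
    ("10.0.0.25/32", "0.0.0.0/0", "tcp", 25),    # outbound mail delivery
    ("10.0.0.25/32", "0.0.0.0/0", "udp", 53),    # DNS lookups by the mail server
]
DMZ_PROXY = [
    ("192.0.2.2/32", "10.0.0.25/32", "tcp", 25),  # SMTP proxy hands off accepted mail
    ("10.0.0.25/32", "192.0.2.2/32", "tcp", 25),  # outbound mail relays via proxy
    ("10.0.0.25/32", "192.0.2.3/32", "udp", 53),  # lookups go to the DMZ DNS
]

if __name__ == "__main__":
    for name, rules in (("static NAT + port forward", PORT_FORWARD),
                        ("DMZ proxies", DMZ_PROXY)):
        print(name, direct_lan_internet(rules))
```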
