On 05/11/05, Sanjay Arora <[EMAIL PROTECTED]> wrote:
> > Nobody would trust such advertisements - I presume you meant the EHLO
> > argument - hence you will need to actually put your outgoing SMTP
> > server on the IP address which points to calvin.mydomain.com.
> >
> I didn't exactly get this. Let me tell my setup. I have an IPcop firewall

Every mail server has two bits of information to identify a connecting client.

1. The argument the connecting client presents with the SMTP EHLO
command. While the RFCs require this to be the FQDN of the connecting
client, this can be easily spoofed by the client. No self-respecting
server will use this bit as the sole source for client identification.

2. The IP address the client is connecting from. This cannot be
spoofed, hence this is what most servers rely on. Mail servers of busy
ISPs require that this IP address have a valid reverse DNS entry.

(We are talking only of the connection setup; I know there is SMTP
AUTH etc. to identify the client once the transaction is in progress).

> distro running on a machine using 3 network interfaces...one uses the
> public Ip and is connected to the ISP, second uses 192.168.x.x and has
> the web-server (also the incoming mail server..as I propose to firewall
> outgoing connections on SMTP port on this machine) and the third is the
> local network with IP range 192.168.y.x.
>
> I have a server on the internal network that again hosts a webserver for
> the intranet and I propose to use this as outgoing mail server. This is
> the only machine on the whole network whose outgoing SMTP port will not
> be firewalled. Technically, what I am trying to do is make the machine
> on the internal network to be the only outgoing email gateway of my
> network, with anti-virus & content filter etc. The outgoing connection
> of course will be natted and with reverse dns, should be acceptable.

If I read that correctly, you plan to have two websites and two mail
servers on two servers - one in your DMZ and one inside your LAN. Why
don't you put both these servers on the DMZ and merge your two
websites into one server by Apache virtual hosting, and use the other
server for emails in both directions? I'd expect it to be a cleaner
design. You will open up port 80 inbound on the webserver machine,
port 25 inbound and outbound on the mail server machine. Further, you
will use Apache's mod_access to restrict your intranet to your
internal LAN (or run your intranet on a different port and do port
translation on your firewall).

Your basic design is sound - you have clearly demarcated your Trust,
Untrust and DMZ security zones. But after that you seem to have
faltered - by putting machines that should go on the DMZ into your
Trust zone.

I am not familiar with IPCop, but any decent firewall will let you map
IP:port1 to one server in your DMZ, and IP:port2 to another.

Binand
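The two identification points above (EHLO argument vs. connecting IP with
reverse DNS), as an added worked example that is not part of the list
thread. It is illustrative code, not any MTA's real logic: the DNS records
are constructed (calvin.mydomain.com from the thread, plus addresses from
the RFC 5737 documentation ranges), and the live_* resolvers are only
provided for running the same check against real DNS.

```python
"""Classify a connecting SMTP client by its IP address and EHLO argument.

Added example for the thread above (not from the original post). All DNS
data below is constructed for offline use; pass live_reverse/live_forward
to classify_client() to query the system resolver instead.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed records (assumption: illustrative names and documentation-range
# addresses, not real hosts).
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "calvin.mydomain.com",      # PTR and A agree
    "203.0.113.20": "dsl-20.example-isp.net",   # PTR exists, A does not point back
}
FAKE_A: Dict[str, List[str]] = {
    "calvin.mydomain.com": ["203.0.113.10"],
    "dsl-20.example-isp.net": ["198.51.100.7"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return FAKE_A.get(name.lower(), [])


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (not used by default)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A lookup via the system resolver (not used by default)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def classify_client(ip: str, ehlo_arg: str,
                    reverse: Callable[[str], Optional[str]] = fake_reverse,
                    forward: Callable[[str], List[str]] = fake_forward) -> Dict[str, object]:
    """Return the evidence a server has at connection setup, plus a verdict.

    The verdict rests on the IP address (forward-confirmed reverse DNS); the
    EHLO argument is recorded only as a consistency hint, never as the sole
    basis for accepting the client.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return {"verdict": "invalid", "reason": "malformed client IP"}

    ptr = reverse(ip)
    if ptr is None:
        # Busy ISPs' servers typically refuse clients with no reverse DNS.
        return {"verdict": "reject", "ptr": None, "fcrdns": False,
                "ehlo_matches_ptr": False, "reason": "no reverse DNS for client IP"}

    fcrdns = ip in forward(ptr)
    ehlo_matches_ptr = (ehlo_arg.strip().lower().rstrip(".")
                        == ptr.lower().rstrip("."))
    verdict = "accept" if fcrdns else "suspect"
    reason = ("PTR confirmed by forward lookup" if fcrdns
              else "PTR name does not resolve back to client IP")
    if not ehlo_matches_ptr:
        reason += "; EHLO argument disagrees with PTR (logged, not enforced)"
    return {"verdict": verdict, "ptr": ptr, "fcrdns": fcrdns,
            "ehlo_matches_ptr": ehlo_matches_ptr, "reason": reason}


if __name__ == "__main__":
    for ip, ehlo in [("203.0.113.10", "calvin.mydomain.com"),
                     ("203.0.113.20", "calvin.mydomain.com"),   # EHLO claims a name it does not own
                     ("192.0.2.5", "calvin.mydomain.com")]:     # no PTR at all
        print(ip, ehlo, classify_client(ip, ehlo))
```

Note that the second case shows why the EHLO string alone is worthless:
the client presents calvin.mydomain.com, but the connecting address has a
PTR for a different name that does not even resolve back to it. Only the
IP-based check distinguishes the two, which is the point made in the mail
about putting the outgoing server on the IP that calvin.mydomain.com
actually points to.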


_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help