Conceptually, it has absolutely no impact in regard to the mail server; it does matter in relation to the hosts on those segments. The ONLY reason to locate your mail server in the DMZ is that in the event of a compromise that system cannot be used to springboard into your LAN traffic (e.g. someone trying to sniff passwords and whatnot from the server). NAT provides no protection at all; whether you're translating your traffic from port 25 of WAN net to your DMZ net or WAN net to LAN net, anyone can attack the service you make available at that public address on your WAN.
The best way to handle this (security-wise) is to have two mail servers, one on the LAN and one in the DMZ. The idea here is to keep the corporate mail storage out of the DMZ, so in the event of compromise the only data that can be read is mail that was assumed to be insecure anyway. All outbound mail for the net gets forwarded to the DMZ server, and the DMZ server forwards to the LAN server. Now, this means ultimately your LAN server can STILL be attacked, but only from your DMZ host. There is no such thing as a "bulletproof" way to do this, but this is a pretty prudent course. In the worst-case scenario, most of the time only the DMZ mail server gets hosed before you notice the massive pile of rejected internet mail and have a look at it. Make a point of assuming that your DMZ gateway will go down repeatedly to attacks and script kiddies, and change your (LAN+WAN) passwords anytime it gets plastered, and you'll probably be ok.

Hopefully this helps,
Sean

-----Original Message-----
From: Imraan Kadir [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 8:34 AM
To: [EMAIL PROTECTED]
Subject: Mail server

Hi There

Can somebody please shed some light. Is it safer to place your mailserver in the DMZ or in your LAN (with NAT configured)?

Thank you
Imraan
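
The two-server layout described in the reply above can be checked against a firewall allow list. The following is an added example, not part of the original thread: the addresses, the rule format and the function names are constructed for illustration, and only flows toward a more trusted zone are audited.

```python
from ipaddress import ip_network

# Constructed addressing; the thread names no addresses.
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
DMZ_RELAY = ip_network("192.168.2.25/32")  # hypothetical DMZ mail relay
LAN_MAIL = ip_network("192.168.1.25/32")   # hypothetical LAN mail store
SMTP = 25

def zones_hit(dst):
    """Zones an allow rule's destination overlaps ('any' hits both)."""
    if dst == "any":
        return {"DMZ", "LAN"}
    net = ip_network(dst)
    return {name for name, z in (("DMZ", DMZ), ("LAN", LAN)) if net.overlaps(z)}

def audit(rules):
    """Return (rule, reason) for each allow rule that breaks the layout."""
    findings = []
    for r in rules:
        src = None if r["src"] == "any" else ip_network(r["src"])
        dst = None if r["dst"] == "any" else ip_network(r["dst"])
        hit = zones_hit(r["dst"])
        if r["from"] == "WAN":
            if "LAN" in hit:  # e.g. a NAT port forward straight to the LAN
                findings.append((r, "WAN reaches LAN directly"))
            elif dst != DMZ_RELAY or r["port"] != SMTP:
                findings.append((r, "WAN may only reach the DMZ relay on tcp/25"))
        elif r["from"] == "DMZ" and "LAN" in hit:
            if (src, dst, r["port"]) != (DMZ_RELAY, LAN_MAIL, SMTP):
                findings.append((r, "DMZ to LAN must be relay to LAN mail on tcp/25"))
    return findings

# Constructed rule sets; port None means "any port".
GOOD = [
    {"from": "WAN", "src": "any", "dst": "192.168.2.25", "port": 25},
    {"from": "DMZ", "src": "192.168.2.25", "dst": "192.168.1.25", "port": 25},
    {"from": "LAN", "src": "192.168.1.25", "dst": "192.168.2.25", "port": 25},
]
BAD = [
    {"from": "WAN", "src": "any", "dst": "192.168.1.25", "port": 25},
    {"from": "DMZ", "src": "any", "dst": "192.168.1.0/24", "port": None},
]

if __name__ == "__main__":
    for rule, reason in audit(GOOD) + audit(BAD):
        print(reason, rule)
```
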