Thanks.
Gerald
Configuration
-------------
                       WAN
                        ||
              ----------------------
gate.abc.com  |      SonicWall     |
              ----------------------
               LAN |          | DMZ
                  ---        ---
exc.abc.com       |A|        |B|       mail.abc.com
                  ---        ---
SonicWall is using NATting for the LAN side.
With the SonicWall model we have, all servers
in DMZ need a routable IP address.
A (exc.abc.com) is a Windows NT 4.0 running MS
Exchange server. Domain is ABC. All userids
within the Exchange Server are configured as
use...@abc.com.
B (mail.abc.com) is a Red Hat Linux Server, running
SMTP. It has a routable internet address, is within
the same subnet as the gate.abc.com, and uses the
same router/WAN gateway address.
Problem experienced
----------------------
Internet mail is being received by the mail.abc.com
without any problem. However, I cannot figure out
how to relay the mail from the Linux server to the
Exchange Server on the LAN.
Questions
---------
1) Can mail be routed from a server with a
routable internet address to a server inside
a LAN?
2) If it cannot be routed, is the next best
approach to use something like POP3?
__________________________________________________
Do You Yahoo!?
Get Yahoo! Mail – Free email you can access from anywhere!
http://mail.yahoo.com/
-
[To unsubscribe, send mail to majo...@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
One basic question -
How does the Linux server in the DMZ know
about the Exchange server in the LAN? BTW,
we are using NATting with the SonicWall.
The situation is that the mail is received
by the Linux server (with an internet routable
address) and then has to be relayed to the
Exchange server in the LAN.
Should I create another public internet
address like "forwardmail.abc.com" and then
map it to the Exchange server?
Thanks for your help.
With best regards,
Gerald
As already pointed out, use mailertable.
Use the similar, but more modern, virtusertable.
Use the aliases mechanism.
There may be others I am not aware of.
However, if you use a method other than aliases, note that
the internal mail hub will require a way to recognize that forwarded
mails are indeed legitimate mail relay, if the internal mail server
is (also) sendmail.
> 2) If it cannot be routed, is the next best
> approach to use something like POP3?
>
I don't know whether using an MDA between the DMZ and the internal LAN is the
-next-best- approach. But it bears its own virtue, simplicity.
And simplicity is almost always the best friend of security.
That said, you have a couple of elements to consider.
MDAs are constantly honorable members of the top vulnerability lists.
Messages stay on the DMZ for a (short ?) duration.
There is a variety of authentication methods, weak and strong.
An MDA may have preferences on MUA and MTA, and vice versa.
O.k., the bare minimum to use such an MDA would be: make sure the service
ports are accessible only to internal hosts.
horio shoichi
Use an IP address between '[' and ']' instead of the hostname of the
internal host, and configure your
routes correctly, so that the DMZ host can reach the internal server.
If your NAT config doesn't allow you to reach the internal host's address,
add a second private address to this host
from a class which you do not use and configure your routes.
For example, if you use a 192.stuff private class, then just
configure the internal server with 10.1.2.3, for example.
Then use [10.1.2.3] in place of internalmailserver.abc.com.
regards,
mouss
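Added example, not part of any post in this thread: a small Python check
for a sendmail mailertable on the DMZ host, combining the mailertable
suggestion with the bracketed-address advice above. It resolves which relay
a recipient domain would use and flags relay targets that are not bracketed
IP literals. The sample table, the partner.example entry and the function
names are constructed for illustration; 10.1.2.3 is the address from the post.

```python
import ipaddress

# Constructed sample mailertable for the DMZ host (not from the thread).
SAMPLE = """\
abc.com          esmtp:[10.1.2.3]
.abc.com         esmtp:exc.abc.com
partner.example  smtp:[203.0.113.9]
"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_mailertable(text):
    """Return {key: (mailer, host)} from mailertable source text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        mailer, _, host = value.strip().partition(":")
        table[key.lower()] = (mailer, host)
    return table

def lookup(table, domain):
    """Match like mailertable: exact host, then .parent keys, then '.'."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    parts = domain.split(".")
    for i in range(1, len(parts)):
        key = "." + ".".join(parts[i:])
        if key in table:
            return table[key]
    return table.get(".")

def lint(table):
    """Flag relays that are not bracketed RFC 1918 IP literals."""
    findings = []
    for key, (_mailer, host) in sorted(table.items()):
        if not (host.startswith("[") and host.endswith("]")):
            findings.append((key, "unbracketed host: MX lookup applies"))
            continue
        try:
            addr = ipaddress.ip_address(host[1:-1])
        except ValueError:
            findings.append((key, "bracketed name: still depends on DNS"))
            continue
        if not any(addr in net for net in RFC1918):
            findings.append((key, "not RFC 1918: needs a routable or NAT-mapped address"))
    return findings
```

Run lint(parse_mailertable(...)) over the real table before rebuilding the map; an empty list means every relay is a bracketed private address.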
>Questions
>---------
>1) Can mail be routed from a server with a
> routable internet address to a server inside
> a LAN?
Of course it is possible to do this. Use the "One-to-One NAT". You must have
another valid IP to "translate" the IP of your internal mail server (maybe
a "non valid" IP address) to this valid IP. Then in the section "Rules"
you add "Allow SMTP from DMZ (restricted to the IP address of your
external mail server) to the translated IP address of your internal mail
server".
This is the way to do this. If you have some questions don't hesitate to
email me.
Regards from Chile
Fredy R. Santana V.
Ingeniero Civil Eléctrico
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Santiago
Chile
Fono: 6403944 - fr...@orion.cl