Firewall Wizards mailing list archives
Re[2]: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)
From: "Dustin D. Trammell" <dtrammell () cautech com>
Date: Sun, 5 Aug 2001 18:55:57 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Saturday, August 04, 2001, 10:06:59 AM, R. DuFresne wrote:

RD> On Thu, 2 Aug 2001, Dustin D. Trammell wrote:
With this, I usually forward all e-mail to the network's internal smtp gateway, who has proper access to send outbound mail to the Internet. Works well since there's minimal configuration on the webserver, and no additional configurations to my network policies. I rarely run into networks that do not have a designated internal smtp gateway or proxy of some form.
RD> Does this not make your DMZ an indirect email relay?

I'm not sure exactly what you're asking, but the smtp gateway in the DMZ does relay e-mail outbound for all hosts in the DMZ and the internal network's smtp gateway, and it relays e-mail inbound for domains that have MX's in the DMZ or are reachable on the internal via the internal smtp gateway's NAT address.

The point is to make the smtp gateways the ONLY relays for e-mail in and out of the network so that all e-mail traffic can be logged and accounted for, and so that mail connections adhere to policy. The firewalls between the Internet and the DMZ and between the DMZ and the Internal Network enforce policy, providing that only port 25 comes into the smtp server from the Internet and that the smtp gateway can only initiate connections to the internal smtp gateway NAT address (obviously it must also be able to connect outbound to port 25 anywhere to send the mail out properly).

All internal and DMZ hosts relay mail directly to their respective segment's smtp gateway in order to send outbound e-mail. This way, unless I'm setting up another smtp gateway for some reason, there is no firewall or network policy that needs to be changed in order for a new host to route its mail outbound. All hosts hand off their mail to the smtp gateway where it is logged and then it is sent on its way. Of course there are secondary/tertiary smtp gateways, but I won't go into the topology of my smtp setup.

- ---
Dustin D. Trammell
Information Security Analyst
CAU Technologies, Inc.
214.392.7903 - http://www.cautech.com

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQEVAwUAO23dGv+CyKiIr8NJAQEICggAvdrSfOILCtxslgM/+hhQTaCz91+LtZmg
hFSl0q8EPnzPjuQd0DlUr+dDk/pybNGf5hKOYi8sidbfoQoVgmIOz3efWvNTws9K
/8GHPIXrpTjwZPTjpfsR+5rIf73fJhwY1KrOhSISqIGvTOx70hVDZqThWGyfZ3Vk
lyZPEdtiyfEjkXlMJeSajEelKCCIgNzCJYAF0kKt3KKt5fDAef8KjKMlRDUqEPyn
g7wtHMsy9zgdwytHfHFmJ/dyRPq5Kmvry9YTJ7cIoHC5nAhohx5rV1G1vy8CWt2q
m6HdE2mRYOqi0EAPhPIx84UwtT4lbQNvGnnvPKYhg/CcMjXYESoCaw==
=bXyd
-----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
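The mail-routing policy the post describes (Internet can only reach the DMZ smtp gateway on port 25; the DMZ gateway may only initiate connections inward to the internal gateway's NAT address and outward to port 25 anywhere; every other host hands mail to its own segment's gateway, so new hosts need no rule change) can be written down as an ordered rule set and checked against candidate flows. The following is an added example, not code from the post or the list; the addresses, the zone boundaries, the NAT address and the function names are constructed assumptions chosen to illustrate the policy, not anything the post states.

```python
"""Toy model of the segment-based SMTP relay policy from the post.

Each rule is evaluated in order and the first match wins; anything not
explicitly allowed on port 25 is denied. Flows are judged by the sender's
real address and the destination as the sender addresses it, so the DMZ
gateway reaches the internal gateway only via its NAT address.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the post names no addresses or networks.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
DMZ_SMTP_GW = ip_address("192.0.2.25")
INTERNAL_SMTP_GW = ip_address("10.1.1.25")
# Hypothetical NAT address of the internal gateway as seen from the DMZ.
INTERNAL_SMTP_GW_NAT = ip_address("192.0.2.26")
SMTP = 25


def segment(addr):
    """Classify an address into the three zones of the post's topology."""
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "internet"


def smtp_allowed(src, dst, dport=SMTP):
    """Return (allowed, reason) for a TCP flow src -> dst:dport.

    Only port 25 is modelled; rules are segment-based, so adding a new
    host to a segment needs no policy change.
    """
    src, dst = ip_address(src), ip_address(dst)
    if dport != SMTP:
        return False, "only port 25 is modelled here"
    s, d = segment(src), segment(dst)
    # Internet -> DMZ: only the smtp gateway, only port 25.
    if s == "internet" and dst == DMZ_SMTP_GW:
        return True, "inbound mail to DMZ smtp gateway"
    # DMZ gateway -> internal: only the internal gateway's NAT address.
    if src == DMZ_SMTP_GW and dst == INTERNAL_SMTP_GW_NAT:
        return True, "DMZ gateway relays inbound mail to internal gateway NAT"
    # DMZ gateway -> Internet on port 25 for outbound delivery.
    if src == DMZ_SMTP_GW and d == "internet":
        return True, "DMZ gateway delivers outbound mail"
    # Any DMZ host hands mail to its own segment's gateway.
    if s == "dmz" and dst == DMZ_SMTP_GW:
        return True, "DMZ host hands mail to DMZ gateway"
    # Internal gateway relays outbound mail through the DMZ gateway.
    if src == INTERNAL_SMTP_GW and dst == DMZ_SMTP_GW:
        return True, "internal gateway relays outbound via DMZ gateway"
    # Any internal host hands mail to the internal gateway.
    if s == "internal" and dst == INTERNAL_SMTP_GW:
        return True, "internal host hands mail to internal gateway"
    return False, f"no rule permits {s} -> {d} on port {dport}"


def audit(flows):
    """Evaluate (src, dst, dport) tuples and return one verdict dict per flow."""
    results = []
    for src, dst, dport in flows:
        allowed, reason = smtp_allowed(src, dst, dport)
        results.append({"src": src, "dst": dst, "dport": dport,
                        "allowed": allowed, "reason": reason})
    return results


if __name__ == "__main__":
    # Constructed sample flows: a DMZ webserver trying to deliver mail
    # directly to the Internet is denied (it must use the gateway, where
    # the mail is logged), while a newly added DMZ host relays via the
    # gateway with no rule change.
    sample = [
        ("198.51.100.7", "192.0.2.25", 25),   # Internet -> DMZ gateway
        ("198.51.100.7", "192.0.2.80", 25),   # Internet -> DMZ webserver
        ("192.0.2.80", "203.0.113.5", 25),    # webserver -> Internet directly
        ("192.0.2.81", "192.0.2.25", 25),     # new DMZ host -> DMZ gateway
        ("192.0.2.25", "10.1.1.25", 25),      # DMZ gateway -> real internal address
    ]
    for r in audit(sample):
        print(f"{r['src']:>14} -> {r['dst']:>14}:{r['dport']}  "
              f"{'ALLOW' if r['allowed'] else 'DENY '}  {r['reason']}")
```

Because every rule keys on a segment or on one of the two gateway addresses, the check for a brand-new host in either segment passes without touching the policy, which is the property the post is after; the denied flows are the ones that would bypass the logging point.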