Security Basics mailing list archives

DMZ to LAN SMTP connections


From: "ыфзкфт" <sapran () gmail com>
Date: Fri, 14 Mar 2008 13:07:57 +0200

Hi list.

I would appreciate any response on my email system security
configuration. I mean it would be great to know your opinion on how
secure it is and what the best practices are.

I have an Exchange 2003 server. It resides on a dedicated server VLAN
and serves local users' Outlooks and OWA logins using integrated
authentication. Of course, all this is in the AD domain.

I have set up two Postfix MTAs in the DMZ and allowed the Internet to connect
to them on 25/tcp and vice versa. Also I have allowed the MTAs to query DNS
servers anywhere on the Internet. Exchange may connect to the MTAs and uses
them as smart hosts for outgoing mail. The MTAs may only connect to Exchange
to send it emails addressed to my mail domain. I administer those MTAs
from the LAN using SSH. So, the firewall policy looks like below. Consider
that DMZ-based hosts are provided with public IPs and all other traffic is
denied by default.

Internet:any/tcp ---> DMZ-based MTA:25/tcp
Internet:25/tcp <--- DMZ-based MTA:any/tcp
Internet:53/udp <--- DMZ-based MTA:any/udp
DMZ-based MTA:22/tcp <--- LAN-based admin host:any/tcp
DMZ-based MTA:25/tcp <--- LAN-based Exchange:any/tcp
DMZ-based MTA:any/tcp ---> LAN-based Exchange:25/tcp

And I wonder whether that rule allowing the MTAs to connect to Exchange via
ESMTP is correct. I mean I have heard a lot about denying connections from
networks with a lower security level into secured networks, the LAN in this
case. Is restricting this to SMTP traffic only enough, or should I
choose some other design: NAT Exchange:25/tcp outside to the DMZ, use
fetchmail, or something like that?

Thanks in advance for all your responses.

-- 
sapran
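The six-line policy above written out as a stateful iptables FORWARD chain, as an added example that is not part of the original post. Interface names and all addresses are constructed placeholders; the "vice versa" return flows are covered by conntrack rather than by explicit reverse rules, and the only new connection permitted from the DMZ into the LAN is MTA to Exchange on tcp/25.

```shell
#!/bin/sh
# Constructed placeholder values (not from the post).
MTA1=203.0.113.10; MTA2=203.0.113.11   # public IPs of the two DMZ MTAs
EXCHANGE=10.0.1.25                      # LAN address of the Exchange server
ADMIN=10.0.2.5                          # LAN admin host that reaches the MTAs by SSH
WAN_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2

# Emit one rule. With DRY_RUN=1 (the default) the rule is printed, not applied.
rule() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

gen_rules() {
  # Default deny for forwarded traffic; replies to accepted flows come back
  # via conntrack, which also covers the UDP DNS answers to the MTAs.
  rule -P FORWARD DROP
  rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for mta in $MTA1 $MTA2; do
    # Internet:any/tcp ---> DMZ-based MTA:25/tcp
    rule -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $mta --dport 25 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Internet:25/tcp <--- DMZ-based MTA:any/tcp
    rule -A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp -s $mta --dport 25 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Internet:53/udp <--- DMZ-based MTA:any/udp
    rule -A FORWARD -i $DMZ_IF -o $WAN_IF -p udp -s $mta --dport 53 -j ACCEPT
    # DMZ-based MTA:22/tcp <--- LAN-based admin host:any/tcp
    rule -A FORWARD -i $LAN_IF -o $DMZ_IF -p tcp -s $ADMIN -d $mta --dport 22 \
         -m conntrack --ctstate NEW -j ACCEPT
    # DMZ-based MTA:25/tcp <--- LAN-based Exchange:any/tcp
    rule -A FORWARD -i $LAN_IF -o $DMZ_IF -p tcp -s $EXCHANGE -d $mta --dport 25 \
         -m conntrack --ctstate NEW -j ACCEPT
    # DMZ-based MTA:any/tcp ---> LAN-based Exchange:25/tcp (the one DMZ->LAN hole)
    rule -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $mta -d $EXCHANGE --dport 25 \
         -m conntrack --ctstate NEW -j ACCEPT
  done
  # Log anything else the DMZ tries to open toward the LAN before the default drop.
  rule -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN denied: "
}

gen_rules
```

Run with `DRY_RUN=0` as root to apply the rules instead of printing them.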
