Security Basics mailing list archives

Re: DMZ to LAN SMTP connections


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Fri, 14 Mar 2008 10:07:14 -0800

On Fri, Mar 14, 2008 at 3:07 AM, ыфзкфт <sapran () gmail com> wrote:
Hi list.

<snip>
 And I wonder whether that rule allowing MTAs to connect to Exchange
 ESMTP is correct. I mean, I have heard a lot about denying connections
 from networks with a lower security level into secured networks, the
 LAN in this case. Is this restriction to SMTP traffic only enough, or should I
 choose some other design: NAT Exchange:25/tcp outside to DMZ, use
 fetchmail, or something like that?

 Thanks in advance for all your responses.

Assuming that the DMZ is hanging off a port of your firewall, I would
think that opening port 25 from your postfix boxes (only!) to your
Exchange server (only!) is worth the minimal amount of risk,
especially if you consider the complexities in installing and
maintaining a Cygwin installation on your Exchange server. This
assumes that you've properly locked down your Postfix boxes and the OS
on which they run, and monitor them as you should.

Kurt
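
An added example, not part of the original post: one way to audit a firewall ruleset against the advice above, flagging any DMZ-to-LAN allow rule broader than "a single Postfix relay to the Exchange server on 25/tcp". The addresses, rule names and tuple format are constructed assumptions; the thread names no firewall product or addressing plan.

```python
import ipaddress as ip

# Constructed addressing plan (assumption; the thread gives no addresses).
DMZ = ip.ip_network("192.0.2.0/24")
LAN = ip.ip_network("10.0.0.0/16")
RELAYS = {ip.ip_network("192.0.2.10/32"), ip.ip_network("192.0.2.11/32")}  # Postfix boxes
EXCHANGE = ip.ip_network("10.0.5.20/32")

# Constructed ruleset: (name, action, source, destination, protocol, dest port)
RULES = [
    ("relay1-smtp", "allow", "192.0.2.10/32", "10.0.5.20/32", "tcp", 25),
    ("relay2-smtp", "allow", "192.0.2.11/32", "10.0.5.20/32", "tcp", 25),
    ("dmz-smtp-any", "allow", "192.0.2.0/24", "10.0.5.20/32", "tcp", 25),
    ("relay1-lan-smtp", "allow", "192.0.2.10/32", "10.0.0.0/16", "tcp", 25),
    ("relay1-rdp", "allow", "192.0.2.10/32", "10.0.5.20/32", "tcp", 3389),
    ("lan-to-dmz-ssh", "allow", "10.0.0.0/16", "192.0.2.0/24", "tcp", 22),
    ("dmz-default", "deny", "192.0.2.0/24", "10.0.0.0/16", "any", None),
]

def audit(rules):
    """Return (name, reasons) for every allow rule from DMZ to LAN that is
    broader than 'one Postfix relay -> the Exchange server, 25/tcp'."""
    findings = []
    for name, action, src, dst, proto, port in rules:
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if action != "allow" or not (src.overlaps(DMZ) and dst.overlaps(LAN)):
            continue  # only DMZ -> LAN allow rules are in scope
        reasons = []
        if src not in RELAYS:
            reasons.append("source is not a single relay host")
        if dst != EXCHANGE:
            reasons.append("destination is not the Exchange server only")
        if (proto, port) != ("tcp", 25):
            reasons.append("service is not 25/tcp")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit(RULES):
        print(f"{name}: {'; '.join(reasons)}")
```

The check looks at each rule in isolation and does not model rule ordering or first-match semantics.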
