Firewall Wizards mailing list archives

SMTP to Firewall


From: "Coleman,Clayton L." <lcoleman () foxboro com>
Date: Thu, 27 Apr 2000 15:27:20 -0400

Objective:
----------
Using current hardware, obtain a more SECURE, reliable method for delivery
of inbound mail to our company's SMTP servers.  We're looking to have
failover capability for incoming mail to the company (i.e. a 10, 20 and 30
MX record).

Equipment:
----------
Checkpoint FW-1 4.0 (Solaris Platform)
Three SMTP Servers

Current Setup:
--------------
MX record for our domain points to the external address of our firewall.
When incoming servers hit the firewall, it directs the servers to one of our
internal servers, based on a FW-1 resource.  The resource is configured with
the IP address of one of our internal SMTP servers.

->> We've come up with two options we're pursuing and I'd like to get some
other opinions on how this might be done:

Option A:
---------
1. Create a single MX entry for our domain which points to the external
address of our firewall.
2. Configure the firewall so that it can route traffic to mail servers in
the same manner that DNS does with MX records.  (We're not seeking
load-balancing, just fail-over.)  I'm not even sure this can be done, or what
the security implications of such a setup would be.

Option B:
---------
1. Create three MX records for our domain, pointing to three different
external IP addresses for our SMTP servers.
2. Configure the firewall w/NAT to point any of the three external SMTP IP
addresses to the proper internal servers.  This would allow our three MX
records to point to three separate servers internally (using their external
IP).

->> I'm open for suggestions.  At present we have no DMZ environment
configured for SMTP, but it's a possibility if I can give a strong argument
for one!

Thanks,

Clayton L. Coleman, Network Analyst
The Foxboro Company, Invensys IA
lcoleman () foxboro com
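The MX-preference fallback that Option A asks the firewall to imitate, and that Option B gets from DNS itself, as an added example that is not part of the original post: a small Python simulation of how a sending MTA walks 10/20/30 MX records, lowest preference first, moving on when a host is unreachable. The hostnames, the preferences and the reachability callback are constructed sample data.

```python
"""Simulate MX-preference failover for inbound mail (added example,
not from the original post).  A sending MTA tries MX hosts lowest
preference first and falls back to the next when one cannot be reached;
hosts with equal preference are tried in random order."""
import random
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample: the three MX records (10, 20, 30) from Option B.
SAMPLE_MX = [
    (10, "mx1.example.com"),
    (20, "mx2.example.com"),
    (30, "mx3.example.com"),
]


def order_mx(records: Iterable[Tuple[int, str]],
             rng: random.Random = random) -> List[str]:
    """Return MX hosts ordered by preference (lowest first).
    Equal preferences are shuffled, which is how a sender spreads load
    among peers; distinct preferences give strict fail-over order."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records: Iterable[Tuple[int, str]],
            reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the ordered MX list and return the first host that accepts
    a connection.  `reachable` stands in for the TCP/25 connect attempt
    (constructed callback); None means every MX was down, in which case a
    real sender queues the message and retries later."""
    for host in order_mx(records):
        if reachable(host):
            return host
    return None


if __name__ == "__main__":
    # Constructed outage: the primary (MX 10) is down, so MX 20 takes over.
    down = {"mx1.example.com"}
    print("delivered to:", deliver(SAMPLE_MX, lambda h: h not in down))
```

Whichever option is chosen, the firewall or NAT mapping for each published MX host must be reachable independently, or the fallback the records promise never happens.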


