Hi everyone.

I have a question about a possible scenario on setting up a email server on our company's network.

I had a long meeting today with management and they decided they wanted to have me try and setup a email server, with a twist.

Basically, what they want to do is setup our web server to be able to forward email requests to our internal mail server. They decided that they do not want to stick the mail server on our DMZ, but instead, use our web server on the DMZ and set it up to act as a 'middle man' sort a speak.

First, is that possible?
Second, is it even a good idea/bad idea?

Third, does anyone have any suggestions to a possible alternative to this if this is not a good idea? Or, suggestions for something I can setup to appease managment here?

Lastly, any links on where I can find this out at?

Im still fighting with managment on what type of program to use for email. I cringe at using sendmail, but they want to use it for a variety of reasons.

Well, im eager to get some feedback on this.
Thanks everyone.

Tarballed

A few things:
If you handle firewall rules properly then why can't it go on the DMZ?
Why do you need it to be on the DMZ? It will run on the LAN.

In saying all that - you can use sendmail or qmail to act as a relay.

You could also use Postfix if you can convince them. Postfix is a little easier to wrestle with and you could pitch it as a good way to encorporate spam filtering with Spamassassin. See the link in my sig for instructions. Works like a charm..

Well, that is the thing. The firewall the company uses is built for a medium sized companies and has a built in interface and features to use a DMZ.

Now, as far as why they dont want it on the DMZ, I can only guess. Here is the short version:

They wanted to have a few other services running on the mail server. Specifically, DNS some fax software stuff as well. I told them that, for the most part, it is a good idea to seperate services from one another in case one of them gets hacked.

They originall wanted to combine the mail server and web server into one and I really had to argue that one down.

So, ya, for the most part, I do not know what the thinking is behind this is.

I could stick the mail server on the DMZ, who knows though.

Does anyone have any recommendations on this particular setup and possibly a alternate setup?

Lastly, anyone know where I can find a good article that discusses sendmail and postfix? Im trying to find all the advantages and disadvantages of using either of these two email servers.

Any thoughts?

Thanks guys.

Tarballed

With sendmail you should just need to add your domain to:
/etc/mail/relay-domains

Then add a line to /etc/mail/mailertable:
.yourdomain.com smtp:[ip.of.real.server]

Obviously you'll need to make the MX record point to the web server too.

And don't forget to test your new mail server to prevent an open relay. http://ordb.org will test it for you, but will put your server on a blacklist until it tests clean.

Thanks guys. I really appreciate your input. I will definitely check to make sure my server is NOT an open relay.

Also, if I might add. I would really like to find out more about sendmail and postfix and using them as a mail server.

Does anyone have any reviews or comments of some sort, where I can see what is good and what is bad?

Anyone care to share personal experiences?

Which of the two is more robust? Can I add Anti-virus scanners to both sendmail and postifx? Spam? etc...the list goes on.

Oh, one last thing.

From this proposed 'solution' management derived, what are your personal thoughts about it? Let me put it this way. If it was up to you, what would you do?

Im trying to gather as much data as I can so I can make better decisions and less hassle in the long run.

Thanks guys!

Tarballed

Anytime that you get the opportunity to add another layer of security, jump on it.

I wouldn't discount sendmail as a solution right away. When properly configured, sendmail is stable and reliable. I've setup sendmail for a couple of clients in just the configuration you describe to protect some some common groupware applications from direct attack.