Old 03-15-2024, 11:49 AM   #1
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Rep: Reputation: 10
Postfix “advanced” configuration NEED HELP


Hi, so currently I am running a working email server (postfix/dovecot). No relay, simply NAT/ACL on my Cisco.
What I am wanting to do on the Cisco is create a DMZ and in the DMZ make an email server to receive email from the internet and then relay (?) that to my LAN (existing) email.

I guess what I’m confused over is, what changes do I make on my existing non-DMZ postfix configuration? Would I enable relay? And that IP is now the DMZ email IP? Or does the existing one stay the same? Sorry, I know it seems stupid but really I’m having major brain freeze.
 
Old 03-15-2024, 11:59 AM   #2
r1w1s1
Member
 
Registered: Mar 2004
Location: São Paulo - Brazil
Distribution: Slackware
Posts: 62
Blog Entries: 1

Rep: Reputation: 38
Quote:
Originally Posted by BAcidEvil View Post
Hi, so currently I am running a working email server (postfix/dovecot). No relay, simply NAT/ACL on my Cisco.
What I am wanting to do on the Cisco is create a DMZ and in the DMZ make an email server to receive email from the internet and then relay (?) that to my LAN (existing) email.

I guess what I’m confused over is, what changes do I make on my existing non-DMZ postfix configuration? Would I enable relay? And that IP is now the DMZ email IP? Or does the existing one stay the same? Sorry, I know it seems stupid but really I’m having major brain freeze.
I'm a bit confused, do you have only ONE email server, or an SMTP gateway also? If you describe your setup it will be better.
 
Old 03-15-2024, 12:06 PM   #3
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Hmmm.

So I have a static ip, x.x.x.180 and a registered domain (WAN) that gets translated in the Cisco to 192.168.1.180 to my Slackware email server. Just one email server. Simple.

I am wanting to mess around on the Cisco ISR with “zone based firewall” and create a DMZ. I wanted to make an email server on the DMZ as an “out of network” server 172.16.1.180 and then use it as a relay to my existing email server 192.168.1.180. So I was wondering what all I needed to do in the current email config. Currently it’s just listening for incoming SMTP from the outside, but I am wondering if I just add in the relay address 172.16.1.180?
Sorry, I’m not good at explaining.
 
Old 03-15-2024, 01:25 PM   #4
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 959

Rep: Reputation: 649
I suppose that the whole point of this is that your router has a static IP address, or at least some kind of dynamic DNS feature that allows you to have some official MX record on the internet?

If this internet DNS MX record points to your router's public IP address, your router can forward incoming traffic on port 25 to your SMTP server in your DMZ.

However, I then get the impression that you really would prefer to have mail routed from your DMZ SMTP server to the SMTP server on your LAN. That can of course also be accomplished if you configure your router to once again do port forwarding, from the router's DMZ IP address to the machine of your choice in your LAN.

The next question is about outgoing mail. I suppose that both your DMZ SMTP server and your LAN SMTP server have free access to the internet. It would be possible to configure your LAN SMTP server to use the DMZ SMTP server as a smart relay, but I don't really see the point of doing so.

Having your own SMTP server connected to internet might be fun, but it also comes with a great deal of responsibility. A misconfigured or hacked SMTP server will soon be used to relay spam. Relying on the mail server functionality of a Web Hotel is an easy way out of that responsibility.

regards Henrik
 
Old 03-15-2024, 01:54 PM   #5
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by henca View Post
I suppose that the whole point of this is that your router has a static IP address, or at least some kind of dynamic DNS feature that allows you to have some official MX record on the internet?

If this internet DNS MX record points to your router's public IP address, your router can forward incoming traffic on port 25 to your SMTP server in your DMZ.

However, I then get the impression that you really would prefer to have mail routed from your DMZ SMTP server to the SMTP server on your LAN. That can of course also be accomplished if you configure your router to once again do port forwarding, from the router's DMZ IP address to the machine of your choice in your LAN.

The next question is about outgoing mail. I suppose that both your DMZ SMTP server and your LAN SMTP server have free access to the internet. It would be possible to configure your LAN SMTP server to use the DMZ SMTP server as a smart relay, but I don't really see the point of doing so.

Having your own SMTP server connected to the internet might be fun, but it also comes with a great deal of responsibility. A misconfigured or hacked SMTP server will soon be used to relay spam. Relying on the mail server functionality of a web hotel is an easy way out of that responsibility.

regards Henrik
I am sorry I am terrible at explaining.
I have a block of 8 static ips [6 usable] and have one of them, x.x.x.180 assigned a domain name from dotster. All the Mx, reverse and forward dns all set up. At home I have my Cisco ISR which connects to my Cisco FPR and then to my SG Switch; 192.168.1.180 resides there and hosts my own email server, all of it, from there.
What I was wanting to do, more so out of curiosity and boredom, was to move the server from my SG LAN and create a DMZ email server (172.16.1.180) on the ISR. Have that be the first point of contact and then have my current/existing email server connect to that new one (on the DMZ) via relay address 172.16.1.180.
That way DMZ email server is locked down completely and only has Internet access for email, but my current email server is LAN side and connects to email with this new relay/dmz server.

Or am I missing how this works?
 
Old 03-16-2024, 07:30 AM   #6
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 959

Rep: Reputation: 649
I agree that it might be a good idea to have your internet-facing SMTP server in a DMZ, and that it should be fully possible to use it as a relay from your LAN SMTP server.

If your LAN seems to come from a different public IP address than your DMZ, it might be a really good idea to use your DMZ SMTP server as the outgoing relay, so as not to confuse internet SMTP servers about how valid your LAN SMTP server is.

regards Henrik
 
Old 03-16-2024, 09:53 AM   #7
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by henca View Post
I agree that it might be a good idea to have your internet-facing SMTP server in a DMZ, and that it should be fully possible to use it as a relay from your LAN SMTP server.

If your LAN seems to come from a different public IP address than your DMZ, it might be a really good idea to use your DMZ SMTP server as the outgoing relay, so as not to confuse internet SMTP servers about how valid your LAN SMTP server is.

regards Henrik
Morning. I think that may be some of where I get confused... CURRENTLY the [non-DMZ] email server is on LAN 192.168.1.180 with a WAN STATIC IP x.x.x.180 with simple NAT translation. In creating this DMZ w/ email server 172.16.1.180... Does the DMZ use the same x.x.x.180 WAN IP, or does the existing 192.168.1.180 use it, or can I NAT both? This is sort of what confuses me.
 
Old 03-16-2024, 05:26 PM   #8
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 959

Rep: Reputation: 649
Quote:
Originally Posted by BAcidEvil View Post
I think that may be some of where I get confused... CURRENTLY the [non-DMZ] email server is on LAN 192.168.1.180 with a WAN STATIC IP x.x.x.180 with simple NAT translation. In creating this DMZ w/ email server 172.16.1.180... Does the DMZ use the same x.x.x.180 WAN IP, or does the existing 192.168.1.180 use it, or can I NAT both? This is sort of what confuses me.
A simple NAT firewall/router will allow machines in a LAN or DMZ to reach servers on the internet through a public IP address on the firewall/router. However, machines on the internet will not be able to initiate connections to machines in the LAN or DMZ; they will only be able to reach the public IP address(es) of the firewall/router.

For machines on the internet to be able to connect to machines in the LAN or DMZ, you will need to configure port forwarding in the firewall/router. This port forwarding makes your firewall/router listen on chosen TCP and/or UDP ports on the internet interface and then forward any connections to your chosen internal LAN or DMZ IP address(es), and possibly to another port number on that machine.

Example: I have a public IP address xxx.xxx.xxx.47 on my Asus router. This Asus router has an internal IP address 192.168.67.1 on a network with both some wired equipment and WLAN. As I don't trust WLAN as much, I have a second wired firewall with external IP address 192.168.67.2.

Any connection to TCP port 2222 on my public xxx.xxx.xxx.47 address is forwarded to port 2222 on my internal firewall with IP 192.168.67.1.

My internal firewall has two more NICs: 192.168.43.1 is for my LAN and 192.168.17.2 is for my DMZ. Any connection to port 2222 on 192.168.43.1 is forwarded to port 22 on 192.168.17.1, which is a Raspberry Pi in my DMZ.

This Raspberry Pi monitors any attempts to connect by SSH to the non-standard port 2222. At the time of this writing, 56351 different IP addresses on the internet have failed connecting by SSH. Some typical attempts look something like this:

Code:
Mar 16 21:43:59 igor sshd[20907]: Invalid user apple from 2.57.122.80
Mar 16 21:43:59 igor sshd[20907]: input_userauth_request: invalid user apple [preauth]
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): check pass; user unknown
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2.57.122.80 
Mar 16 21:44:01 igor sshd[20907]: Failed password for invalid user apple from 2.57.122.80 port 38512 ssh2
Mar 16 21:44:01 igor sshd[20907]: Connection closed by 2.57.122.80 [preauth]
Mar 16 21:45:19 igor sshd[20909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.75.122.191  user=root
Mar 16 21:45:21 igor sshd[20909]: Failed password for root from 159.75.122.191 port 44888 ssh2
Mar 16 21:45:22 igor sshd[20909]: Received disconnect from 159.75.122.191: 11: Bye Bye [preauth]
Mar 16 21:48:14 igor sshd[20911]: Connection closed by 159.75.122.191 [preauth]
An attempt to draw a one-line "image" of the setup:

xxx.xxx.xxx.47:2222 -> 192.168.67.1:2222 -> 192.168.17.1:22

I am not familiar with your Cisco systems and can't say for sure whether you, like me, will also need to configure port forwarding on two different NAT firewalls.

regards Henrik
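The monitoring henca describes on his DMZ host, as an added example (not his script): a parser that counts distinct failing source addresses in sshd log lines and flags sources that tried a real account (here root) rather than a non-existent name. The sample lines are the ones quoted in the post above.

```python
import re
from collections import defaultdict

# Sample input: the sshd lines quoted in henca's post above, copied verbatim.
SAMPLE_LOG = """\
Mar 16 21:43:59 igor sshd[20907]: Invalid user apple from 2.57.122.80
Mar 16 21:43:59 igor sshd[20907]: input_userauth_request: invalid user apple [preauth]
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): check pass; user unknown
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2.57.122.80
Mar 16 21:44:01 igor sshd[20907]: Failed password for invalid user apple from 2.57.122.80 port 38512 ssh2
Mar 16 21:44:01 igor sshd[20907]: Connection closed by 2.57.122.80 [preauth]
Mar 16 21:45:19 igor sshd[20909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.75.122.191  user=root
Mar 16 21:45:21 igor sshd[20909]: Failed password for root from 159.75.122.191 port 44888 ssh2
Mar 16 21:45:22 igor sshd[20909]: Received disconnect from 159.75.122.191: 11: Bye Bye [preauth]
Mar 16 21:48:14 igor sshd[20911]: Connection closed by 159.75.122.191 [preauth]
"""

# One "Failed password" line per rejected password attempt. The "invalid user"
# marker means the username does not exist on the box; its absence means a
# real account was targeted, which deserves a closer look than name guessing.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<addr>[0-9A-Fa-f.:]+) port \d+ ssh2"
)


def parse_failures(log_text):
    """Return one (source_addr, username, account_exists) tuple per failed attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("addr"), m.group("user"), m.group("invalid") is None))
    return failures


def summarize(failures):
    """Aggregate per source address: attempt count, usernames tried, and whether
    any attempt was against an account that really exists."""
    per_addr = defaultdict(lambda: {"attempts": 0, "users": set(), "hit_real_account": False})
    for addr, user, exists in failures:
        rec = per_addr[addr]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["hit_real_account"] = rec["hit_real_account"] or exists
    return dict(per_addr)


def distinct_sources(failures):
    """The figure henca quotes: how many different addresses have failed."""
    return len({addr for addr, _, _ in failures})


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{distinct_sources(fails)} distinct failing sources")
    for addr, rec in sorted(summarize(fails).items(), key=lambda kv: -kv[1]["attempts"]):
        flag = "REAL ACCOUNT TARGETED" if rec["hit_real_account"] else "guessing names"
        print(f"{addr}: {rec['attempts']} failure(s), users={sorted(rec['users'])} ({flag})")
```

Feed it `/var/log/secure` (or `journalctl -u sshd` output) instead of `SAMPLE_LOG` to get the same per-source summary for a real host.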
 
Old 03-17-2024, 09:18 PM   #9
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by henca View Post
A simple NAT firewall/router will allow machines in a LAN or DMZ to reach servers on the internet through a public IP address on the firewall/router. However, machines on the internet will not be able to initiate connections to machines in the LAN or DMZ; they will only be able to reach the public IP address(es) of the firewall/router.

For machines on the internet to be able to connect to machines in the LAN or DMZ, you will need to configure port forwarding in the firewall/router. This port forwarding makes your firewall/router listen on chosen TCP and/or UDP ports on the internet interface and then forward any connections to your chosen internal LAN or DMZ IP address(es), and possibly to another port number on that machine.

Example: I have a public IP address xxx.xxx.xxx.47 on my Asus router. This Asus router has an internal IP address 192.168.67.1 on a network with both some wired equipment and WLAN. As I don't trust WLAN as much, I have a second wired firewall with external IP address 192.168.67.2.

Any connection to TCP port 2222 on my public xxx.xxx.xxx.47 address is forwarded to port 2222 on my internal firewall with IP 192.168.67.1.

My internal firewall has two more NICs: 192.168.43.1 is for my LAN and 192.168.17.2 is for my DMZ. Any connection to port 2222 on 192.168.43.1 is forwarded to port 22 on 192.168.17.1, which is a Raspberry Pi in my DMZ.

This Raspberry Pi monitors any attempts to connect by SSH to the non-standard port 2222. At the time of this writing, 56351 different IP addresses on the internet have failed connecting by SSH. Some typical attempts look something like this:

Code:
Mar 16 21:43:59 igor sshd[20907]: Invalid user apple from 2.57.122.80
Mar 16 21:43:59 igor sshd[20907]: input_userauth_request: invalid user apple [preauth]
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): check pass; user unknown
Mar 16 21:43:59 igor sshd[20907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2.57.122.80 
Mar 16 21:44:01 igor sshd[20907]: Failed password for invalid user apple from 2.57.122.80 port 38512 ssh2
Mar 16 21:44:01 igor sshd[20907]: Connection closed by 2.57.122.80 [preauth]
Mar 16 21:45:19 igor sshd[20909]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.75.122.191  user=root
Mar 16 21:45:21 igor sshd[20909]: Failed password for root from 159.75.122.191 port 44888 ssh2
Mar 16 21:45:22 igor sshd[20909]: Received disconnect from 159.75.122.191: 11: Bye Bye [preauth]
Mar 16 21:48:14 igor sshd[20911]: Connection closed by 159.75.122.191 [preauth]
An attempt to draw a one-line "image" of the setup:

xxx.xxx.xxx.47:2222 -> 192.168.67.1:2222 -> 192.168.17.1:22

I am not familiar with your Cisco systems and can't say for sure whether you, like me, will also need to configure port forwarding on two different NAT firewalls.

regards Henrik
I have my NAT/firewall set to allow [outside-to-in] access to my email server in the "DMZ". Where I am failing to grasp is the internal LAN email server. Does this get configured to 'relay 172.16.1.179:Port' for it to receive email from DMZ to LAN?
 
Old 03-18-2024, 01:45 AM   #10
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 959

Rep: Reputation: 649
Quote:
Originally Posted by BAcidEvil View Post
Where I am failing to grasp is the internal LAN email server. Does this get configured to 'relay 172.16.1.179:Port' for it to receive email from DMZ to LAN?
If you want emails to your domain to end up on your LAN server, you will need to configure your DMZ SMTP server to relay incoming emails for your domain to your LAN SMTP server, and you will need to configure your firewall(s) to somehow (possibly with port forwarding) allow such a connection.

If you want your LAN SMTP server to send outgoing mail through your DMZ SMTP server, you will need to configure it to relay outgoing emails to your DMZ SMTP server. Your firewall is probably configured to allow all traffic from your LAN to your DMZ.

Both of these configurations are kind of optional. Maybe you would prefer to have your email clients reading mail from the DMZ server instead of opening up port 25 in your firewall from the DMZ to your LAN. Maybe you would prefer to let your LAN SMTP server send emails directly to internet SMTP servers.

regards Henrik
 
Old 03-18-2024, 11:32 AM   #11
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by henca View Post
If you want emails to your domain to end up on your LAN server, you will need to configure your DMZ SMTP server to relay incoming emails for your domain to your LAN SMTP server, and you will need to configure your firewall(s) to somehow (possibly with port forwarding) allow such a connection.

If you want your LAN SMTP server to send outgoing mail through your DMZ SMTP server, you will need to configure it to relay outgoing emails to your DMZ SMTP server. Your firewall is probably configured to allow all traffic from your LAN to your DMZ.

Both of these configurations are kind of optional. Maybe you would prefer to have your email clients reading mail from the DMZ server instead of opening up port 25 in your firewall from the DMZ to your LAN. Maybe you would prefer to let your LAN SMTP server send emails directly to internet SMTP servers.

regards Henrik
I really don’t know what I want, or which option to choose. It all started with “you should run your email server in a DMZ separate from your LAN”. So now, googling this and that, I’m like, well, ok, but still missing some components in theory and topology. I guess the issue is, I don’t know what I want or the correct way to implement it. I mean, do I want to relay incoming and outgoing through the DMZ? Like I feel I’m getting a hammer to my head cause I’m not grasping WHAT I should do, or whether to just leave it as it is: email server on LAN.
 
Old 03-18-2024, 12:11 PM   #12
elcore
Senior Member
 
Registered: Sep 2014
Distribution: Slackware
Posts: 1,753

Rep: Reputation: Disabled
Quote:
Originally Posted by BAcidEvil View Post
I really don’t know what I want, or which option to choose. It all started “you should run your email server in a DMZ separate from your LAN”
If you want a secure server, then you use port forwarding on the router and firewall rules on the server to only allow what ports/addresses you need.
DMZ by definition allows all. But that's just my opinion, you do what you want with your server.
 
Old 03-18-2024, 01:28 PM   #13
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by elcore View Post
If you want a secure server, then you use port forwarding on the router and firewall rules on the server to only allow what ports/addresses you need.
DMZ by definition allows all. But that's just my opinion, you do what you want with your server.
Well that is how it currently is. The Email resides in the LAN and ONLY, ONLY mail server port and ssh are open to it. LAN of course has access as it’s on LAN. So really by moving it to DMZ I’d be opening it.
 
Old 03-18-2024, 01:30 PM   #14
henca
Member
 
Registered: Aug 2007
Location: Linköping, Sweden
Distribution: Slackware
Posts: 959

Rep: Reputation: 649
Again, I would recommend relying on the SMTP service of some web hotel. But if you feel confident about how to configure a secure SMTP server which does not end up relaying spam on the internet or becoming a backdoor to your network, and also think that it is a nice hobby to be prepared 24/7 to quickly apply security patches, then running your own email server might be a good idea.

regards Henrik
 
Old 03-18-2024, 06:27 PM   #15
viel
Member
 
Registered: Jul 2021
Location: Arcadia
Distribution: Slackware
Posts: 46

Rep: Reputation: Disabled
Quote:
Originally Posted by BAcidEvil View Post
I really don’t know what I want, or which option to choose. It all started with “you should run your email server in a DMZ separate from your LAN”. So now, googling this and that, I’m like, well, ok, but still missing some components in theory and topology. I guess the issue is, I don’t know what I want or the correct way to implement it. I mean, do I want to relay incoming and outgoing through the DMZ? Like I feel I’m getting a hammer to my head cause I’m not grasping WHAT I should do, or whether to just leave it as it is: email server on LAN.
Hi,

I am not the best security expert, but the purpose of running in a DMZ is that in case of compromise it doesn't affect the entire LAN.
It is recommended to run servers on separate DMZs, isolated, to minimize the compromise of other servers in the same DMZ or LAN ...

Different config, different purpose, price, work, ...

You can put your server in a DMZ and only have it there. Like now in the LAN, but isolated from the LAN. Or isolate it with VLANs. Seems not what you are looking for.

You can put a relay front-end on the DMZ and a back-end on the LAN. If the DMZ is compromised they can relay, but not all mail data is affected. But if you can't detect the compromised relay early ..., you know.

So running a relay can be dangerous; you need to relay only for your domains and to the inside, and block OUTSIDE. Then the back-end can send emails from the LAN to the internet directly, from more secure to less secure, same config like now.

Not too much knowledge on managing SMTP, but just adding the relay address on the back-end will work.

From Internet --> Relay on DMZ --> SMTP on LAN.

From SMTP LAN --> To Internet.

EDIT: SMTP on LAN, different from the users' LAN if possible.

Tip: Different systems/distributions on relay and SMTP for best security. Like OpenBSD and Slackware.

Hope that helps.

Viel.

Last edited by viel; 03-18-2024 at 06:50 PM.
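The two-hop layout henca lays out in #10 and viel in #15 (DMZ front-end accepts mail for the domain from the internet and hands it to the LAN server; LAN server sends outbound through the DMZ; the relay accepts nothing else), as an added example that is neither from the thread nor from the Postfix project: constructed main.cf fragments for both boxes plus a small checker for the open-relay misconfiguration both posters warn about. The two internal addresses are from the thread; example.org, the hostnames and the LAN subnet are assumptions.

```python
import re

# Constructed main.cf fragments. 172.16.1.180 (DMZ relay) and 192.168.1.180
# (LAN server) are from the thread; example.org and the hostnames are placeholders.
DMZ_MAIN_CF = """\
# DMZ front-end: accept mail for our domain from the internet, hand it inward.
myhostname = mx.example.org
mydestination =
relay_domains = example.org
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8, 192.168.1.180/32
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
    reject_unauth_destination
"""
# /etc/postfix/transport on the DMZ box (build the hash with postmap):
DMZ_TRANSPORT = "example.org smtp:[192.168.1.180]:25\n"

LAN_MAIN_CF = """\
# LAN back-end: holds the mailboxes, sends all outbound mail via the DMZ relay.
myhostname = mail.example.org
mydestination = example.org, localhost
relayhost = [172.16.1.180]:25
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

OPEN_RELAY_MAIN_CF = """\
# Constructed counter-example: the spam-relay misconfiguration the thread warns about.
mynetworks = 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

AUTH_DEST = ("reject_unauth_destination", "defer_unauth_destination")


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    cfg, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            cfg[key] += " " + line.strip()
            continue
        key, _, val = line.partition("=")
        key = key.strip()
        cfg[key] = val.strip()
    return cfg


def relay_findings(cfg):
    """Return findings that let the box relay for anyone; an empty list means the relay rules are closed."""
    findings = []
    # Since Postfix 2.10 smtpd_relay_restrictions controls relaying; older setups use recipient restrictions.
    restr = cfg.get("smtpd_relay_restrictions") or cfg.get("smtpd_recipient_restrictions", "")
    tokens = [t for t in re.split(r"[,\s]+", restr) if t]
    rej = next((i for i, t in enumerate(tokens) if t in AUTH_DEST), None)
    if rej is None:
        findings.append("no reject_unauth_destination: the server relays to any destination")
    elif "permit" in tokens[:rej]:
        findings.append("unconditional 'permit' before reject_unauth_destination")
    for net in re.split(r"[,\s]+", cfg.get("mynetworks", "")):
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+/[0-7]", net):  # /0 to /7 covers essentially everyone
            findings.append(f"mynetworks {net} makes permit_mynetworks trust the whole internet")
    return findings


if __name__ == "__main__":
    for name, text in (("DMZ", DMZ_MAIN_CF), ("LAN", LAN_MAIN_CF), ("open relay", OPEN_RELAY_MAIN_CF)):
        print(name, "->", relay_findings(parse_main_cf(text)) or "relay rules closed")
```

On a live box, `postconf -n` prints the effective non-default settings in the same key = value form, so its output can be fed to `parse_main_cf` directly.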
 
  

