Quote:
Originally Posted by BAcidEvil
Broken Record Here.
So your 2 examples:
Internet —> Relay (DMZ) 172.16.1.180 —> SMTP (LAN) 192.168.1.180
Is this literally setting up the DMZ how I would on the LAN but adding the relay IP address to it?
I ask because you're suggesting SMTP on LAN; does that mean I remove that “code” from the DMZ Postfix?
SMTP (LAN) 192.168.1.0 —> Internet
SMTP is “outgoing”, right? I guess I am confused on how #1 DMZ relays (what’s it relaying? Incoming IMAP?) and #2 Are both DMZ and INSIDE Postfix set up the same, but DMZ has the “relay address” added to it? It would seem that DMZ would run Postfix only, whereas INSIDE would run the Dovecot setup?
I see it as: Email comes from the Internet and goes to DMZ 172.16.1.180, which relays it to INSIDE (192.168.1.180), and then when I send Email, it sends straight out from INSIDE to the Internet. So DMZ is for Incoming?
I am sorry… I am just for some reason slow as HELL with this; I’m beside myself how it isn’t clicking!!! Please continue to be patient.
I talk from a network point of view. I don't know too much about SMTP config, but I'm sure it is possible.
Quote:
Is this literally setting up the DMZ how I would on the LAN but adding the relay IP address to it?
No. The Relay DMZ config is not the same as SMTP on LAN.
https://stackoverflow.com/questions/...pecific-domain
Quote:
does that mean I remove that “code” from the DMZ Postfix?
What code?
Quote:
I see it as: Email comes from the Internet and goes to DMZ 172.16.1.180, which relays it to INSIDE (192.168.1.180), and then when I send Email, it sends straight out from INSIDE to the Internet. So DMZ is for Incoming?
Yes.
To make it easy:
The first point is to have the SMTP LAN server on a separate segment of the net, like Inside_SMTP_DMZ, SMTP_DMZ or SMTP_LAN; the name is as you want, only for management. DMZ is a network naming convention. If you have a big network with external and internal segmentation, you need those convention names.
The second point is: does the mail server need to be overprotected? Or is it overloaded? Or does it need 24/7, clustering? ...
Then you need to play with relays, clusters, load balancing ...
Think about it: more complex, more work to manage, more vulnerable points and more risk. A relay will be fine; it is the first line of protection, similar to a proxy (EDITED: WAF) for a web application, but it is not a magic solution. You will need to monitor 2 machines: the relay and the mail server.
So, from my point of view, when you have the 1st point accomplished, you can mount a DMZ and put a relay in it.
About the need to send the outgoing mails through the relay. Why? If you have a SPAM filter or some kind of config that can't run on the primary server because of the load, go through the relay. If not, don't overload the relay, by the way.
Well, if you trust your LAN network users you can send mails direct to the back-end. Or config it through the relay too.
From your first post:
Quote:
I am wanting to mess around on the Cisco ISR with “zone based firewall” and create a DMZ. I wanted to make an email server on the DMZ as an “out of network” server 172.16.1.180 and then as a relay to my existing email server 192.168.1.180. So I was wondering what all I needed to do in current email config. Currently it’s just listening to incoming smtp from the outside, but am wondering if I just add in the relay address 172.16.1.180?
Sorry I’m not good at explaining
You are right, but not at all. Mount a new server on a separate network segment with the same config, then move your actual mail to the other segment, and then play with the relay to leave the front-end as relay and the back-end as server.
There are 100 ways to do it. You will have to look for what you see as safe, that you can carry out and that keeps you from complicating things much.
Hope that helps you from my little knowledge; don't expect me to tell you the exact mail configuration, it is not my knowledge and I would not feel comfortable. Maybe when you are clear, others can help you more with concrete parameters.
These comments are provided in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. XD
I hope I have clarified the doubts.
Viel.
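As an added example (not configuration from the thread or from either poster), here is the kind of Postfix split the reply above describes: a DMZ relay that accepts inbound mail for the domain and hands it to the inside server, and an inside server that owns the mailboxes and can either send outbound directly (the "straight out" path in the question) or via the relay. The IP addresses are the ones from the thread; the domain example.com, the hostnames, the mailbox list and the 192.168.1.0/24 LAN mask are assumptions. It also answers the "are both set up the same" question: they are not, because only the relay has relay_domains and transport_maps, and only the inside server lists the domain in mydestination.

```conf
# ---- /etc/postfix/main.cf on the DMZ relay (172.16.1.180) ----
# Added example, not from the thread. Domain, hostnames and the /24 LAN mask are assumptions.
# Postfix only honours comments on their own line, so no trailing comments are used here.
myhostname = relay.example.com
mydomain = example.com
myorigin = $mydomain
# Listen on all interfaces; the zone-based firewall decides who can reach port 25.
inet_interfaces = all
# The relay keeps no mailboxes: only the relay's own hostname counts as "local".
mydestination = $myhostname, localhost.$mydomain, localhost
# Domains the relay accepts from the Internet and forwards to the inside server.
relay_domains = $mydomain
# Where mail for those domains goes (see the transport table below).
transport_maps = hash:/etc/postfix/transport
# Known recipients, so unknown addresses are rejected at the relay instead of
# being accepted and bounced later (avoids backscatter and spares the inside server).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Only localhost and the inside server may use the relay for outbound mail.
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.180/32
# Accept from our own networks, and anything addressed to relay_domains;
# refuse everything else, so the box is not an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# ---- /etc/postfix/transport on the DMZ relay ----
# Build the lookup table with: postmap /etc/postfix/transport
# Brackets around the IP skip the MX lookup and deliver straight to that host.
example.com    smtp:[192.168.1.180]

# ---- /etc/postfix/relay_recipients on the DMZ relay ----
# One line per valid mailbox (assumed list); the right-hand value is ignored.
# Build with: postmap /etc/postfix/relay_recipients
user1@example.com    x
user2@example.com    x

# ---- /etc/postfix/main.cf on the inside server (192.168.1.180) ----
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
# This server owns the mailboxes (Dovecot lives here): the domain is a local destination.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# LAN clients (192.168.1.0/24 assumed) may submit mail through this server.
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# Outbound option A ("straight out from INSIDE to the Internet"): leave relayhost unset.
# Outbound option B (everything leaves through the DMZ relay): uncomment the next line.
# relayhost = [172.16.1.180]
```

After editing, run `postmap` on the two lookup tables and `postfix reload` on each box. The zone-based firewall then only needs TCP 25 from the Internet to the relay, from the relay to the inside server, and, depending on the outbound option chosen, from the inside server to the relay or to the Internet; the inside server never has to accept port 25 from the Internet zone at all.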