When a Mail Relay is being used

In cases where you have a DMZ (Demilitarized Zone) with a Mail Relay host (i.e. Linux, Windows 2000/2003 + IIS and SMTP, a dedicated appliance and so on) you will need to provide the FQDN and IP address of your Mail Relay machine, and configure the Firewall to only allow TCP Port 25 traffic to be sent to the Mail Relay's IP address, not to your real mail server.

You should then configure the Mail Relay to forward the incoming e-mail traffic to the real mail server (after scanning it for spam, viruses and so on).

Let's say you have the following LAN configuration:
                      Internet
                         |
                         |
             192.90.1.1/29 (Real IP from ISP)
                         |
                  Internet Router
                         |
             192.90.1.9/29 (Real IP from ISP)
                         |
                         |
             192.90.1.10/29 (Real IP from ISP)
                         |
    Mail Relay --------------------- Firewall + NAT
    192.90.1.17/29                       |
    (Real IP from ISP)                   |
                              192.168.0.1 (Bogus IP)
                                         |
                                         |
    Mail Server ------------------- Switching Hub
    192.168.0.10                         |
    (Bogus IP)                           |
                                         |
                             Rest of internal network
In the above example your MX Record must point at the Mail Relay, i.e. the host named in the MX Record resolves to the Mail Relay's IP address:
Domain name: dpetri.net

Record FQDN      | Record Type | Record Value    | MX Pref
-----------------|-------------|-----------------|--------
mail.dpetri.net  | A           | 192.90.1.17     |
dpetri.net       | MX          | mail.dpetri.net | 10
Note: Make sure you properly configure the Firewall device to forward all TCP Port 25 traffic to 192.90.1.17, and to allow 192.90.1.17 to send TCP Port 25 traffic to your internal mail server at 192.168.0.10. Also, make sure you let the internal mail server communicate only with the Mail Relay device and that you set up an SMTP Connector on the mail server and configure it to relay all external mail to the Mail Relay.
Note: Some networks might use the Internet Router as their NAT device, and let the Firewall do only firewalling. In those cases, the scenario is a mixture between option #2 (NAT) and this one.