From owner-freebsd-security@FreeBSD.ORG Mon May 17 16:41:31 2004
From: Michael Collette
To: freebsd-security@freebsd.org
Date: Mon, 17 May 2004 16:39:08 -0700
Subject: Mail Server in the DMZ question
Message-Id: <200405171639.08701.metrol@metrol.net>

Been trying to puzzle through a firewall layout here involving E-Mail. Would have thought this was a more common kind of scenario, but I haven't been able to Google me up an answer to this one.

At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing mail into my secure network. This is a less than optimal setup simply due to having to allow traffic from the DMZ into my secure network without a preceding request for that data.

I want to have all the mail held on the server in the DMZ, then have it be pulled into the secure network for all my users by some means. Originally I thought I could just set up a multi-drop box, pull in the mail with Fetchmail, then have it delivered to my internal server for processing. Seems that there are way too many pitfalls for this setup to reasonably support all my users.

I then looked into configuring the DMZ server to hold all mail, then release it on an ETRN request. From what I've read on this I'm really no better off, as I still have to allow port 25 requests into my secure network.

Thanks,

--
"In theory, there is no difference between theory and practice. In practice, there is." - Yogi Berra