On 2009-10-02 Augusto Casagrande wrote:
> Sorry, my mistake, it was actually postconf -n (as you can see, there
> are no default options).
>
> The users' mailboxes are in the LAN MTA.
>
> The route for inbound is: Internet->MX->DMZ MTA->LAN MTA
Is your DMZ server supposed to be the MX, or do you have a third server that is acting as MX?

Anyway, I'd strongly discourage using a setup where a DMZ server relays mail to an internal server, because that would effectively break the DMZ. An (IMHO) better approach would be to make the DMZ server the endpoint for inbound mail, and then have your LAN server pull the mail from it. If you absolutely must relay mail from the DMZ to your LAN, at least make sure that the DMZ server is thoroughly hardened.

After these general DMZ/firewall considerations, back to Postfix configuration. To avoid generating backscatter you need to make sure that your MX only accepts mail for valid recipients. You could use the reject_unverified_recipient restriction [1]. Personally I'd prefer to use relay_recipient_maps [2] and maintain a list of valid recipients, though. Depending on your environment, that list can be generated and pushed to the MX automatically.

> For Outbound: Clnt->LAN MTA->DMZ MTA

Configure the LAN server to relay all mail through the DMZ server [3].

[1] http://www.postfix.org/postconf.5.html#reject_unverified_recipient
[2] http://www.postfix.org/postconf.5.html#relay_recipient_maps
[3] http://www.postfix.org/postconf.5.html#relayhost

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
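As an added example (not part of the thread), the script below builds the relay_recipient_maps source table that the reply suggests maintaining on the DMZ MX, from an export of the LAN server's mailboxes, so the MX can reject unknown recipients at SMTP time instead of accepting and bouncing them. The domains, addresses and file path are constructed for illustration.

```python
"""Generate a Postfix relay_recipient_maps source table for the DMZ MX.

Added example: the MX rejects mail for addresses not in this table, which is
what prevents backscatter when the LAN server is the final destination.
Domain names, addresses and paths below are constructed, not from the thread.
"""
import re
from typing import Iterable, List, Tuple

# Domains the DMZ MX relays for; must match relay_domains on the MX (assumed).
RELAY_DOMAINS = {"example.com", "example.org"}

# Constructed sample export from the LAN mail server: mixed case, a blank
# line, a duplicate, an address in a foreign domain and a malformed entry.
LAN_MAILBOXES = """\
Alice@example.com
bob@example.com

alice@EXAMPLE.COM
carol@example.org
mallory@not-ours.net
broken-entry
"""

_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_relay_recipients(lines: Iterable[str],
                           relay_domains=RELAY_DOMAINS) -> Tuple[List[str], List[str]]:
    """Return (table_lines, rejected) for a Postfix hash: lookup table.

    Each table line has the form 'user@domain OK'. Addresses are lowercased
    (Postfix lookups are case-insensitive, so this also deduplicates), and any
    malformed entry or address outside the relayed domains is reported rather
    than silently written into the table.
    """
    accepted, rejected = set(), []
    for raw in lines:
        addr = raw.strip().lower()
        if not addr:
            continue
        if not _ADDR.match(addr) or addr.rsplit("@", 1)[1] not in relay_domains:
            rejected.append(addr)
            continue
        accepted.add(addr)
    return [f"{a} OK" for a in sorted(accepted)], rejected


def write_table(path: str, table_lines: List[str]) -> None:
    """Write the source file; run 'postmap hash:<path>' on the MX afterwards."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(table_lines) + "\n")


if __name__ == "__main__":
    table, bad = build_relay_recipients(LAN_MAILBOXES.splitlines())
    print("\n".join(table))
    print("# rejected entries:", bad)
```

The resulting file is referenced on the MX as `relay_recipient_maps = hash:/etc/postfix/relay_recipients` (path assumed) and regenerated whenever the LAN mailbox list changes.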