On Sun, 04 Oct 2009, Ansgar Wiechers wrote:

> On 2009-10-04 Sahil Tandon wrote:
> > On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> >> On 2009-10-04 mouss wrote:
> >>
> >>> anyway, it is ok to relay mail from the DMZ to the LAN.
> >>
> >> No.
> >
> > Why?
>
> Because violating the DMZ is never okay without a Damn Good Reason(tm).
> That's firewalling 101. If you allow inbound connections from untrusted
> to trusted networks, there's no point in having a DMZ in the first
> place.

I appreciate the adherence to Firewalling 101 (something you have preached before on security-basics), but common sense and practical issues might impel one to make an exception and allow port 25 *only* from Outside Postfix -> Inside Postfix. IMHO, of course. YMMV, TMTOWTDI and all other disclaiming acronyms.

--
Sahil Tandon <sa...@tandon.net>