Sahil Tandon:

> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>
> > On 2009-10-04 Sahil Tandon wrote:
> > > On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
> > >> On 2009-10-04 mouss wrote:
> > >>
> > >>> anyway, it is ok to relay mail from the DMZ to the LAN.
> > >>
> > >> No.
> > >
> > > Why?
> >
> > Because violating the DMZ is never okay without a Damn Good Reason(tm).
> > That's firewalling 101. If you allow inbound connections from untrusted
> > to trusted networks, there's no point in having a DMZ in the first
> > place.
>
> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.
>
> IMHO, of course. YMMV, TMTOWTDI and all other disclaiming acronyms.
If they really want no open ports, they can run UUCP between the inside and outside machines, where the inside polls the outside machine.

Wietse