On 2009-10-04 Sahil Tandon wrote:
> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>> On 2009-10-04 Sahil Tandon wrote:
>>> On Sun, 04 Oct 2009, Ansgar Wiechers wrote:
>>>> On 2009-10-04 mouss wrote:
>>>>> anyway, it is ok to relay mail from the DMZ to the LAN.
>>>>
>>>> No.
>>>
>>> Why?
>>
>> Because violating the DMZ is never okay without a Damn Good Reason(tm).
>> That's firewalling 101. If you allow inbound connections from untrusted
>> to trusted networks, there's no point in having a DMZ in the first
>> place.
>
> I appreciate the adherence to Firewalling 101 (something you have
> preached before on security-basics), but common sense and practical
> issues might impel one to make an exception and allow port 25 *only*
> from Outside Postfix -> Inside Postfix.

I have yet to see what "common sense" or "practical issues" would
"impel" someone to make this exception. You may want to elaborate on
that one.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky