On Thu, Apr 01, 2010 at 03:52:46PM -0600, Glenn English wrote:

>
> On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:
>
> > What is the "it" that has to be done for "security reasons".
>
> Reverse proxy-ing servers on the firewall. The idea, as I understand it, is
> to keep badness from getting to the servers. I can kinda understand that for
> HTTP -- ACLs based on UR* and stuff like that might make apache's life easier
> -- but I don't really know what good an SMTP reverse proxy would do, aside
> from double checking protocol.
>
> > If you don't need proxy-mode for non-security reasons, you don't need
> > proxy mode.
>
> I didn't think so (I'm a long way from needing load balancing, and postfix
> seems to do a pretty good job of looking out for itself), but I'm looking
> into it. Thanks for the vote against.
>
> It occurs to me to move the spam filtering to the firewall, but I don't see a
> lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

Were you asking about using Postfix as a proxy in front of internal SMTP
servers, or using firewall reverse-proxy SMTP support to sit in front of
Postfix? The latter is definitely a very bad idea. The former is sometimes
appropriate, but fairly unusual; letting Postfix operate normally with a
store and forward queue is much more typical and usually the right choice.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.