Glenn English put forth on 4/1/2010 5:42 PM:
> I was asking about Postfix running as a daemon on the firewall computer that
> handles routing and inspecting traffic between the WAN, the DMZ, and the LAN.
> This Postfix would intercept and inspect incoming SMTP connections (and drop
> some) before passing valid ones on to the real Postfix MTA running on a
> computer in the DMZ. A 3-hole PIX running Postfix, in other words.
If you want all the edge security managed by one device, I'd suggest you look here: http://www.astaro.com/ and prepare to open the corporate pocketbook relatively wide depending on the size of your user base and WAN bandwidth.

If you actually know enough about what you're doing, just punch a TCP 25 pub/priv PAT hole through your current F/W to your Postfix server and beef up your AS/AV countermeasures. We've talked about a plethora of such methods both here and on spam-l that you've seen.

Using an SMTP proxy/relay on the F/W box and sticking your Postfix server in the DMZ is a useless, fruitless, labor hogging effort, complicating your network architecture and introducing new troubleshooting headaches, for _zero_ security gain. Proxies and DMZs look neat on paper and in theory, but in the real world, for 95%+ or more of deployed applications, including SMTP mail, they create far more problems than they could ever hope to solve. Any seasoned sysop shuns unneeded complexity. The KISS principle applies to IT as it does to most things.

--
Stan