Re: Q: Hiding M$ Exchange behind a firewall ?
At 10:00 PM 12/22/00 +0100, Robert Waldner wrote:
On Fri, 22 Dec 2000 16:24:16 +0100, Michael Steiner writes:
<snip>
Well, the quick fix would be a virtusertable containing something like
user@official.domain user@internal.name.of.exchange
for each and every user.
It's just another damn thing for the admins to update :-\
My system at work is this
Internet --- Linux Firewall --- Internal network
The world-readable DNS says that the MX for avonside.school.nz is
avonside.school.nz preference = 10, mail exchanger = smtp-queue.ihug.co.nz
avonside.school.nz preference = 5, mail exchanger = mail.avonside.school.nz
smtp-queue.ihug.co.nz internet address = 203.29.160.69
mail.avonside.school.nz internet address = 203.173.241.182
That IP is the only world-readable IP we have, so *everything* uses it.
Now, the firewall is configured to use port-forwarding to redirect all
connections on port 25 to the internal Linux machine 192.168.1.2 (1).
This machine is called gpu and ran sendmail, and now runs exim, as an MTA. The
same machine is also the master DNS for the internal network. The gpu DNS
server knows that the MX for avonside.school.nz is 192.168.1.11 (the
Exchange server) and so mail gets properly handed off.
In reverse, the Exchange server is configured to use gpu as a SmartHost
(2) and the firewall knows that 192.168.1.2 is allowed full NATted
connections to whatever IP it wants, whereas the Exchange server is blocked
off completely from direct access to the world. Why? 'cos it's a hunk of
shit and I hate it. :) Furthermore, I don't trust it.
(OT) If anyone has any suggestions for replacing an exchange server with
something nicer I'm listening with full attention.
(1) You could direct it straight to the Exchange server if you want to, and
if it is updated against any known possible exploits.
(2) Cool name for it - Exchange knows it needs something smarter to
actually do the work....
--
Criggie
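The layout Criggie describes (inbound port 25 forwarded to the Linux relay, the relay NATted out, the Exchange box given no direct path to the Internet) expressed as a firewall policy. This is an added example, not Criggie's actual firewall configuration: the post does not say which packet filter the firewall ran, so iptables is assumed, as are the interface names eth0 (outside) and eth1 (inside). The addresses are the ones given in the post. Setting DRYRUN=1 prints the rules instead of applying them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Firewall policy for "Internet --- Linux Firewall --- Internal network" with a
# Linux MTA (gpu) in front of an Exchange server. Example code; the interface
# names and the choice of iptables are assumptions, the addresses come from the post.
EXT_IF=${EXT_IF:-eth0}                     # assumed: outside interface
INT_IF=${INT_IF:-eth1}                     # assumed: inside interface
PUBLIC_IP=${PUBLIC_IP:-203.173.241.182}    # mail.avonside.school.nz (from the post)
MTA=${MTA:-192.168.1.2}                    # gpu, the exim relay (from the post)
EXCHANGE=${EXCHANGE:-192.168.1.11}         # the Exchange server (from the post)

# Wrapper so DRYRUN=1 emits the rule set as text instead of calling iptables.
ipt() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_policy() {
    ipt -t nat -F
    ipt -F FORWARD
    # Nothing crosses the firewall unless a rule below says so.
    ipt -P FORWARD DROP

    # (1) Inbound SMTP hitting the public IP is port-forwarded to the relay,
    #     never to Exchange. DNAT keeps the real client address, so the relay's
    #     logs and any anti-relay checks see who actually connected.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MTA":25
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$MTA" --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # (2) Exchange is blocked from the world entirely; its only way out is the
    #     smart host. This rule sits before any broader accept for the LAN.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$EXCHANGE" -j DROP

    # The relay may open outbound connections anywhere and is NATted to the
    # public IP, which is also what the reverse DNS for outgoing mail resolves to.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$MTA" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$MTA" -j SNAT --to-source "$PUBLIC_IP"

    # Replies to connections the relay opened.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Run as root to install the policy, or with DRYRUN=1 to review it.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    apply_policy
fi
```

Two things this rule set deliberately does not do: it does not forward any other port to the Exchange box, and it does not give the rest of 192.168.1.0/24 a general outbound accept, so the Exchange DROP rule cannot be bypassed by a later, broader rule. The relay itself still has to refuse to relay for anyone other than the internal network; the firewall only decides who can reach port 25, not what the MTA does with the session.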