Sven Schultheiß:
Hi,
> But then, you need an open port from the DMZ into your internal net. I don't think that this is a good idea.

I do. I would recommend everyone to set up a bastion host which receives mail for your network and relays it to your internal mailserver. You only need to open a connection from your bastion host (port above 1023) to your internal mailserver (port 25). I don't see much trouble here.
> If your DMZ's mailserver is compromised, your internal net could be compromised in an easy way. (Normally you would have the same mailserver/same version with the same bug in your internal net.)

Only true if the compromise is achieved via the mail service. Otherwise the intruder would be able to send mail via SMTP to your internal mailserver. Of course one should use a recent, secured mailserver.
> Wouldn't it be possible to write a script on the internal mailserver which fetches the mail, and run a cron job every couple of minutes to get the mail?

And how is your mail transported in this scenario? This also opens a way from the DMZ to your internal network.

Peter
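The bastion-host setup Peter describes above, as an added example that is not part of the original thread: a shell script that emits an nftables forward policy in which the only new connection the DMZ may open into the internal net is bastion (unprivileged source port) to internal mailserver port 25, plus the Postfix fragments that make the bastion a pure relay for the internal domain. The addresses (192.0.2.10, 10.0.0.25), interface names (dmz0, int0) and domain (example.com) are assumptions, as is the use of nftables and Postfix; the thread names neither.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed topology:
#   bastion host 192.0.2.10 on dmz0, internal mailserver 10.0.0.25 on int0,
#   internal mail domain example.com, firewall runs nftables, bastion runs Postfix.

DMZ_BASTION="192.0.2.10"
INT_MAIL="10.0.0.25"
MAIL_DOMAIN="example.com"

# Firewall policy for the DMZ -> internal direction. Return packets of
# already-accepted connections pass via conntrack; the only new connection
# allowed is bastion:1024-65535 -> internal mailserver:25. Everything else
# that tries to cross from dmz0 to int0 is counted and dropped.
dmz_to_internal_ruleset() {
  cat <<EOF
table inet dmz_filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iifname "dmz0" oifname "int0" ip saddr ${DMZ_BASTION} ip daddr ${INT_MAIL} tcp sport 1024-65535 tcp dport 25 ct state new accept
    iifname "dmz0" oifname "int0" counter drop
  }
}
EOF
}

# Sanity check on the generated policy: apart from the conntrack return
# rule, no accept line may exist that is not restricted to tcp dport 25.
# Returns 0 when the policy is as tight as intended, 1 otherwise.
check_ruleset() {
  if dmz_to_internal_ruleset | grep 'accept' | grep -v 'established,related' \
       | grep -v 'tcp dport 25' | grep -q .; then
    return 1
  fi
  return 0
}

# Optional syntax check with the real tool, skipped where nft is absent.
nft_syntax_check() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping"; return 0; }
  dmz_to_internal_ruleset | nft -c -f -
}

# Postfix main.cf fragment for the bastion: it is not a destination for any
# domain itself (mydestination empty), only relays example.com inbound, and
# refuses to relay anything else (reject_unauth_destination).
bastion_postfix_main_cf() {
  cat <<EOF
mydestination =
relay_domains = ${MAIL_DOMAIN}
transport_maps = hash:/etc/postfix/transport
mynetworks = 127.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# /etc/postfix/transport: deliver example.com straight to the internal
# server by IP (brackets suppress the MX lookup), port 25.
bastion_transport_map() {
  echo "${MAIL_DOMAIN} smtp:[${INT_MAIL}]:25"
}

# Stand-alone usage: sh thisfile.sh show
if [ "${1:-}" = "show" ]; then
  dmz_to_internal_ruleset
  echo
  bastion_postfix_main_cf
  echo
  bastion_transport_map
  check_ruleset && echo "ruleset check: ok" || echo "ruleset check: FAILED"
fi
```

The firewall rule keeps a compromised bastion from reaching anything internal except the SMTP listener, which is exactly the residual risk Peter concedes: the internal server still has to be patched and hardened on its own, because port 25 stays open to the bastion by design. Adding a `relay_recipient_maps` table on the bastion (listing valid internal addresses) would further stop it from accepting and bouncing mail for non-existent users.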