Originally posted by t_enriquez: What are the pros & cons on placing the email server on the internal network or DMZ?
Depends on the type of mail server ;-)
Some don't work very well in the DMZ *cough* Exchange *cough*
Also depends whether you are going to use the SMTP proxy to hand off all mail to and have all mail sent to or whether you are going to open ports up.
If you use the SMTP proxy I believe its pretty safe to have the mail server in the Internal network, and if its Exchange its really the only thing you can do.
Definitely put it behind the firewall. you do not have to use the mail functions on ASL, just open port 25 to your server.
There are lots of attacks against servers that can disable them. Protecting servers from these attacks is why we install firewalls. Application level activities are a secondary use of firewalls.
BTW, I have been involved with running firewalls since '93 and the basic functions have remained constant.
Thanks for the replies! I should have been more specific. (Sorry Bob) I want to use the SMTP proxy capability w/in ASL. I'm just not sure if I should place the mail server (Sendmail/Linux) on the service network, or internal network. I didn't mean the DMZ.
IN the 'classic' Bellovin/Cheswick sense, the DMZ is the network between the ISP router and the firewall.
Later, media people like me!!! defined the a quorentined network connected to a separate interface as the DMZ.
Given the later definition, I would recommend the DMZ. Particularly when you say you are running a Unix mail server (if you run any PROCMAIL stuff, you could get hit with a mail bomb, for example).
A compromised mail server could then launch attacks against internal systems.
IN the 'classic' Bellovin/Cheswick sense, the DMZ is the network between the ISP router and the firewall.
Later, media people like me!!! defined the a quorentined network connected to a separate interface as the DMZ.
Given the later definition, I would recommend the DMZ. Particularly when you say you are running a Unix mail server (if you run any PROCMAIL stuff, you could get hit with a mail bomb, for example).
A compromised mail server could then launch attacks against internal systems.
Originally posted by t_enriquez: Thanks for the replies! I should have been more specific. (Sorry Bob) I want to use the SMTP proxy capability w/in ASL. I'm just not sure if I should place the mail server (Sendmail/Linux) on the service network, or internal network. I didn't mean the DMZ.
Tony
If its Sendmail/Linux then you would be safest putting it in the DMZ. Then it will be as protected as it can be and it will protect other internal systems from it if it is compromised.
But if you are going to use the SMTP proxy you stand probably less of a chance of it being compromised.
