Subject: Re: Is this possible with postfix?
From: Wietse Venema (wietseporcupine.org)
Date: Fri Mar 03 2000 - 16:45:17 CST


Parkhaev Vladimir:
> On Fri, 3 Mar 2000, Wietse Venema wrote:
>
> > Have the MX record point to the external host.
> >
> > my.domain IN MX 10 external.my.domain
> >
> > On the external host, use a transport map
> >
> > /etc/postfix/transport:
> > my.domain internal.my.domain

Should be: my.domain smtp:internal.my.domain

> > /etc/postfix/main.cf:
> > relay_domains = my.domain
> >
> > On the internal host,
> >
> > /etc/postfix/main.cf:
> > relayhost = external.my.domain
> > mydestination = my.domain, internal.my.domain localhost.my.domain ....
> >
> > People with firewalls do this all the time.
> >
> > Wietse
> >
>
> Hm, if I am not mistaken, with MX record pointing to external host,
> the flow of traffic will be as follows:
>
>
>               +--------+     +----------+         +----------+
> Internet ---->| Public |---->| Internal |-------> | Internal |
>          <----| SMTP   |<----| SMTP     | ------  | Client   |
>               +--------+     +----------+    |    +----------+
>                                    ^         |
>                                    |_________|

That depends on how internal clients are set up. If you have a
router between external and internal host, then you can prevent
internal hosts from going to the external machine.

In order to make this work smoothly you use a split DNS setup.

- The internal host runs the internal DNS with an MX record that
points to the internal host, and forwards other queries to the name
server on the external host which talks to the internet.

- The external host runs the external DNS with an MX record that
points to the external host. The external host may have a resolv.conf
file that points to the internal machine, in which case you can
avoid the use of a transport table in the example above.

This is a standard example in firewalls books.

        Wietse
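Added example, not part of the thread: a small Python model of how each of the two hosts above picks the next hop for mail to my.domain, so you can see why the external host needs either the transport(5) entry or a resolv.conf that points at the internal DNS. It models only the Postfix rules mentioned in the thread (transport_maps first, then mydestination, then relay_domains with an MX lookup in the host's own DNS view, then relayhost); the host names and DNS views are the thread's, the main.cf values are constructed for illustration.

```python
# Simplified model of Postfix next-hop selection for the firewall setup in
# the thread above.  Constructed example; not Postfix code.

# What each host sees when it resolves the MX for my.domain (split DNS).
DNS_VIEWS = {
    "external": {"my.domain": "external.my.domain"},  # public DNS view
    "internal": {"my.domain": "internal.my.domain"},  # internal DNS view
}

# External (firewall) host: relays my.domain inward via a transport entry.
EXTERNAL = {
    "mydestination": {"external.my.domain", "localhost.my.domain"},
    "relay_domains": {"my.domain"},
    "transport": {"my.domain": "internal.my.domain"},  # "my.domain smtp:internal.my.domain"
    "dns_view": "external",
}

# Internal host: final destination for my.domain, everything else goes out
# through the external host.
INTERNAL = {
    "mydestination": {"my.domain", "internal.my.domain", "localhost.my.domain"},
    "relayhost": "external.my.domain",
    "dns_view": "internal",
}


def mx_hop(host, cfg, domain):
    """Resolve the MX in this host's DNS view; fall back to the domain itself."""
    mx = DNS_VIEWS[cfg["dns_view"]].get(domain, domain)
    if mx == host:
        # Postfix would defer this as "mail for <domain> loops back to myself"
        raise RuntimeError(f"{host}: mail for {domain} loops back to myself")
    return ("smtp", mx)


def next_hop(host, cfg, domain):
    """Return ('local', None) or ('smtp', nexthop) for mail to domain."""
    if domain in cfg.get("transport", {}):          # transport(5) entry wins
        return ("smtp", cfg["transport"][domain])
    if domain in cfg["mydestination"]:              # local delivery
        return ("local", None)
    if domain in cfg.get("relay_domains", ()):      # relay class: MX lookup, relayhost not used
        return mx_hop(host, cfg, domain)
    if cfg.get("relayhost"):                        # default class with a relayhost
        return ("smtp", cfg["relayhost"])
    return mx_hop(host, cfg, domain)                # default class: MX lookup


if __name__ == "__main__":
    print(next_hop("external.my.domain", EXTERNAL, "my.domain"))   # smtp to internal.my.domain
    print(next_hop("internal.my.domain", INTERNAL, "my.domain"))   # local
    print(next_hop("internal.my.domain", INTERNAL, "example.net")) # smtp to external.my.domain
```

Dropping the transport entry on the external host while it still uses the public DNS view makes next_hop raise the loop error, because the MX for my.domain points back at the external host itself; pointing that host's dns_view at the internal DNS instead (the resolv.conf trick) restores the inward hop without a transport table.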