Re: 2 Postfix servers (DMZ + LAN)

From: Ansgar Wiechers (listsplanetcobalt.net)
Date: Fri Oct 02 2009 - 10:10:20 CDT


On 2009-10-02 Augusto Casagrande wrote:
> My idea is to put 2 MTA servers, one in the DMZ and the other in the
> LAN. The goal is to get security in the LAN, and only expose one
> server to the internet. Also, I want to "decompress" the traffic
> between the LAN and internet.
> So far, I've managed to send email from myfomail.com to
> mydomain.com, and from untrusted (internet) networks to
> mydomain.com. But I cannot send from mydomain.com to untrusted
> (internet) networks (i.e.: yahoo.com, gmail.com).

What route is your mail supposed to take?

Inbound: I-net --> MX --> LAN-MTA
                    DMZ-MTA

Outbound: Client --> LAN-MTA --> Smarthost --> I-net
                                  DMZ-MTA

Which server hosts your users' mailboxes?

> My DMZ Postfix postconf -d:
[...]
> And the LAN Postfix postconf -d :

Please post the output of "postconf -n" (-d will report the defaults,
which won't help much). Also please refrain from obfuscating things
unless you know exactly what you're doing.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq