From: Victor Duchovni (Victor.Duchovnimorganstanley.com)
Date: Thu Apr 01 2010 - 17:05:07 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 01, 2010 at 03:52:46PM -0600, Glenn English wrote:

>
> On Apr 1, 2010, at 1:48 PM, Victor Duchovni wrote:
>
> > What is the "it" that has to be done for "security reasons".
>
> Reverse proxy-ing servers on the firewall. The idea, as I understand it, is to keep badness from getting to the servers. I can kinda understand that for HTTP -- ACLs based on UR* and stuff like that might make apache's life easier -- but I don't really know what good an SMTP reverse proxy would do, aside from double checking protocol.
>
> > If you don't need proxy-mode for non-security reasons, you don't need
> > proxy mode.
>
> I didn't think so (I'm a long way from needing load balancing, and postfix seems to do a pretty good job of looking out for itself), but I'm looking into it. Thanks for the vote against.
>
> It occurs to me to move the spam filtering to the firewall, but I don't see a lot to be gained from that. Besides, I'm a refugee from "fixup protocol smtp."

Were you asking about using Postfix as a proxy in front of internal SMTP
servers, or using firewall reverse-proxy SMTP support to sit in front of
Postfix. The latter is definitely a very bad idea. The former is sometimes
appropriate, but fairly unusual, letting Postfix operate normally with
a store and forward queue is much more typical and usually the right choice.

--
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]