Mailserver on a DMZ interface

Unanswered Question
Aug 22nd, 2007

What would be the advantages/disadvantages to having your internal Mailserver on the DMZ interface of an ASA5510?


anandramapathy Wed, 08/22/2007 - 10:53

Advantage -

Your internal network would be secure if your rules are good. If a virus hits your mail server, your internal network would still be secure.

Disadvantages -

If it is an Exchange server, then you need to open up lots of ports to the internal network for the domain-related communication : )

You need to take care of backups, which may involve additional routing config on the server, like putting in 2 NICs.

One for internal communication & one for the DMZ interface.

You need to do some jugglery with the static routing on the mail server.

HTH - Please rate if this helps

kholford Thu, 08/23/2007 - 07:29

I'm jumping in on this conversation but am wondering about putting 2 NICs in the mailserver in the DMZ - one NIC to the DMZ and one NIC to the inside. If the server is going to have a connection to the inside network then why even put it in the DMZ? Wouldn't that addition create another route inside your internal network?

anandramapathy Thu, 08/23/2007 - 07:50

You are right. This is definitely not a good practice; care has to be taken that routing between the 2 interfaces is not enabled.

Another option is to back up through the firewall, which will definitely load the firewall.

However, if you are keen on high security, then put the mail server on the inside & open up ports to the Internet.

Another option is to use a frontend/backend mail server config where the frontend is exposed to the Internet & placed in the DMZ.

The backend server is on the inside and serves all the data to the frontend.
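As an added illustration (not from any poster in this thread), the frontend/backend split above expressed as pre-8.3 ASA 5510 configuration: the Internet reaches only SMTP on the DMZ relay, and the relay may reach only SMTP on the inside backend. The interface names, the 203.0.113.25 / 192.168.50.25 / 10.1.1.25 addresses and the DNS permit are assumptions for the example.

```cisco
! Added example, not a configuration from this thread. Addresses are made up:
!   203.0.113.25  = public address published for the DMZ relay
!   192.168.50.25 = DMZ frontend relay
!   10.1.1.25     = inside backend mail server
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Publish the relay on a public address (pre-8.3 static NAT syntax)
static (dmz,outside) 203.0.113.25 192.168.50.25 netmask 255.255.255.255
!
! Internet -> DMZ: SMTP to the published relay only, everything else logged and dropped
access-list outside_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! DMZ -> elsewhere: applying an ACL replaces the default "lower to higher is denied,
! lower to lower/outside is allowed" behaviour, so every flow must be listed.
! Relay may hand mail to the backend on SMTP and nothing else on the inside network.
access-list dmz_in extended permit tcp host 192.168.50.25 host 10.1.1.25 eq smtp
access-list dmz_in extended deny ip any 10.1.1.0 255.255.255.0 log
! Relay still needs outbound SMTP and DNS (assumed resolver reachability) to deliver mail
access-list dmz_in extended permit tcp host 192.168.50.25 any eq smtp
access-list dmz_in extended permit udp host 192.168.50.25 any eq domain
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! Inside -> DMZ (backend handing outbound mail to the relay) is allowed by the
! security-level ordering; no inside ACL is required for that direction.
```

Because the relay holds no mailbox data, a compromise of it is contained to the DMZ, which is also why the frontend can be rebuilt from an image rather than backed up across the firewall.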

kholford Thu, 08/23/2007 - 08:16

I like the idea of putting the mail server in the DMZ or creating a Bastion Host mail server in the DMZ and the real mail server on the inside. If you put the mail server in the DMZ you could just image/ghost it and then not back it up nightly. There really shouldn't be too much data on the server so you could just back it up monthly.
