Advice About Network Design and Security

Unanswered Question
Sep 18th, 2008
User Badges:

Dear All,

I have the following network scenario:

An Internal Mail server that forward the mail messages to an external sendmail server that send/receive the mails from Internet.

Between the two mails servers starting from the inside, there are a L3Switch that act like bridge among the internal networks subnets where is connected the internal mail server .161.

The L3Switch is connected to the first Pix on the inside interface, and it is connected to the second Pix inside interface by its Dmz interface.The second pix has connected on the outside interface the ISP router, and on its DMZ the sendmail server that has a public ip

My question is:

From a security point of view, how is important that the internal and external mail server do not has routing informations about the external and internal networks ?I have configured the second pix to perform a port redirection in this way:

static (dmz,inside) tcp smtp smtp netmask

The internal mail server forward the mail to the pix apply the static, perform the port redirection to

Than I have added also:

static (dmz,inside) netmask

In this way the pix perform the outside nat so the source address is changed from to,so I have configured on the external mail server the instead of the real ip.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cleidh_mor Sun, 09/21/2008 - 23:48
User Badges:


I'm not sure about best practice in this area, but I think it's safe to say that the less information that's available on your externally reachable devices, the better. I think your config is sound, but if possible, it's a good idea to retrict access to the smtp port of your external mail server to trusted hosts.



This Discussion