Connecting to the mail server from the DMZ

Unanswered Question
spremkumar Tue, 08/22/2006 - 02:47

Hi


AFAIK, since the DMZ is considered a less secure zone compared to the inside network, you need to allow/permit the SMTP traffic from the DMZ to flow to the inside network.


But it's the other way around when you think of it from inside to DMZ, in which case you don't need to enable or open the required ports.


regs


The MX record is resolved by using a DNS server outside of the internal network. I read the information from the link that you provided; however, I don't think it explains a situation where the host computer on the DMZ is trying to route e-mail to a mail server that resides on the inside interface.


Thanks for your help so far,


Joey

vijayasankar Tue, 08/29/2006 - 03:51

Hi Joe,


As pointed out by the previous poster, is there proper access configured in your firewall to allow the SMTP connection from the server on the DMZ to the mail server on the inside network?

If you could provide the firewall config snapshot (after removing the sensitive information, public IPs, etc.), we would be able to have a look and help you correct any problems in the configuration. Provide IP address details for the involved servers also.


You can quickly check whether an SMTP connection to the inside server is allowed from the server on the DMZ as follows.


On the server located in the DMZ, initiate a telnet connection to the inside server IP on port 25 (telnet 25). If the telnet session responds, then there is no issue at the firewall level and you need to check the settings of the mail server configuration.


HTH

-VJ
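
As an added illustration of VJ's telnet check (this is not code from the thread), the Python script below makes the same TCP/25 attempt and classifies the outcome, so a silent timeout (what a firewall dropping the SYN looks like) can be told apart from a refused connection (the host was reached, but nothing is listening there). The loopback listener and its banner are constructed for the demo.

```python
import socket
import threading

def check_smtp(host, port=25, timeout=5.0):
    """Try the TCP/25 connection the thread describes and classify the outcome:
    "open"     handshake done and a banner arrived: the firewall path works,
               so the mail server settings are the next thing to check
    "refused"  the host sent a RST: packets get through, but nothing listens
               there (or a static/alias delivered them to the wrong host)
    "filtered" no reply before the timeout: a firewall silently dropping
               the SYN (missing static/conduit/ACL) looks exactly like this
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", errors="replace").strip()
            except socket.timeout:
                return "open", "connected, but no SMTP banner before timeout"
            return "open", banner
    except ConnectionRefusedError:
        return "refused", "host reachable, no listener on the port"
    except (socket.timeout, TimeoutError):
        return "filtered", "no response before timeout"
    except OSError as exc:
        return "error", str(exc)

def start_fake_smtp(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for the inside mail server: a loopback listener
    answering one connection with a banner. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        except OSError:
            pass  # listener closed before a client arrived
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close

def unused_port():
    """A loopback port with nothing listening, to demonstrate "refused"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run check_smtp from the DMZ host against the inside mail server's address (172.17.16.10 in this thread); "filtered" points at the firewall rules, "refused" or "open" means the packets already get through.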


sundar.palaniappan Tue, 08/29/2006 - 14:58

You are missing a few things from your configuration: NAT, conduit and alias.


You need to define a NAT rule, a conduit to allow the traffic between the servers, and an alias configured to do DNS doctoring, as the DMZ server tries to communicate with the inside server using the global IP address.


Can you configure the following and try?


static (inside, dmz) 172.17.17.11 172.17.17.11 netmask 255.255.255.255

conduit permit tcp host 172.17.17.11 host 172.17.16.10 eq smtp


alias (dmz) 172.17.16.10 199.199.199.70 255.255.255.255



HTH,


Sundar



Thanks Sundar,


I tried the configuration changes that you suggested. However, I think the correct address for the host on the DMZ should have been 172.17.17.111, and I think the conduit command should have the host addresses reversed. I tried it both ways and I still could not telnet to the mail server (172.17.16.10) using port 25 from the host on the DMZ. Here is a copy of the new config with the changes that you recommended.


