An Internal Mail server that forward the mail messages to an external sendmail server that send/receive the mails from Internet.
Between the two mails servers starting from the inside, there are a L3Switch that act like bridge among the internal networks subnets 172.16.0.0/22 where is connected the internal mail server .161.
The L3Switch is connected to the first Pix on the inside interface, and it is connected to the second Pix inside interface by its Dmz interface.The second pix has connected on the outside interface the ISP router, and on its DMZ the sendmail server that has a public ip 188.8.131.52/29.
My question is:
From a security point of view, how is important that the internal and external mail server do not has routing informations about the external and internal networks ?I have configured the second pix to perform a port redirection in this way:
In this way the pix perform the outside nat so the source address is changed from 184.108.40.206 to 172.26.243.1,so I have configured on the external mail server the 172.26.243.1 instead of the real ip.
I'm not sure about best practice in this area, but I think it's safe to say that the less information that's available on your externally reachable devices, the better. I think your config is sound, but if possible, it's a good idea to retrict access to the smtp port of your external mail server to trusted hosts.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...