You should place your mail forwarders/scrubbers (ideally one for inbound and one for outbound - increased load balancing, fault tolerance, security) on the DMZ and have your mail server on the inside. The mail forwarders can scan for viruses etc. before they enter your environment or leave your environment. No one on the internet should have direct access to your internal network. That is what the DMZ is for. The internet should have access to the mail forwarders over certain ports (e.g. 25) and that's it. The forwarders then would have access to your internal mail server only over port 25 or whatever you want. This way, if your forwarders are compromised, they still don't have access to your internal network. It adds another layer of security. And of course use NAT between all the interfaces.
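
An added example, not part of the original post: a small Python check that audits a simplified list of firewall permit rules against the layout described above (internet to forwarders on SMTP only, forwarders to the internal mail server on SMTP only). The addresses, rule names and the vendor-neutral rule model are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation and private ranges); none of it is from the post.
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/28"),
         "inside": ipaddress.ip_network("10.0.0.0/8")}
RELAYS = ipaddress.ip_network("192.0.2.0/30")        # hypothetical mail forwarders
MAIL_SERVER = ipaddress.ip_network("10.1.1.25/32")   # hypothetical internal mail server
SMTP_PORT = 25

@dataclass(frozen=True)
class Rule:            # one "permit" rule in a simplified, vendor-neutral model
    name: str
    src: str
    dst: str
    port: int

def from_outside(net):
    """True when the source is not confined to a known internal zone."""
    return not any(net.subnet_of(zone) for zone in ZONES.values())

def audit(rules):
    """Return (rule name, reason) for each permit that breaks the DMZ relay design."""
    findings = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        smtp = r.port == SMTP_PORT
        if from_outside(src) and dst.overlaps(ZONES["inside"]):
            findings.append((r.name, "internet reaches the inside network directly"))
        if from_outside(src) and dst.overlaps(ZONES["dmz"]) and not (
                smtp and dst.subnet_of(RELAYS)):
            findings.append((r.name, "internet reaches the DMZ beyond SMTP to the forwarders"))
        if src.subnet_of(ZONES["dmz"]) and dst.overlaps(ZONES["inside"]) and not (
                smtp and src.subnet_of(RELAYS) and dst.subnet_of(MAIL_SERVER)):
            findings.append((r.name, "DMZ reaches inside beyond forwarder-to-mail-server SMTP"))
    return findings

# Constructed sample rule set: two rules match the design, two do not.
SAMPLE_RULES = [
    Rule("inet-to-relay-smtp", "0.0.0.0/0", "192.0.2.1/32", 25),
    Rule("relay-to-mailserver", "192.0.2.1/32", "10.1.1.25/32", 25),
    Rule("inet-to-mailserver", "0.0.0.0/0", "10.1.1.25/32", 25),
    Rule("relay-to-inside-ssh", "192.0.2.1/32", "10.0.0.0/8", 22),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```
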