Quoting Kanwar Ranbir Sandhu <m3freak at rogers.com>:
> 1. Should I just leave mail storage on the same box in the DMZ?
> 2. If the answer to 1 is no, what's the best way to get mail from the
> SMTP server in the DMZ to an IMAP server in the internal network?
> Here's what I've briefly considered:
The decision on having mail storage in the DMZ or not is up to you and
depends on your actual needs and security considerations (how
sensitive is the content of the emails and how disciplined is the user
population and/or 3rd parties in using encryption is just one thing to
think about). I've read a previous response saying something along
the lines of "if emails are sensitive, encrypt them". Easy to say and
explain to the tech person. Try it with non-tech people who don't
even work at your company (since those would be emails stored on your
server).
If you decide you want storage inside, here's a couple of tips. Note
that I'm mostly a sendmail guy, so you'll have to find postfix
equivalents yourself. Generally, I'd use SMTP to get emails from the DMZ
into the internal network. Not a big fan of fetchmail for this kind of
stuff. Fetchmail is a nice tool for individual users. But not for this
kind of stuff.
In the DMZ, make sure you accept email only for existing email
addresses. Any rejections you make, you want to make on your border
mail server. This includes non-existing email addresses, as well as
rejecting spam and virus infected messages. It will also save you
some bandwidth, since (a) the body of messages is not transmitted
(non-existing users case) and (b) your border mail server doesn't need
to generate delivery notifications.
You can do this in many ways. At least with sendmail. I'll describe
some. I'm not saying they are the best. It all depends on your local
configuration and preferences.
For example, you can configure the border system to accept email for
foobar.com. Then use virtusertable to map to some internal address
so mails get pushed to the inside:
user@foobar.com            user@internal.foobar.com
@foobar.com                error:nouser No such user here
Note that this will be rewriting the envelope address, the one users don't
see. The addresses in To/Cc/whatever headers remain as they were.
On the inside system, you'd configure it to accept email for
foobar.com and internal.foobar.com. This is to avoid sending internal
mail to the DMZ, and then having it come back inside. Then you can use
virtusertable again (optional) to map addresses to user mailboxes:
user@foobar.com            user
user@internal.foobar.com   user
@foobar.com                error:nouser No such user here
@internal.foobar.com       error:nouser No such user here
Another, maybe simpler, way to do it would be using LDAP mail routing.
I've no idea if postfix can do this. That way, all the information
needed for mail delivery is centralized in one place, and you don't
need to keep information on what email addresses exist and what
mailboxes they correspond to on both the internal and external server.
Basically, you'd use LDAP to store information on where the heck the user's
mailbox is. You would set the mailHost attribute to point to your
internal email server. You would not set the mailRoutingAddress
attribute. This would cause your external mail server to forward all
email for existing email addresses to the internal host. Your internal
host will figure out that mailHost points to itself, and deliver email
to the mailbox. So you don't need to rewrite email addresses like
when using virtusertable. There are a lot of options when configuring
LDAP routing, so if you go that way, best is to first read and fully
understand the documentation. Or you'll get unexpected results and will
be generally disappointed.
Now, the remaining problem is what to do for people who want to
access their email from outside. You probably don't want to allow
direct POP3/IMAP connections from outside to your internal mail
server. You may consider several options here. Webmail would be a very
nice approach in many cases. If you have lots of roaming laptop users
that insist on using their favorite email client from home or when on
the road, you might consider setting up a VPN for them. It kind of adds to the
complexity. Especially if you don't need a VPN for other stuff. On the
other hand, if you already have a VPN, then you have the solution for
accessing email from outside, right? Another solution might be
setting up an IMAP proxy in the DMZ. But it is almost the same as allowing direct
connections from the outside. So I'd leave it as a last resort.
It's kind of a long answer. Just giving you a couple of hints. In the
end, you might find some solution that better fits your needs. But at
least it will give you a couple of ideas to explore.
--
NOTICE: If you are not the intended recipient, you are hereby notified
that by reading this message you agreed not to disturb frogs during
mating season. For more info, visit http://www.8-P.ca/
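To make the two-hop virtusertable setup in the reply above concrete, here is an added example (not code from the original post or from sendmail itself) that simulates the lookups on the border host and the internal host and shows where a recipient gets rejected, rewritten or delivered. It assumes a simplified lookup order: exact "user@domain" first, then the "@domain" catch-all; sendmail's other key forms are not modelled.

```python
# Added example, not from the original post: a small simulation of the
# sendmail virtusertable lookups described in the reply, run over the two
# tables (border host in the DMZ, internal host) to show how an envelope
# recipient is either rejected at the border or rewritten and pushed inside.
# Assumption: only "user@domain" and the "@domain" catch-all are handled.
BORDER_TABLE = """
user@foobar.com            user@internal.foobar.com
@foobar.com                error:nouser No such user here
"""
INTERNAL_TABLE = """
user@foobar.com            user
user@internal.foobar.com   user
@foobar.com                error:nouser No such user here
@internal.foobar.com       error:nouser No such user here
"""

def parse_virtusertable(text):
    """Parse 'key <whitespace> value' lines into a dict; '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    return table

def route(table, recipient):
    """Return ('deliver', mailbox), ('relay', new_envelope) or ('reject', reason)."""
    local, _, domain = recipient.lower().partition("@")
    value = table.get(f"{local}@{domain}") or table.get(f"@{domain}")
    if value is None:
        return ("reject", "Relaying denied")  # not a domain this host accepts mail for
    if value.startswith("error:"):
        # Rejected at RCPT TO time: the sender never gets to transmit the body
        return ("reject", value.split(None, 1)[1])
    if "@" in value:
        return ("relay", value)  # envelope recipient rewritten, pushed to next hop
    return ("deliver", value)  # local mailbox on this host

def end_to_end(recipient):
    """Border hop first, then the internal hop on the rewritten envelope."""
    action, value = route(parse_virtusertable(BORDER_TABLE), recipient)
    if action != "relay":
        return (action, value)
    return route(parse_virtusertable(INTERNAL_TABLE), value)
```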