Let's try to verify this before I implement it: Check the logic of my madness.
I own an ISP and have dial-up customers and customers that use my email server as their SMTP outbound server. Simple enough, but I have a firewall running NAT at the border, the dial-up customers are within that NATted environment, and the traffic flows to another firewall running NAT again, which in turn forwards the traffic to my web and email servers. The spam filter and the email application are on the same server.
So for email the flow is as such:
WEB email (25)--Firewall 1(NAT)(25)---Firewall 2(NAT)(25)---SPAMfilter(26)----Email
The problem I am running into is that when my external customers want to relay, I would effectively have to know each of their external IP addresses and place them in the whitelist. This is of course unacceptable, as IP addresses change for external customers. So I am proposing this solution:
Routing the external IP of my mail server on Firewall 1 from port 25 to port 26 of the NATted mail server IP on Firewall 2, where the spam filter processes it and forwards it to port 25 of the same server. That takes care of the inbound mail.
I would also take the external IP of another of my servers NOT running SMTP and, on Firewall 1, redirect port 25 requests for that IP to the NATted mail server IP on Firewall 2. The next step is to have my external customers that use my mail server as their outgoing SMTP server change their outgoing SMTP server IP address to this IP address (the IP of the server NOT running SMTP). This way the customers are logging directly into the SMTP server and bypassing the spam filter for relay.
As for the dial-up customers, they don't have to change anything, as they route directly to the mail server on port 25.
So the new flow would be as such:
external (25)--FW1(26)----(26)FW2(26)---SPAMfilter--Mail Server
and
external (25)--FW1(25)----(25)FW2(25)----Mail Server
Any thoughts?
------------- Access International
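The design above splits SMTP ingress into two paths: one through the spam filter on port 26 for inbound mail, and one that bypasses the filter on port 25 for customers who relay outbound mail. The check a practitioner would want here is how the mail server itself decides who may relay on the bypass path, since the whole point of the second public IP is that customer source addresses are not known. The model below is an added example, not code from the original post; the domain names, address ranges, sample sessions and the two policy functions are constructed for illustration. It contrasts a policy that trusts the port alone (which turns the bypass path into an open relay) with one that gates relaying on SMTP AUTH or membership in the inside dial-up pool.

```python
"""Relay-policy model for the two SMTP ingress paths described in the post.

Added example, not part of the original post. LOCAL_DOMAINS, DIALUP_NET and
the sample sessions are assumed/constructed values for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SMTP_PORT = 25          # bypass path: second public IP -> FW1 -> FW2 -> mail server
SPAMFILTER_PORT = 26    # filtered path: mail-server public IP -> FW1 -> FW2 -> spam filter

LOCAL_DOMAINS = {"example.net"}         # assumed: domains the mail server hosts
DIALUP_NET = ip_network("10.1.0.0/16")  # assumed: inside-NAT dial-up address pool


@dataclass(frozen=True)
class Session:
    dst_port: int        # port the connection arrived on at the mail server
    src_ip: str          # client source address as seen by the mail server
    authenticated: bool  # whether the client completed SMTP AUTH
    rcpt_to: str         # the RCPT TO address being decided


def recipient_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def naive_policy(s: Session) -> str:
    """What the design implies if the server trusts the arrival port alone:
    anything on port 25 is treated as a customer and may relay anywhere.
    An unauthenticated external client is therefore an open relay."""
    if recipient_domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"
    return "accept" if s.dst_port == SMTP_PORT else "reject"


def hardened_policy(s: Session) -> str:
    """Relay only for clients that passed SMTP AUTH or come from the inside
    dial-up pool; never relay mail handed over by the spam filter on port 26."""
    if recipient_domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "accept"                      # local delivery is fine on any path
    if s.dst_port == SPAMFILTER_PORT:
        return "reject"                      # filtered path is inbound-only
    if s.authenticated:
        return "accept"                      # roaming customer, any source IP
    if ip_address(s.src_ip) in DIALUP_NET:
        return "accept"                      # dial-up customer inside the NAT
    return "reject"


def open_relay_sessions(policy, sessions):
    """Sessions in which an unauthenticated, non-dial-up client is allowed
    to relay to a non-local domain, i.e. evidence of an open relay."""
    return [s for s in sessions
            if policy(s) == "accept"
            and recipient_domain(s.rcpt_to) not in LOCAL_DOMAINS
            and not s.authenticated
            and ip_address(s.src_ip) not in DIALUP_NET]


# Constructed sample sessions covering the client types in the post.
SAMPLE_SESSIONS = [
    Session(SPAMFILTER_PORT, "192.0.2.10", False, "user@example.net"),    # inbound via filter
    Session(SPAMFILTER_PORT, "192.0.2.10", False, "victim@example.org"),  # relay attempt via filter
    Session(SMTP_PORT, "203.0.113.5", True, "friend@example.org"),        # roaming customer with AUTH
    Session(SMTP_PORT, "203.0.113.5", False, "victim@example.org"),       # stranger on the bypass path
    Session(SMTP_PORT, "10.1.42.7", False, "friend@example.org"),         # dial-up customer
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"port {s.dst_port} {s.src_ip:<12} auth={s.authenticated!s:<5} "
              f"{s.rcpt_to:<20} naive={naive_policy(s):<6} hardened={hardened_policy(s)}")
    print("open-relay sessions under naive policy:",
          len(open_relay_sessions(naive_policy, SAMPLE_SESSIONS)))
```

The model assumes the mail server offers SMTP AUTH on port 25; the post does not say whether it does, and without it the only remaining distinction on the bypass path is the source address, which is exactly what the second public IP was meant to avoid depending on.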