ME020359 - INF: How to use MailEnable in a Firewalled DMZ / Back-End Server Scenario


SUMMARY

Some organizations require that any data entering the organization pass through a proxy server configured in a De-Militarized Zone (DMZ) that is managed by one or more firewalls. This means running a copy of the mail server on the public side of the organization's firewall(s) and having this server pass mail on to the internal mail server through a separate private network.

DETAIL

The simplest way to use MailEnable in a DMZ is to smarthost the domains (or the entire connector) on the front-end (DMZ) server to the IP address of the back-end server. The drawback is that the front-end server will pass on any mail for the smarthosted domains, not just mail for addresses that have been mapped to mailboxes. As a result, mail sent to bogus addresses will bounce when the front-end server attempts to deliver it to the back-end server. To overcome this, the front-end server would be configured not to generate NDRs or Delivery Delay notifications (under the Properties of the SMTP connector).

The alternative (or extension) is to replicate some of the configuration from the back-end server to the front-end server, allowing the front-end server to reject attempts to send to invalid domain addresses.

This is achieved as follows:

1. Configure the respective postoffices and domains on the front-end (DMZ) server (Note: do not configure any mailboxes/addresses for the domains).

2. Initially (and periodically) copy the CONFIG\ADDRESS-MAP.TAB file to the front-end server (hence allowing the front-end server to know the addresses configured under the back-end server).

3. Once this is done, the front-end server will try to deliver to the local message store (via the postoffice connector). To prevent this, force/relay messages outbound via the SMTP connector. This can be done using the force route utility to force the delivery of local domains to the back-end server.
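
The periodic copy in step 2 can be scripted. The following PowerShell is an added example, not MailEnable's own tooling: it assumes the script runs on the back-end server and pushes the file outward, so the DMZ host needs no access to internal shares, and both default paths are placeholders to replace with your own.

```powershell
# Added example: push ADDRESS-MAP.TAB from the back-end server to the front-end (DMZ) server.
# Both default paths are placeholders (assumptions); substitute your own locations.
param(
    [string]$Source      = 'C:\PLACEHOLDER\MailEnable\CONFIG\ADDRESS-MAP.TAB',
    [string]$Destination = '\\FRONTEND-PLACEHOLDER\MEConfig$\ADDRESS-MAP.TAB'
)
$ErrorActionPreference = 'Stop'

function Get-Sha256([string]$Path) {
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

# Refuse to publish an empty map: the front-end would then know no addresses.
$src = Get-Item -LiteralPath $Source
if ($src.Length -eq 0) { throw "Source map '$Source' is empty; not copying." }

$srcHash = Get-Sha256 $Source

# Skip the copy when the front-end already holds identical content.
if ((Test-Path -LiteralPath $Destination) -and ((Get-Sha256 $Destination) -eq $srcHash)) {
    Write-Output "ADDRESS-MAP.TAB unchanged ($srcHash); nothing to do."
    return
}

# Stage next to the target, verify the staged copy, then swap it into place so the
# front-end is not left with a partially written file.
$staged = "$Destination.new"
Copy-Item -LiteralPath $Source -Destination $staged -Force
if ((Get-Sha256 $staged) -ne $srcHash) {
    Remove-Item -LiteralPath $staged -Force
    throw "Staged copy hash mismatch; front-end file left untouched."
}

# Keep the previous map so a bad push can be rolled back by hand.
if (Test-Path -LiteralPath $Destination) {
    Copy-Item -LiteralPath $Destination -Destination "$Destination.bak" -Force
}
Move-Item -LiteralPath $staged -Destination $Destination -Force
Write-Output "ADDRESS-MAP.TAB updated on front-end (SHA256 $srcHash)."
```

Running it from a scheduled task on the back-end server covers the "periodically" part of step 2; the firewall then only has to allow the back-end to write to that one location on the front-end server.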

MORE INFORMATION

MailEnable cannot authenticate with SMTP through CISCO PIX Firewalls: Article ME020159

How to configure the infrastructure required to host a mail server: Article ME020047



Product: MailEnable (All Versions)
Module: General
Keywords: firewall firewalled dmz back end backend back-end front end front-end dmz de
Class: INF: Product Information
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable