How is internal mail channeled through an enterprise firewall?
If public mail servers are located in a DMZ, what is the procedure for channeling internal mail through the firewall?
To channel internal mail through the firewall, many organizations use a Simple Mail Transfer Protocol (SMTP
) relay server in the DMZ
. The enterprise email server (e.g. Microsoft Exchange) sits on an internal network and interacts with users. External parties wishing to send email via SMTP can connect to the SMTP relay system in the DMZ, which is listed as the mail exchanger in DNS. The SMTP relay then accepts -- or denies, according to policy -- inbound messages and relays them to the internal mail server.
Similarly, when the internal mail server receives a message destined for an external network, it accepts the message from the client and then passes it to a DMZ's SMTP relay. The relay then forwards the message to the destination server. This architecture prevents direct connections from the Internet to the internal mail server, providing a layer of isolation.
As an added bonus, you can use a spam-filtering device as your SMTP relay. Devices like SendMail's Sentrion appliances and the Barracuda spam firewall are popular tools that can reduce the spam-filtering burden on clients.
More information:Learn more about how to configure a DMZ.
When it comes to a DMZ setup, learn where enterprise users belong.
This was first published in August 2007