Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] OT: General question about dmz and email gateways

Kristian Davies wrote:
> Just wondering what is considered best practice/thoughts of email setups.
>
> 1) SMTP gateway sits in the DMZ for the company and forwards mail
> through a pinhole to the email server in the inside network and vice
> versa. The gateway might deal with spam and av issues.
>
> 2) Machine on the inside does everything, external servers connect
> directly. Internal machine does AV/SPAM, pop3 for internal users et
> al...
>
> btw this is a 450 person company.
>
> I would have thought option two would be a 9 on the risk/load scale?
>
> Thoughts...?
>
> Cheers
> Kristian
>
Perhaps the way to go with older, less flexible MTAs and the CPU speeds and
storage limitations of years past.

But with Exim's capability set, and on any decent modern hardware, the
single-server is NOT all that risky, is far easier to set up, control, and
troubleshoot, and should be rather lightly loaded with 4,500 users, let alone 450.

As soon as you introduce an extra relay, you start having to deal with whether
both can (always) 'see' the same list of users, what happens in the way of
adding/subtracting/altering/preserving header information, how/when/if you
manage DSN/bounces, what you do about forwarding, vacation notices....

All done many times, plenty of examples here - but IMNSHO, more appropriate to
an ISP with 45,000 users than a company with 450, where even the scanning/AV
load should not pose a problem.

JMCW, but it would seem to make more sense to put similar resources into good
backup - perhaps even a 'cloned' hot-standby, and by all means RAID, even if it
is 'software' IDE RAID.

Exim doesn't need external help to filter very, very flexibly and still carry a
load well.