Quoting Kanwar Ranbir Sandhu <m3freak at rogers.com>:

> 1. Should I just leave mail storage on the same box in the DMZ?
> 2. If the answer to 1 is no, what's the best way to get mail from the
> SMTP server in the DMZ to an IMAP server in the internal network?
> Here's what I've briefly considered:

The decision on having mail storage in the DMZ or not is up to you and depends on your actual needs and security considerations (how sensitive the content of the emails is, and how disciplined the user population and/or 3rd parties are in using encryption, is just one thing to think about). I've read a previous response saying something along the lines of "if emails are sensitive, encrypt them". Easy to say and explain to the tech person. Try it with non-tech people who don't even work at your company (since those would be emails stored on your server).

If you decide you want storage inside, here are a couple of tips. Note that I'm mostly a sendmail guy, so you'll have to find postfix equivalents yourself.

Generally, I'd use SMTP to get emails from the DMZ into the internal network. Not a big fan of fetchmail for this kind of stuff. Fetchmail is a nice tool for individual users. But not for this kind of stuff.

In the DMZ, make sure you accept email only for existing email addresses. Any rejections you make, you want to make on your border mail server. This includes non-existing email addresses, as well as rejecting spam and virus infected messages. It will also save you some bandwidth, since (a) the body of messages is not transmitted (non-existing users case) and (b) your border mail server doesn't need to generate delivery notifications.

You can do this in many ways. At least with sendmail. I'll describe some. I'm not saying they are the best. It all depends on your local configuration and preferences.

For example, you can configure the border system to accept email for foobar.com. Then use virtusertable to map to some internal address so mails get pushed to the inside:

    user@foobar.com        user@internal.foobar.com
    @foobar.com            error:nouser No such user here

Note that this will be rewriting the envelope address, the one users don't see. The addresses in To/Cc/whatever headers remain as they were.

On the inside system, you'd configure it to accept email for foobar.com and internal.foobar.com. This is to avoid sending internal mail to the DMZ, and then having it come back inside. Then you can use virtusertable again (optional) to map addresses to user mailboxes:

    user@foobar.com            user
    user@internal.foobar.com   user
    @foobar.com                error:nouser No such user here
    @internal.foobar.com       error:nouser No such user here

Another, maybe simpler, way to do it would be using LDAP mail routing. I've no idea if postfix can do this. That way, all the information needed for mail delivery is centralized in one place, and you don't need to keep information on what email addresses exist and what mailboxes they correspond to on both internal and external server. Basically, you'd use LDAP to store information on where the heck the user's mailbox is. You would set the mailHost attribute to point to your internal email server. You would not set the mailRoutingAddress attribute. This would cause your external mail server to forward all email for existing email addresses to the internal host. Your internal host will figure out that mailHost points to itself, and deliver email to the mailbox. So you don't need to rewrite email addresses like when using virtusertable. There are a lot of options when configuring LDAP routing, so if you go that way, best is to first read and fully understand the documentation. Or you'll get unexpected results and will be generally disappointed.

Now, the remaining problem is what to do for people who want to access their email from outside. You probably don't want to allow direct POP3/IMAP connections from outside to your internal mail server.

You may consider several options here. Webmail would be a very nice approach in many cases. If you have lots of roaming laptop users that insist on using their favorite email client from home or when on the road, you might consider setting up a VPN for them. It kind of adds to the complexity. Especially if you don't need VPN for other stuff. On the other hand, if you already have a VPN, then you have the solution for accessing email from outside, right? Another solution might be setting up an IMAP proxy in the DMZ. But it is almost the same as allowing direct connections from the outside. So I'd leave it as a last resort.

It's kind of a longer answer. Just giving you a couple of hints. At the end, you might find some solution that better fits your needs. But at least it will give you a couple of ideas to explore.

-- 
NOTICE: If you are not the intended recipient, you are hereby notified that by reading this message you agreed not to disturb frogs during mating season. For more info, visit http://www.8-P.ca/
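The Postfix counterpart of the border setup described in the message above, added here as an example and not part of the original post: the DMZ relay accepts mail for foobar.com only for recipients listed in a map, rejects everything else at RCPT TO (before the body is sent and without generating a bounce on the border host), and hands accepted mail to the internal server over SMTP. The hostnames, file paths and the single listed user are assumptions.

```ini
# --- /etc/postfix/main.cf on the DMZ relay (added example; hostnames assumed) ---
myhostname = mx.foobar.com
# No local mailboxes in the DMZ: this host only relays.
mydestination =
# Domains this relay accepts inbound mail for.
relay_domains = foobar.com
# Authoritative list of existing recipients; with this map set, Postfix
# rejects unknown users in relay_domains during the SMTP dialogue.
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Where to push accepted mail: the internal server, by SMTP.
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient

# --- /etc/postfix/relay_recipients (build with: postmap /etc/postfix/relay_recipients) ---
# One line per valid address; anything not listed gets "550 User unknown".
user@foobar.com        OK

# --- /etc/postfix/transport (build with: postmap /etc/postfix/transport) ---
# Brackets skip the MX lookup and deliver straight to the named internal host.
foobar.com             smtp:[mail.internal.foobar.com]

# --- /etc/postfix/main.cf on the internal server (added example) ---
# Accept both names so internal mail never leaves for the DMZ and comes back.
mydestination = foobar.com, internal.foobar.com
# Optional, the equivalent of the second virtusertable: map addresses to mailboxes.
virtual_alias_maps = hash:/etc/postfix/virtual

# --- /etc/postfix/virtual on the internal server (build with: postmap /etc/postfix/virtual) ---
user@foobar.com            user
user@internal.foobar.com   user
```

Unlike the sendmail virtusertable, the Postfix relay does not need to rewrite the envelope recipient to reach the inside: the transport map decides the next hop while the address itself stays user@foobar.com.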