> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Thom Paine
> Sent: Monday, January 19, 2009 9:59 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Port Forwarding
>
> > In the case of the OP, I would urge him to evaluate if that network
> > topology really makes sense. Does it make sense having two hosts with
> > two different connections? In that case, does it make sense to run
> > services like mail/web servers on these hosts? Shouldn't they be
> > dedicated routers/firewalls instead? And do you really need to use
> > port forwarding connections to a host that is already directly
> > connected to the internet?
> >
>
> It doesn't necessarily make sense. This entire project doesn't make
> sense. The issue is that we are sending confidential patient records
> through a private network.

---------
It does make sense to me to do it the way you describe.

> Then they can check
> if the receiver should be receiving email in the first place. They

-----
Yes, that would be because of HIPAA Law Requirements. They have to do
that whether they want to or not.

See: hipaa.org and cms.hhs.gov/SecurityStandard/

> originally wanted to take control of my mail server, and I would pick
> mail up from them for all my users and I said no to that. We are
> retaining control of our network, and mail server and relaying all
> outbound mail out this new connection. Incoming mail will transfer as
> normal from all sources except from this private network which could
> have confidential patient records, and it needs to come in this new
> connection from an authenticated mail server to my box.

------
I hope you all are using some type of encryption. SSL?

> This project has been dragging out since 2007, and it's really getting
> on my nerves. They only want to deal with Exchange, and they have been
> sending instructions out for exchange, even though they know I am
> using Linux for my server.

----------
Probably been dragging out since October 07? Exchange Server is, you might
as well say, a lock-in for the health care entities. It is more of a total
groupware solution for mail, calendaring and such, where sendmail is not.

> I thought I was almost out of the woods until we started testing the
> port forwarding, and I've run into these hangups.
>
> I think option 2 will work best for me. The box and connection on
> y.y.y.y is strictly for communicating with this other mail server I
> need to relay out, and receive only patient records mail from. If I
> rewrite the packets to appear to be from 10.10.10.4 I think this will
> work.

-----
Forging packets is one solution to the problem, but then another arises
within, such as being compliant with HIPAA and packet forwarding. Although
I could not find anything relating to forwarding "EPHI" in the HIPAA rules,
it could become a problem later on down the road if the entity gets hit
with an E-Discovery for email. I would seek legal counsel for that.

> What would the best option for this be? I'm thinking I will have to
> stop using the gshield firewall that I used to use, and just write the
> rules manually in iptables because there will only be 1/2 a dozen or
> so and once they are written, they will be permanent.

--
Use a hardware router and firewall. Whatever you decide to do, document
all of it on paper. You can get audited!

> Thanks for the excellent replies.

JohnStanley
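The following is an added example, not code from the thread or from either poster. It sketches the "half a dozen" hand-written iptables rules that the setup above calls for: the relay box's dedicated private link (the thread's y.y.y.y) is used only for one partner mail server, inbound SMTP on that link is accepted from the partner's address alone and forwarded to the internal mail host, and the source is rewritten (the thread's "rewrite the packets" option) so the mail host answers back through the relay. Only 10.10.10.4 comes from the thread; the interface names and every other address are constructed placeholders, and the internal mail host address is assumed. The script emits an iptables-restore file rather than running iptables directly, so it can be reviewed and filed before it is loaded.

```shell
#!/bin/sh
# Added example: generate a minimal iptables-restore ruleset for a relay
# box that forwards partner SMTP from a dedicated private link to an
# internal mail host. Addresses other than 10.10.10.4 are constructed.

PRIVATE_IF="eth1"           # interface on the private partner link (assumed name)
INSIDE_IF="eth0"            # interface facing the internal LAN (assumed name)
PRIVATE_IP="198.51.100.2"   # this box's address on the private link (the thread's y.y.y.y, placeholder)
PARTNER_MX="198.51.100.10"  # the partner's authenticated mail server (placeholder)
MAIL_HOST="10.10.10.25"     # internal mail server that should receive the mail (assumed)
SNAT_SRC="10.10.10.4"       # source the thread wants forwarded packets rewritten to

# Print the ruleset in iptables-restore syntax (comment lines are ignored by it).
gen_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Forward SMTP from the partner MX arriving on the private link to the mail host
-A PREROUTING -i ${PRIVATE_IF} -s ${PARTNER_MX} -d ${PRIVATE_IP} -p tcp --dport 25 -j DNAT --to-destination ${MAIL_HOST}:25
# Rewrite the source so the mail host routes its replies back via this box
-A POSTROUTING -o ${INSIDE_IF} -d ${MAIL_HOST} -p tcp --dport 25 -j SNAT --to-source ${SNAT_SRC}
# Outbound relay from the mail host leaves the private link with this box's address
-A POSTROUTING -o ${PRIVATE_IF} -s ${MAIL_HOST} -d ${PARTNER_MX} -p tcp --dport 25 -j SNAT --to-source ${PRIVATE_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the partner MX may open SMTP to the mail host, and only via the private link
-A FORWARD -i ${PRIVATE_IF} -o ${INSIDE_IF} -s ${PARTNER_MX} -d ${MAIL_HOST} -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Only the mail host may relay out to the partner MX over the private link
-A FORWARD -i ${INSIDE_IF} -o ${PRIVATE_IF} -s ${MAIL_HOST} -d ${PARTNER_MX} -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Everything else arriving on the private link is logged, then dropped
-A INPUT -i ${PRIVATE_IF} -j LOG --log-prefix "PRIVLINK-DROP: "
-A INPUT -i ${PRIVATE_IF} -j DROP
-A FORWARD -i ${PRIVATE_IF} -j LOG --log-prefix "PRIVLINK-DROP: "
COMMIT
EOF
}

# Number of rule lines (-A ...) in the generated set; handy for the paper record.
rule_count() {
    gen_rules | grep -c '^-A'
}

# Usage: sh thisscript.sh print > /etc/sysconfig/iptables && service iptables restart
# Forwarding also needs net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
case "${1:-}" in
    print) gen_rules ;;
    count) rule_count ;;
esac
```

Two points worth noting against the thread's concerns. Because of the inbound SNAT, the mail host's own logs will show every partner connection as coming from 10.10.10.4, so the relay box's LOG lines and connection tracking are the only record of the real peer; keep them, since that is the trail an auditor will ask for. And the rules do nothing for confidentiality on the wire: encrypting the SMTP session (TLS between the two mail servers) is a separate step from forwarding it.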