On Sun, 22.08.2004 at 19:02, Sanjay Arora wrote:
> - What are the risks associated with Directed Pinholing?
> - I assume as IPs can be spoofed but in that case cannot be routed back
> to the hacker, unless he has gotten root access on the DMZ server and
> has set up a reverse proxy of some sort? Especially, as the DMZ
> mailserver is in private address space 192.168.x.x and the firewall is
> port forwarding the smtp & http packets.
>
> People, please comment on this option.

If you have a "real" DMZ, your DMZ server is protected by a filtering router (at least). IP spoofing should be handled by that machine. A problem may arise when someone succeeds in compromising your DMZ host.

You can restrict incoming traffic on the firewall by originating IP (in your case: the DMZ server only), the port number, the protocol (UDP/TCP), the destination host (your green mail server), and some more subtle criteria (e.g. handling of truncated packets). So, just in case someone can compromise your DMZ server, the possible damage might be quite limited. You can narrow it down further if you don't use a monolithic SMTP server (like sendmail) on the green server.

Nevertheless, whether to open the firewall a little bit or not is a matter of risk management and risk evaluation. If your green server is a controller for nuclear weapons at the same time, it might be a good idea not to open it even just a little bit. In most other cases, even for a business with stronger security demands, the very limited risk should be tolerable compared to the problems with mail access and others.

By the way, the configuration described by Garry is a usual/standard configuration with a DMZ host which is the only one allowed to pass the firewall using well-defined ports and destinations. Usually you establish a DMZ just for that purpose.
Nevertheless (again), if the fetchmail solution as outlined by Steve does fulfil your needs, it might be a good idea not to "pinhole" your firewall - just in case ....

Peter
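As an added illustration of the narrow "pinhole" Peter describes (this is example code, not from the original thread or from any list member), the script below generates an iptables FORWARD rule set in which only the DMZ mail relay may open TCP/25 to the green mail server, packets claiming the relay's address on any other interface are dropped as spoofed, and everything else from orange to green is logged and dropped. Interface names (eth0/eth1/eth2) and the two 192.168.x.x addresses are assumptions; it covers only the DMZ-to-green leg, not the red-to-DMZ port forward. A lint function rejects any rule admitting a NEW connection without an explicit source host, destination host and port, and a deliberately too-wide rule set is included to show what it catches.

```shell
#!/bin/sh
# Added example (not from the original thread): generate and sanity-check a
# "directed pinhole" between a DMZ (orange) mail relay and the green mail server.
# All interface names and addresses below are hypothetical; override via env vars.
RED_IF="${RED_IF:-eth0}"        # Internet-facing interface (assumed)
GREEN_IF="${GREEN_IF:-eth1}"    # LAN interface (assumed)
ORANGE_IF="${ORANGE_IF:-eth2}"  # DMZ interface (assumed)
DMZ_MAIL="${DMZ_MAIL:-192.168.2.10}"     # DMZ SMTP relay (assumed address)
GREEN_MAIL="${GREEN_MAIL:-192.168.1.20}" # internal mail server (assumed address)

# The narrow rule set. Printed rather than executed so it can be reviewed first.
gen_rules() {
    cat <<EOF
iptables -N DMZ2GREEN
iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -j DMZ2GREEN
iptables -A FORWARD ! -i $ORANGE_IF -s $DMZ_MAIL -j DROP
iptables -A FORWARD -i $RED_IF -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A DMZ2GREEN -s $DMZ_MAIL -d $GREEN_MAIL -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A DMZ2GREEN -m limit --limit 5/min -j LOG --log-prefix "DMZ2GREEN-DROP "
iptables -A DMZ2GREEN -j DROP
EOF
}
# Explanation of the rules above, in order:
#  1-2. All orange->green traffic goes through its own chain so it is easy to audit.
#  3.   Anti-spoofing: the relay's address may only ever arrive on the DMZ interface.
#  4.   RFC 1918 sources never legitimately arrive from the Internet-facing side.
#  5.   Reply packets of connections already allowed are accepted.
#  6.   The pinhole itself: one source host, one destination host, one protocol, one port.
#  7-8. Anything else the relay tries (e.g. after a compromise) is logged and dropped.

# A deliberately too-wide rule set, for comparison: the whole DMZ may open anything
# to the whole green network. A compromised relay could then reach every green host.
gen_rules_wide() {
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ORANGE_IF -o $GREEN_IF -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# lint_rules GENERATOR: succeed only if every rule that admits a NEW connection
# names the expected source host, destination host and a destination port.
lint_rules() {
    ! "$1" | grep -- '--ctstate NEW' \
           | grep -v -- "-s $DMZ_MAIL .*-d $GREEN_MAIL .*--dport " \
           | grep -q .
}

# Count of ACCEPT rules; the narrow set has exactly two (established + pinhole).
count_accepts() {
    "$1" | grep -c -- '-j ACCEPT'
}

# Print the rule set for review; apply only when explicitly asked and running as root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    lint_rules gen_rules && gen_rules | sh
else
    gen_rules
fi
```

Run it as-is to print the rules; set APPLY=1 and run as root to load them. The anti-spoof rule in line 3 is what makes Sanjay's question about spoofed source addresses moot for this path: a packet from the red side carrying the relay's address is dropped before any ACCEPT rule is consulted, so spoofing only matters if the attacker is already on the DMZ host itself, which is exactly the case the single-host, single-port pinhole is meant to contain.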