Implementation with a DMZ
Hi everyone, I'm new!
Please, set me in the right direction:
I'm currently looking to bring in Zimbra to replace a simple sendmail/pop3 setup. Currently everything is in the DMZ, but the general consensus here is that if Zimbra would be hosting internal documents and other sensitive, non-email items, it would be best to keep as much as possible in the internal network. We could easily allow smtp or lmtp to traverse the firewall inwards (either between the Zimbra MTA and the LMTP server on port 7025, or between an edge MTA relaying to a port 25 Postfix instance on the inside), but that fundamentally/theoretically compromises the DMZ.
The only (complicated) workaround I've thought up would be to let the edge MTA write to mbox/maildir on an nfs exported partition, mounting that partition from the inside and pulling the messages into a perl script to re-wrap them in smtp for delivery to the inside MTA. Or instead of doing this via mbox/maildir, writing a dummy smtp server that the edge mta could relay to that would accept mail and write the SMTP conversation to file on nfs, to be picked up on the other side and be simply replayed to the internal MTA. This is possible and wouldn't be too hard, but it doesn't seem like it's been done before, so it seems like it's the wrong path (and it's a serious kludge).
Has anyone faced this issue before? What is the best way to set this up securely?
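For readers weighing the store-and-forward idea above, here is what the "pull from the shared Maildir and re-wrap in SMTP" half of it looks like in practice. This is an added example written for this thread, not code from the original poster or from Zimbra. It assumes the edge MTA is Postfix (or anything that stamps `Return-Path` and `Delivered-To` on local delivery, which is how the envelope is recovered), that the Maildir lives on the shared export, and that the inside MTA accepts SMTP on a host/port you pass to `smtp_deliver`; the sample message and the recording deliverer in `demo()` are constructed so the script runs offline.

```python
"""Store-and-forward relay: replay Maildir messages from a shared spool
to an internal MTA over SMTP (added example, not the original post's code)."""
import os
import smtplib
import tempfile
from email.parser import BytesParser
from email.utils import getaddresses


def envelope_from_message(msg):
    """Recover an SMTP envelope from headers the edge MTA adds on delivery.

    Postfix writes Return-Path (envelope sender) and Delivered-To (envelope
    recipient) when it delivers into a Maildir. Falling back to From/To/Cc
    is lossy (Bcc recipients are gone), so prefer the delivery headers.
    """
    sender = msg.get("Return-Path") or msg.get("From") or ""
    sender = getaddresses([sender])[0][1] if sender else ""
    rcpts = [addr for _, addr in getaddresses(msg.get_all("Delivered-To", []))]
    if not rcpts:
        rcpts = [addr for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return sender, [r for r in rcpts if r]


def smtp_deliver(host, port=25):
    """Build a deliverer that hands the raw message to the inside MTA.
    host/port are assumptions: wherever the internal Postfix/Zimbra MTA listens."""
    def deliver(sender, rcpts, raw):
        with smtplib.SMTP(host, port, timeout=30) as smtp:
            smtp.sendmail(sender, rcpts, raw)
    return deliver


def relay_maildir(maildir, deliver):
    """Replay every message in maildir/new through deliver(), then move it to
    maildir/cur. Moving only after a successful delivery means a crash between
    the two steps can duplicate a message but never lose one, which is the
    right failure mode for a relay. Returns (delivered, skipped)."""
    new_dir = os.path.join(maildir, "new")
    cur_dir = os.path.join(maildir, "cur")
    os.makedirs(cur_dir, exist_ok=True)
    delivered = skipped = 0
    for name in sorted(os.listdir(new_dir)):
        path = os.path.join(new_dir, name)
        with open(path, "rb") as fh:
            raw = fh.read()
        msg = BytesParser().parsebytes(raw)
        sender, rcpts = envelope_from_message(msg)
        if not rcpts:
            skipped += 1  # nothing to deliver to; leave it in new/ for inspection
            continue
        deliver(sender, rcpts, raw)
        # Maildir convention: info suffix ":2,S" marks the message as seen
        os.rename(path, os.path.join(cur_dir, name + ":2,S"))
        delivered += 1
    return delivered, skipped


def demo():
    """Constructed sample: one message in a temporary Maildir, relayed to a
    recording deliverer instead of a live MTA."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "new"))
    sample = (b"Return-Path: <alice@example.net>\r\n"
              b"Delivered-To: bob@internal.example\r\n"
              b"From: Alice <alice@example.net>\r\n"
              b"To: bob@internal.example\r\n"
              b"Subject: relay test\r\n"
              b"\r\n"
              b"hello from the edge\r\n")
    with open(os.path.join(root, "new", "1.edge"), "wb") as fh:
        fh.write(sample)
    seen = []
    counts = relay_maildir(root, lambda s, r, raw: seen.append((s, r, raw)))
    return counts, seen


if __name__ == "__main__":
    print(demo()[0])  # (1, 0): one message replayed, none skipped
```

In production you would call `relay_maildir("/mnt/edge-spool/Maildir", smtp_deliver("inside-mta.example"))` from cron or a loop on the inside host. Two caveats worth keeping in view when judging the design: the inside host never opens a listener towards the DMZ, but the NFS export is itself a shared channel across the boundary, and the inside process parses attacker-controlled bytes, so it should run as an unprivileged account with the spool mounted read-write to that account only; and rebuilding the envelope from headers is only as good as what the edge MTA stamps on delivery.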