Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1 (permalink)
11-16-2010, 09:40 AM
k_k
Active Member
Posts: 40
Question related to DMZ

Hi,

In our current setup, the mail server is connected to the internal network as shown below:


internet request --> Firewall --> Network load balancer --> zimbra mail server.


Our clients are using Outlook + Zimbra web mail.

The ports below are open to the internet:
25
465
993
995
443 --> for webmail
80 --> for antivirus update

We are supporting 1000 users with 2 different domains on a single-server installation, and maybe in future we will migrate to a multi-server installation for horizontal scalability.

Now our architecture team is suggesting moving the mail server to the DMZ network.
I have gone through a few DMZ-related posts in this forum.

I just need to understand: is this a best practice? And which things do we need to consider from a security aspect?

Please help.


Thanks in advance.
Reply With Quote
#2 (permalink)
11-22-2010, 12:57 AM
k_k
Active Member
Posts: 40

Can anyone please guide me on the same?
Reply With Quote
#3 (permalink)
11-22-2010, 03:33 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by k_k View Post
Can anyone please guide me on the same?

Why not ask your architecture team why they want to do that? As far as I'm concerned, putting any server in the DMZ is the same as putting it on an exposed internet IP address and totally insecure; you need to (very) carefully consider what needs to be done. If you don't know what you're doing, I'd advise you to get some expert advice on setting up a server in a DMZ.

You could also start with some articles from the internet:

SolutionBase: Deploying a DMZ on your network
+"best practice" +dmz +"mail server" - Yahoo! Search Results
__________________
Regards


Bill
Reply With Quote
#4 (permalink)
11-22-2010, 06:19 AM
Moderator
Posts: 7,928

If you are wishing to use a DMZ then go for a multi-server setup and proxy connections through to the backend. I am guessing your architecture team are trying to eliminate an attack vector by moving the server outside of the internal network.
__________________
Reply With Quote
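
The two layouts discussed in this thread, as an added example that is not part of the original posts or any poster's code: a small rule audit that flags the single-server layout from post #1 and accepts the proxied multi-server layout suggested in post #4. The zone names, the `Rule` type, the backend port set and the outbound port-80 rule are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # zone the connection starts in
    dst: str   # zone the connection ends in
    port: int  # TCP destination port

# Inbound ports listed in the first post of the thread.
PUBLIC_PORTS = {25, 465, 993, 995, 443}
# Assumed proxy-to-mailstore ports (constructed; confirm against your own deployment).
BACKEND_PORTS = {7025, 8080, 7143, 7993, 7110, 7995}

def audit(rules):
    """Return one finding per rule that breaks the proxied-DMZ layout."""
    findings = []
    for r in rules:
        if r.src == "internet" and r.dst == "internal":
            findings.append(f"{r.port}/tcp: internet reaches internal zone directly")
        elif r.src == "internet" and r.dst == "dmz" and r.port not in PUBLIC_PORTS:
            findings.append(f"{r.port}/tcp: unexpected port published on the DMZ")
        elif r.src == "dmz" and r.dst == "internal" and r.port not in BACKEND_PORTS:
            findings.append(f"{r.port}/tcp: DMZ host may open a non-mail port inward")
    return findings

# Layout from the first post: the mail server sits in the internal network.
SINGLE_SERVER = [Rule("internet", "internal", p) for p in sorted(PUBLIC_PORTS)]

# Layout suggested in the reply: proxy in the DMZ, mailstore behind it.
PROXIED = (
    [Rule("internet", "dmz", p) for p in sorted(PUBLIC_PORTS)]
    + [Rule("dmz", "internal", p) for p in sorted(BACKEND_PORTS)]
    + [Rule("dmz", "internet", 80)]  # assumed outbound antivirus update fetch
)

if __name__ == "__main__":
    for name, rules in (("single-server", SINGLE_SERVER), ("proxied DMZ", PROXIED)):
        print(name, audit(rules) or "no findings")
```

The same function can be run over an exported firewall rule list once it is mapped to the three zones, so that any later rule letting the DMZ host open other ports inward shows up as a finding.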