From: Wietse Venema (no email)
Date: Fri Jan 02 2004 - 20:27:06 EST
Thor Skaalheim:
> Greg A. Woods wrote:
> >Personally I would never ever even dream of running a mail server
> > behind a NAT. This is far from the only problem you'll encounter.
>
> Every mail server I've ever run has been behind a NAT. What problems
> should I be afeared of?

And I am glad to say that I operated all mail servers without NAT.

With NAT, things become interesting when you provide backup MX
service, and end up connecting to your own public address when the
primary is because you didn't bother to set up a split DNS for
lookups by internal and external systems (which is why Postfix has
this horrible proxy_interfaces kludge).

Depending on the quality of implementation and operation, connections
can fail because of trashed ICMP or other feedback; an under-powered
box can run out of NAT table space with a high-powered MTA that
generates lots of TCP and DNS "session" state. On the positive
side, under-powered NAT boxes are great for breaking worms.

Wietse
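
The backup MX case described above, as an added example that is not part of the original message and is not Postfix code: a simplified Python model of MX-list pruning on a NATed backup MX. The host names, addresses and function names are constructed; adding the NAT box's public address to the MTA's own address set stands in for what proxy_interfaces declares.

```python
# Simplified model of how an MTA picks the next hop from an MX list.
# Constructed data: documentation/private address ranges, example.com names.

def delivery_candidates(mx_records, own_addresses):
    """Return MX host names this MTA may relay to, most preferred first.

    mx_records    -- list of (preference, hostname, ip) as seen in public DNS
    own_addresses -- addresses the MTA recognises as itself
    Per RFC 5321, a relay that finds itself in the MX list must discard its
    own record and every record with an equal or higher preference number.
    """
    ordered = sorted(mx_records)
    own_prefs = [pref for pref, _, ip in ordered if ip in own_addresses]
    if not own_prefs:
        # The MTA does not recognise itself, so nothing is pruned.
        return [host for _, host, _ in ordered]
    cutoff = min(own_prefs)
    return [host for pref, host, _ in ordered if pref < cutoff]


def next_hop(mx_records, own_addresses, unreachable):
    """First reachable candidate, or None when the mail must be deferred."""
    for host in delivery_candidates(mx_records, own_addresses):
        if host not in unreachable:
            return host
    return None


# Public DNS view: mx2 is this machine, published under the NAT box's address.
MX = [
    (10, "mx1.example.com", "198.51.100.5"),
    (20, "mx2.example.com", "192.0.2.10"),
]
LOCAL = {"10.0.0.25"}          # address actually bound behind the NAT
NAT_PUBLIC = {"192.0.2.10"}    # public address the NAT box forwards to us
PRIMARY_DOWN = {"mx1.example.com"}

if __name__ == "__main__":
    # Without knowledge of the public address the backup picks itself: a loop.
    print("NAT address unknown:", next_hop(MX, LOCAL, PRIMARY_DOWN))
    # With the public address declared, the mail is deferred instead.
    print("NAT address declared:", next_hop(MX, LOCAL | NAT_PUBLIC, PRIMARY_DOWN))
```

A split DNS that gives internal systems the private address for mx2 has the same effect on the pruning step, since the MX address then matches an address the MTA already knows as its own.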