RE: Exchange2K/DMZ

From: Gene Gomez (gegomez@tycoint.com)
Date: 07/11/02


From: "Gene Gomez" <gegomez@tycoint.com>
To: "Nicole Tutt" <Nicolet@meddata.com>
Date: Thu, 11 Jul 2002 07:18:00 -0700

I'm assuming that by "opening ports for SSL and SMTP" below, you mean HTTPS
(for OWA) and SMTP.
My favorite is setting up a Sendmail bridgehead server in the DMZ. You only
need two services running:
1. Sendmail: Just set this guy up to forward ALL mail into the Exchange
server by punching tcp/25 from the sendmail system to the Exchange system.
2. Port forwarder: You can approach this one of two ways. Either use
stunnel (SSL comes into this system, is decrypted and forwarded in to the
Exchange OWA system) and punch tcp/80 through the firewall from sendmail to
Exchange, or ipchains (packets are SNATed to Exchange OWA and are encrypted
end-to-end) and punch tcp/443 through.
Of course, there are other neat things you can do with this setup. You can
run anti-spam rules on the bridgehead, anti-virus, or whatever you want.

HTH,
Gene
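The bridgehead layout Gene describes, as an added example that is not part of the original post: a POSIX shell script that renders the configuration for both variants (sendmail handing tcp/25 to Exchange; stunnel terminating TLS and forwarding to OWA on tcp/80, or NAT passing tcp/443 through untouched) and lists the only two flows the firewall should allow from the bridgehead to the inside. The mail domain, addresses, certificate path, and the use of iptables DNAT/SNAT in place of the ipchains forwarding mentioned in the post are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): render the config for a DMZ
# sendmail/stunnel bridgehead in front of an inside Exchange 2000 server.
# All addresses, the domain and the file paths are assumed placeholders.
set -eu

MAIL_DOMAIN="example.com"    # assumed: the domain Exchange serves
EXCHANGE_IP="10.0.1.5"       # assumed: Exchange box on the inside net
BRIDGEHEAD_IP="192.0.2.10"   # assumed: sendmail host in the DMZ

# 1. Sendmail: accept mail for the domain and hand every message to Exchange
#    on tcp/25. Square brackets skip the MX lookup, so sendmail connects to
#    the Exchange host directly instead of resolving MX for the domain.
render_mailertable() {
    printf '%s\tsmtp:[%s]\n' "$MAIL_DOMAIN" "$EXCHANGE_IP"
}

# access.db: relay only for our own domain, so the DMZ host is not an open
# relay for the rest of the Internet.
render_access() {
    printf 'To:%s\tRELAY\n' "$MAIL_DOMAIN"
}

# sendmail.mc features that enable both maps (rebuild sendmail.cf and run
# makemap on both files afterwards). Anti-spam/anti-virus milters or DNSBL
# checks would be added here on the bridgehead, never on Exchange.
render_sendmail_mc() {
    cat <<'EOF'
FEATURE(`mailertable')dnl
FEATURE(`access_db')dnl
EOF
}

# 2a. stunnel variant: TLS terminates on the bridgehead and OWA is reached in
#     clear on tcp/80, so only tcp/80 bridgehead->Exchange must be opened.
render_stunnel_conf() {
    cat <<EOF
cert = /etc/stunnel/owa.pem
[owa]
accept = ${BRIDGEHEAD_IP}:443
connect = ${EXCHANGE_IP}:80
EOF
}

# 2b. NAT variant: tcp/443 is forwarded unmodified, so TLS stays end-to-end
#     between the client and Exchange. iptables DNAT is assumed here in place
#     of ipchains; the SNAT rule makes replies return via the bridgehead when
#     Exchange's default route does not already point that way.
render_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING  -d ${BRIDGEHEAD_IP} -p tcp --dport 443 -j DNAT --to-destination ${EXCHANGE_IP}:443
iptables -t nat -A POSTROUTING -d ${EXCHANGE_IP}   -p tcp --dport 443 -j SNAT --to-source ${BRIDGEHEAD_IP}
EOF
}

# The inside port the firewall must "punch" for OWA depends on the variant;
# tcp/25 is needed in both cases.
owa_inside_port() {
    case "$1" in
        stunnel) echo 80 ;;
        nat)     echo 443 ;;
        *) echo "unknown variant: $1" >&2; return 1 ;;
    esac
}

# DMZ->inside policy in a vendor-neutral form: exactly two allowed flows from
# the bridgehead, everything else from it denied. Nothing else in the DMZ
# needs to reach the domain controller.
render_inside_acl() {
    owa="$(owa_inside_port "$1")"
    printf 'allow tcp %s -> %s port 25\n' "$BRIDGEHEAD_IP" "$EXCHANGE_IP"
    printf 'allow tcp %s -> %s port %s\n' "$BRIDGEHEAD_IP" "$EXCHANGE_IP" "$owa"
    printf 'deny  any %s -> any\n' "$BRIDGEHEAD_IP"
}

# Usage: ./bridgehead.sh render stunnel   (or: render nat)
case "${1:-}" in
    render)
        variant="${2:-stunnel}"
        echo "# mailertable";  render_mailertable
        echo "# access";       render_access
        echo "# sendmail.mc";  render_sendmail_mc
        if [ "$variant" = stunnel ]; then
            echo "# stunnel.conf"; render_stunnel_conf
        else
            echo "# nat rules";    render_nat_rules
        fi
        echo "# inside firewall"; render_inside_acl "$variant"
        ;;
esac
```

Run it with `render stunnel` or `render nat` and feed the pieces to the respective files; whichever variant is used, the inside firewall ends up with only tcp/25 and one OWA port from the bridgehead address, and the Exchange box itself never listens to the outside world.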

-----Original Message-----
From: Nicole Tutt [mailto:Nicolet@meddata.com]
Sent: Wednesday, July 10, 2002 3:46 PM
To: focus-ms@securityfocus.com
Subject: Exchange2K/DMZ

The LAN Administrator set up an Exchange server and placed it inside the
firewall - opening ports for SSL and SMTP to the Exchange box from the
outside world. I want to move the Exchange services to the DMZ. I'm not
that familiar with Exchange 2k specifically but am used to being able to
split out services from mail servers (i.e. put WebAccess and SMTP gateways)
and place vulnerable items in the DMZ or, if not, place the whole Exchange
server in the DMZ. The LAN admin is concerned because the Exchange server
has to see the domain controller on the inside net. How have others handled
this setup?

Thanks in advance
Nicole


