RE: Exchange2K/DMZ

From: Robert Schwartz (robert@mrsquirrel.com)
Date: 07/14/02


From: "Robert Schwartz" <robert@mrsquirrel.com>
To: <focus-ms@securityfocus.com>
Date: Sun, 14 Jul 2002 10:26:29 -0700

Many have recommended using a UNIX server with an SMTP server on it in
your DMZ to protect Exchange. This doesn't mean Exchange SMTP is
vulnerable to anything, but it is Defense in Depth and multiple layers
of security based on different vendor products. These are all Good
Things(tm).

Many of these same people then show how you need to open tons of holes
on your DMZ firewall. Most security policies call for "one well known
port coming in and one well known port going out". Why not use a UNIX
server with some Web Mail variant on it to "protect" Exchange here too?

OWA is way more dangerous than SMTP. I'd say the risk you accept by
putting a full-bore Front-End server with OWA on your DMZ is at least 10
times the risk for a Microsoft SMTP server on the DMZ with one
well-known port coming in and one well-known port going out.

If you used something like http://www.squirrelmail.org/ then you get web
mail from a different vendor than your email servers and you get Defense
in Depth as there are multiple hosts and systems with extra defense on
the perimeter. There is one well known port (HTTPS) coming in, and one
well known port (IMAP) going out. The only functionality you lose is
that the proprietary MS calendaring can't be displayed this way.

> -----Original Message-----
> From: Nicole Tutt [mailto:Nicolet@meddata.com]
> Sent: Wednesday, July 10, 2002 3:46 PM
> To: focus-ms@securityfocus.com
> Subject: Exchange2K/DMZ
>
>
> The LAN Administrator set up an Exchange server and placed it
> inside the firewall - opening ports for SSL and SMTP to the
> Exchange box from the outside world. I want to move the
> Exchange services to the DMZ. I'm not that familiar with
> Exchange 2k specifically but am used to being able to split
> out services from mail servers (i.e. put WebAccess and SMTP
> gateways) and place vulnerable items in the DMZ or if not
> place the whole Exchange server in the DMZ. The LAN admin is
> concerned because the Exchange server has to see the domain
> controller on the inside net. How have others handled this setup?
>
> Thanks in advance
> Nicole
>
>
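The "one well known port in, one well known port out" design from the message above, modelled as a default-deny firewall policy so the two options can be compared. This is an added example, not code from the original post, from SquirrelMail or from Microsoft. Host names, zone names and the rule lists are constructed for illustration; the port list for the Exchange front-end design (HTTP to the back-end plus LDAP, global catalog, Kerberos, RPC endpoint mapper and DNS to the domain controller, with the dynamic RPC range left out) is the usual set such a server needs and is assumed here to show why the poster calls it "tons of holes".

```python
"""Three-zone DMZ policy model: INTERNET -> DMZ -> INTERNAL, default deny."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # zone name or host name
    dst: str            # zone name or host name
    port: int           # destination port
    proto: str = "tcp"


# Constructed names (hypothetical, not from the original post).
INTERNET = "INTERNET"
WEBMAIL = "dmz-webmail"      # UNIX box running SquirrelMail
RELAY = "dmz-smtp"           # UNIX box running an SMTP relay
FRONTEND = "dmz-exch-fe"     # the alternative: Exchange front-end with OWA in the DMZ
EXCHANGE = "int-exchange"    # Exchange 2000 back-end on the internal LAN
DC = "int-dc"                # domain controller on the internal LAN

ZONE = {
    INTERNET: "INTERNET",
    WEBMAIL: "DMZ", RELAY: "DMZ", FRONTEND: "DMZ",
    EXCHANGE: "INTERNAL", DC: "INTERNAL",
}

# Design recommended in the message: one port in, one port out per DMZ host.
SQUIRRELMAIL_RULES = [
    Rule(INTERNET, WEBMAIL, 443),    # HTTPS in from the Internet
    Rule(WEBMAIL, EXCHANGE, 143),    # IMAP out to Exchange
    Rule(INTERNET, RELAY, 25),       # SMTP in from the Internet
    Rule(RELAY, EXCHANGE, 25),       # inbound mail handed to Exchange
    Rule(EXCHANGE, RELAY, 25),       # outbound mail leaves via the relay
    Rule(RELAY, INTERNET, 25),       # relay delivers to the Internet
]

# Alternative design: Exchange front-end in the DMZ (assumed typical port set).
FRONTEND_RULES = [
    Rule(INTERNET, FRONTEND, 443),   # OWA over HTTPS
    Rule(FRONTEND, EXCHANGE, 80),    # front-end proxies HTTP to the back-end
    Rule(FRONTEND, DC, 389),         # LDAP
    Rule(FRONTEND, DC, 3268),        # global catalog
    Rule(FRONTEND, DC, 88),          # Kerberos
    Rule(FRONTEND, DC, 135),         # RPC endpoint mapper (dynamic RPC range omitted)
    Rule(FRONTEND, DC, 53, "udp"),   # DNS
]


def allowed(rules, src, dst, port, proto="tcp"):
    """Default deny: a flow passes only if an explicit rule matches it exactly."""
    return Rule(src, dst, port, proto) in rules


def dmz_exposure(rules):
    """Per DMZ host: (ports reachable from the Internet, ports it may open into INTERNAL)."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for r in rules:
        if ZONE.get(r.src) == "INTERNET" and ZONE.get(r.dst) == "DMZ":
            inbound[r.dst].add(r.port)
        if ZONE.get(r.src) == "DMZ" and ZONE.get(r.dst) == "INTERNAL":
            outbound[r.src].add(r.port)
    hosts = set(inbound) | set(outbound)
    return {h: (frozenset(inbound[h]), frozenset(outbound[h])) for h in hosts}


def one_in_one_out_violations(rules):
    """DMZ hosts that need more than one port in from the Internet or out to the LAN."""
    return sorted(h for h, (i, o) in dmz_exposure(rules).items()
                  if len(i) > 1 or len(o) > 1)


if __name__ == "__main__":
    for name, rules in (("squirrelmail", SQUIRRELMAIL_RULES), ("frontend", FRONTEND_RULES)):
        print(name, dmz_exposure(rules), "violations:", one_in_one_out_violations(rules))
    # The webmail host can reach Exchange on IMAP but nothing on the domain controller.
    print(allowed(SQUIRRELMAIL_RULES, WEBMAIL, EXCHANGE, 143),
          allowed(SQUIRRELMAIL_RULES, WEBMAIL, DC, 389))
```

The point the check makes is the one the LAN admin raised in the quoted question: a DMZ webmail host that talks IMAP to Exchange never needs to see the domain controller, whereas an Exchange front-end does, and every one of those extra rules is a path from a compromised DMZ box into the directory.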
