RE: Protecting an Exchange server?

From: Chris Santerre (csanterre_at_MerchantsOverseas.com)
Date: 05/18/04

    To: "'Jose Enrique Diaz Jolly'" <enrique.diaz@cbbanorte.com.mx>, "Mark G. Spencer" <mspencer@evidentdata.com>, security-basics@securityfocus.com
    Date: Tue, 18 May 2004 11:33:59 -0400
    
    

    Jose's recommendations below are quite good. We use a Sendmail box in a DMZ. Of
    course I use SpamAssassin. (See link in sig!) Email has to go through the firewall
    twice before entering the internal Exchange server. IMHO no Microsoft box should
    ever be attached directly to the internet.

    You can set up aliases to users, then a static route to the internal server. This
    way you don't have to have actual users on the outside box, and the outside
    box will handle rejections. There are a few other neat things you can do as
    well ;)

    Jose, I'm interested in your secure OWA setup. Is there more info you can
    send me off list? Currently users outside the company have to VPN in to
    check email. I'd rather just shut that off :)

    Chris Santerre
    System Admin and SARE Ninja
    http://www.rulesemporium.com
    'It is not the strongest of the species that survives,
    not the most intelligent, but the one most responsive to change.'
    Charles Darwin

    >-----Original Message-----
    >From: Jose Enrique Diaz Jolly [mailto:enrique.diaz@cbbanorte.com.mx]
    >Sent: Saturday, May 15, 2004 1:51 PM
    >To: Mark G. Spencer; security-basics@securityfocus.com
    >Subject: RE: Protecting an Exchange server?
    >Importance: High
    >
    >Sure, there are several methods; some of them are expensive in cash, others
    >in time and fine tuning.
    >
    >We have a strong policy against exposing any one whose surname is
    >Microsoft to the internet. So we have made different schemas for
    >different services.
    >
    >For SMTP we have an SMTP server, sendmail on a linux box with some
    >filters on it like Spamassassin, bogofilter etc. This server verifies if
    >the destination address is a real recipient using some of sendmail's
    >LDAPRouting features against the inside network's Active Directory. We
    >only have a single cluster with Exchange so I don't need the ability to
    >route mail towards different servers to reach the recipient's mailbox.
    >This allows me to ensure that any generated "rejection" is made by
    >my linux box which is on my DMZ. No Exchange is "announced". Then,
    >instead of LDAPRouting, I pass (deliver) all mail to an inside server which
    >has all the TrendMicro Security Suite, AntiSPAM and AntiVirus software
    >which finally delivers to the actual Exchange. On the other hand
    >outgoing mail is delivered to another box (smart relay) which also has
    >sendmail on linux.
    >
    >The other feature is serving OWA. We revised MS' recommendation about
    >serving OWA securely with an ISA server but I was not satisfied, so we
    >started to work on a reverse proxy (a reverse proxy is a proxy by
    >another name) built with Apache, again on a linux box. Using some
    >features such as rewrite and proxypass I can serve OWA without
    >announcing my OWA server or letting it be seen.
    >
    >> -----Original Message-----
    >> From: Mark G. Spencer [mailto:mspencer@evidentdata.com]
    >> Sent: Thursday, May 13, 2004 12:52 PM
    >> To: security-basics@securityfocus.com
    >> Subject: Protecting an Exchange server?
    >>
    >> Hello,
    >>
    >> I'm wondering if there is any way to locate an Exchange
    >> server on my internal network and place some kind of email
    >> appliance on our DMZ to actually send and receive email to
    >> the world and to the Exchange server on my internal network?
    >>
    >> Basically, I don't want my Exchange server to be accessible
    >> to the world in any way.
    >>
    >> So ..
    >>
    >> Internet -> My Email Appliance -> Firewall -> Exchange Server
    >>
    >> I envision setting up a dedicated route in the firewall
    >> between the email appliance out on the Internet and my
    >> Exchange server behind the firewall on my local network?
    >>
    >> Are there any email appliances that can work with Exchange in
    >> this way?
    >> It's my (limited) understanding that Exchange server can't
    >> "pop" to another email server to pull each Exchange user's
    >> email, so I'm not sure exactly how or if my plan could be put
    >> into action.
    >>
    >> Thanks,
    >>
    >> Mark
    >>

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
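Added example, not code from the thread: a small model of the two DMZ-fronting behaviours the posts describe. The relay function plays the role of the sendmail box that checks each recipient against the inside directory (Jose's LDAPRouting against Active Directory, Chris's aliases on the outside box), rejects unknown users and foreign domains itself, and routes accepted mail along a fixed route to one inside host; the second function does what Apache's ProxyPassReverse does for the OWA reverse proxy, rewriting a backend redirect so the inside hostname is never announced. All hostnames, addresses and the directory are constructed stand-ins, and the dictionary lookup stands in for the real LDAP query.

```python
"""DMZ mail gateway decisions in front of an internal Exchange server.

Added example, not code from the thread. Hosts, addresses and the directory
below are constructed stand-ins; the dict lookup replaces the LDAP query.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the Active Directory lookup: mail address -> account.
DIRECTORY: Dict[str, str] = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}

# Aliases kept on the DMZ box so no real mailboxes or accounts live there.
ALIASES: Dict[str, str] = {
    "sales@example.com": "alice@example.com",
    "postmaster@example.com": "bob@example.com",
}

LOCAL_DOMAINS = {"example.com"}
INSIDE_RELAY = "mail-in.corp.example.internal"  # constructed static-route target


@dataclass(frozen=True)
class Decision:
    action: str                      # "relay" or "reject"
    smtp_code: int                   # code returned to the sending MTA
    reply: str                       # text returned to the sending MTA; names nothing internal
    next_hop: Optional[str] = None   # internal only: where accepted mail is handed off


def decide_rcpt(rcpt: str,
                directory: Dict[str, str] = DIRECTORY,
                aliases: Dict[str, str] = ALIASES) -> Decision:
    """Decide an RCPT TO at the DMZ relay, before anything reaches Exchange."""
    addr = rcpt.strip().strip("<>").lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        return Decision("reject", 501, "5.1.3 bad recipient address syntax")
    _localpart, domain = addr.rsplit("@", 1)
    if domain not in LOCAL_DOMAINS:
        # Refuse mail for other domains so the gateway is never an open relay.
        return Decision("reject", 550, "5.7.1 relaying denied")
    addr = aliases.get(addr, addr)
    if addr not in directory:
        # Unknown mailbox: bounce here at the edge, so Exchange never generates
        # the rejection and no backscatter or inside hostname leaks out.
        return Decision("reject", 550, "5.1.1 user unknown")
    # Known recipient: accept and hand off along the fixed route to one inside host.
    return Decision("relay", 250, "2.1.5 recipient ok", next_hop=INSIDE_RELAY)


PUBLIC_OWA = "https://owa.example.com"                 # constructed name on the DMZ proxy
INSIDE_OWA = "https://owa-int.corp.example.internal"   # constructed inside OWA server


def rewrite_location(location: str, inside: str = INSIDE_OWA, public: str = PUBLIC_OWA) -> str:
    """What Apache's ProxyPassReverse does for a Location header: if the backend
    redirects to its own (hidden) name, rewrite the URL to the public name so the
    client only ever learns the proxy's address."""
    target = urlsplit(location)
    if target.netloc.lower() != urlsplit(inside).netloc.lower():
        return location  # points elsewhere; pass through unchanged
    pub = urlsplit(public)
    return urlunsplit((pub.scheme, pub.netloc, target.path, target.query, target.fragment))


if __name__ == "__main__":
    for rcpt in ("<Alice@Example.com>", "sales@example.com",
                 "nobody@example.com", "victim@example.net", "broken"):
        d = decide_rcpt(rcpt)
        print(f"RCPT TO:{rcpt:<22} -> {d.smtp_code} {d.reply}"
              + (f"  (next hop {d.next_hop})" if d.next_hop else ""))
    print(rewrite_location("https://owa-int.corp.example.internal/exchange/?cmd=contents"))
```

The point of keeping `next_hop` out of the SMTP reply is the one Jose makes: every rejection a sender sees comes from the DMZ box, and nothing in the reply text names the inside relay or Exchange. The same goes for the proxy: a redirect from the backend that still carried `owa-int.corp.example.internal` would announce the server the proxy exists to hide, so it is rewritten before it leaves the DMZ.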

