Security Basics mailing list archives
Re: Protecting an Exchange server?
From: Brian Keefer <chort () amaunetsgothique com>
Date: 15 May 2004 01:08:09 -0700
On Thu, 2004-05-13 at 10:51, Mark G. Spencer wrote:
Hello, I'm wondering if there is any way to locate an Exchange server on my internal network and place some kind of email appliance on our DMZ to actually send and receive email to the world and to the Exchange server on my internal network? Basically, I don't want my Exchange server to be accessible to the world in any way.

Internet -> My Email Appliance -> Firewall -> Exchange Server

I envision setting up a dedicated route in the firewall between the email appliance out on the Internet and my Exchange server behind the firewall on my local network?
You're describing exactly what several available commercial products do. The company I work for (CipherTrust) provides an e-mail security appliance that filters everything from viruses and spam to policy violations and dangerous attachments (and does tons of other stuff, like encryption, etc). We aren't the only one (although we were the first). Several other companies make solutions that are somewhat similar. Google is your friend there.

You can also provide the same functionality with some blend of BSD/Linux/UNIX running Postfix/Qmail/Sendmail and MIME::Defang, ClamAV, SpamAssassin, etc...

Basically the static NAT that is right now pointing to your Exchange server would point to your security gateway instead. The security gateway would accept e-mail on port 25, filter it, and pass the remaining mail to Exchange via SMTP.

Some of the commercial solutions (such as ours) offer the ability to quarantine suspicious e-mail on the appliance and potentially allow users to release it. There are also some quarantine solutions available for Open Source software as well (although now you're getting into a really complex project).

On Exchange, point your "smarthost" entry to the security gateway (instead of "use DNS"), that is if your gateway can also scan outbound mail (for viruses and policy violations).

--
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com
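The relay topology described in the message above, sketched as a Postfix gateway configuration. This is an added example, not part of the original message or any vendor's product; the domain example.com, the Exchange address 10.0.0.25 and the file paths are assumptions, and the filtering stage (virus and spam scanning) is left out.

```conf
# /etc/postfix/main.cf on the DMZ gateway (constructed example)
# Assumed: mail domain example.com, Exchange server at 10.0.0.25 (internal LAN)

myhostname = mail.example.com
inet_interfaces = all

# The gateway holds no mailboxes: it only relays.
mydestination =
local_recipient_maps =

# Inbound: accept mail for the domain and pass it to Exchange via SMTP.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the edge, so the gateway never accepts
# mail that Exchange would later bounce to a forged sender.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Outbound: only the Exchange server (using this host as its smarthost)
# may relay to the Internet through the gateway.
mynetworks = 127.0.0.0/8, 10.0.0.25/32

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/transport (then run: postmap /etc/postfix/transport) ---
# Brackets suppress the MX lookup, so delivery goes straight to Exchange.
# example.com    smtp:[10.0.0.25]:25

# --- /etc/postfix/relay_recipients (then run: postmap on the file) ---
# One line per valid mailbox, exported from the Exchange directory.
# user@example.com    OK

# --- Firewall rules this layout needs (all TCP port 25) ---
# Internet -> gateway    allow   (the static NAT now points here)
# gateway  -> Exchange   allow   (filtered inbound mail)
# Exchange -> gateway    allow   (outbound mail via the smarthost)
# Internet -> Exchange   deny    (Exchange is never reachable directly)
```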