Security Basics mailing list archives

Re: Protecting an Exchange server?


From: Brian Keefer <chort () amaunetsgothique com>
Date: 15 May 2004 01:08:09 -0700

On Thu, 2004-05-13 at 10:51, Mark G. Spencer wrote:
> Hello,
> 
> I'm wondering if there is any way to locate an Exchange server on my
> internal network and place some kind of email appliance on our DMZ to
> actually send and receive email to the world and to the Exchange server on
> my internal network?
> 
> Basically, I don't want my Exchange server to be accessible to the world in
> any way.
> 
> Internet -> My Email Appliance -> Firewall -> Exchange Server
> 
> I envision setting up a dedicated route in the firewall between the email
> appliance out on the Internet and my Exchange server behind the firewall on
> my local network?

You're describing exactly what several available commercial products
do.  The company I work for (CipherTrust) provides an e-mail
security appliance that filters everything from viruses and spam to
policy violations and dangerous attachments (and does tons of other
stuff, like encryption, etc.).

We aren't the only one (although we were the first).  Several other
companies make solutions that are somewhat similar.  Google is your
friend there.

You can also provide the same functionality with some blend of
BSD/Linux/UNIX running Postfix/Qmail/Sendmail and
MIME::Defang, ClamAV, SpamAssassin, etc.

Basically, the static NAT that is right now pointing to your Exchange
server would point to your security gateway instead.  The security
gateway would accept e-mail on port 25, filter it, and pass the
remaining mail to Exchange via SMTP.  Some of the commercial solutions
(such as ours) offer the ability to quarantine suspicious e-mail on the
appliance and potentially allow users to release it.  There are also
some quarantine solutions available for Open Source software
(although now you're getting into a really complex project).  On
Exchange, point your "smarthost" entry to the security gateway (instead
of "use DNS"), that is, if your gateway can also scan outbound mail (for
viruses and policy violations).

-- 
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com
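The open-source variant of the gateway described in this reply (static NAT to a DMZ host that accepts port 25, filters, and relays to Exchange, with Exchange sending outbound through the same host), as an added configuration example that is not part of the original post or of any product mentioned in it. It assumes a Postfix version with milter support, MIMEDefang listening on its default socket, and hypothetical names: the domain example.com, the gateway mx.example.com, and Exchange at 10.0.1.25 behind the firewall.

```ini
# /etc/postfix/main.cf on the DMZ gateway (all names and addresses are
# hypothetical placeholders for this example)
myhostname = mx.example.com
mydomain = example.com
myorigin = $mydomain

# The gateway holds no mailboxes; it only relays for the internal domain.
mydestination =
relay_domains = example.com

# Hand accepted mail to Exchange over SMTP instead of delivering locally.
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients at the gateway, so spam to non-existent
# addresses is refused at SMTP time rather than accepted and bounced
# later (backscatter).  Without this map, Postfix accepts everything
# for relay_domains and lets Exchange generate the bounce.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Only the Exchange server (Exchange's "smarthost" points here) may relay
# outbound through the gateway; everyone else is limited to example.com.
mynetworks = 127.0.0.0/8, 10.0.1.25/32
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Run every message, inbound and outbound, through MIMEDefang, which in
# turn calls ClamAV and SpamAssassin.  Socket path is an assumption based
# on MIMEDefang's default install location.
smtpd_milters = unix:/var/spool/MIMEDefang/mimedefang.sock
# Fail closed: if the filter is down, defer mail instead of passing it
# through unscanned.
milter_default_action = tempfail

# /etc/postfix/transport  (run "postmap /etc/postfix/transport" afterwards)
# Square brackets deliver to that host directly, skipping the MX lookup,
# so the public MX record for example.com can keep pointing at the gateway.
example.com    smtp:[10.0.1.25]:25

# /etc/postfix/relay_recipients  (one valid mailbox per line; postmap it)
alice@example.com    OK
bob@example.com      OK
```

On the firewall, the only port 25 traffic that needs to exist for the internal network is gateway to 10.0.1.25 and 10.0.1.25 to the gateway; the Internet-facing NAT for port 25 lands on mx.example.com, and nothing outside should be able to reach Exchange directly. The relay_recipients list has to be kept in sync with Exchange's mailboxes (export it on a schedule), otherwise valid addresses are refused at the gateway.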

