Security Basics mailing list archives

Re: Exchange Server and External Access


From: salgak () speakeasy net
Date: Fri, 22 Aug 2003 19:39:15 +0000

-----Original Message-----
From: Cherian M. Palayoor [mailto:cpalayoor () cwalkergroup com]
Sent: Friday, August 22, 2003 05:25 PM
To: security-basics () securityfocus com
Subject: Exchange Server and External Access

Hi,

We presently use the Std edition of Exchange 2000 as a mail server for our
internal users, behind the Firewall.

However we would like to grant mailbox access to external users outside the
Firewall.

What would be the most secure and efficient method of accomplishing this?

Several things come to mind.

1. Leave it behind your firewall: use Outlook Web Access (OWA).  You'll have to tighten down the IIS security on the Exchange box, and as I recall, also open up the NNTP port to the Exchange box.  So you ALREADY have 25 open to the world through the firewall: you'd be adding 80, possibly 443 (been a while since I set up OWA) and 119.

2. Move it to the DMZ: run it as a POP3 server: allow internal and external clients to access it via POP3.  I'd also lock it down hard.  You'll have to allow 137-139 TCP and UDP, as well as 53 UDP from inside to the Exchange box in the DMZ, to allow it to communicate with the Domain Controller.  This is not a recommended solution, but could be made to work.  BTW, I hope your Exchange box is NOT a domain controller. . .always a bad choice. . .

3. Variant of #1: instead of OWA setup, do a POP3 setup to the outside world.  To lock it down, use POP3 over SSL (port 995, I think. . .)  The client config is a bit detailed, I've never tried this. . .

One stream of thought that I have been entertaining is having a separate Exchange/Mail Server on the DMZ.

Bad idea.  You'd need Enterprise Edition of Exchange 2K to synch the servers. . .
