Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Protecting an Exchange server?

From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Tue, 18 May 2004 11:33:59 -0400
Jose's recomendation below are quite good. We use Sendmail box in a dmz. Of
course I use Spamassassin. (See link in sig!) Email has to go thru firewall
twice before entering internal exchange server. IMHO no microsoft box should
ever be attached directly to the internet. 

You can setup aliases to users, then a static route to internal server. This
way you don't have to have actual users on the outside box, and the outside
box will handle rejections. There are a few other neat things you can do as
well ;)

Jose, I'm interested in your secure OWA setup. Is there more info you can
send me off list? Currently users outside the company have to VPN in to
check email. I'd rather just shut that off :) 

Chris Santerre 
System Admin and SARE Ninja
http://www.rulesemporium.com
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


-----Original Message-----
From: Jose Enrique Diaz Jolly [mailto:enrique.diaz () cbbanorte com mx]
Sent: Saturday, May 15, 2004 1:51 PM
To: Mark G. Spencer; security-basics () securityfocus com
Subject: RE: Protecting an Exchange server?
Importance: High



Sure there are several methods, some of them are expensive on 
cash other
on time and fine tuning.

We have a strong policy against exposing any one whose surname is
Microsoft to the internet. So we have made different schemas for
different services. 

For SMTP we have an SMTP server, sendmail on a linux box with some
filters on it like Spamassassin, bogofilter etc. This server 
verifies if
the destination address is a real recipient using some of the sendmails
LDAPRouting features against the inside network's Active Directory. We
only have a single cluster with Exchange so I don't need the ability to
route mail towards different servers to reach the recipient's mailbox.
Thus facilitates me to ensure that any generated "rejection" is made by
my linux box which is on my DMZ. No Exchange is "announced". Then
instead LDAPRouting, I pass (deliver) all mail to an inside 
server which
has all the TrendMicro Security Suite, AntiSPAM and AntiVirus software
which finally delivers to the actual Exchange. On the other hand
outgoing mail is delivered to another box (smart relay) which also has
sendmail on linux.

The other feature is serving OWA, we revised MS' recommendation about
serving securely OWA with an ISA server but I was not satisfied, so we
started to work on a reverse proxy (a reverse proxy is a proxy by
another name) built with Apache, again on a linux box. Using some
features such as rewrite and proxypass I can serve owa without
announcing nor letting it to be seen my OWA server.



-----Original Message-----
From: Mark G. Spencer [mailto:mspencer () evidentdata com] 
Sent: Thursday, May 13, 2004 12:52 PM
To: security-basics () securityfocus com
Subject: Protecting an Exchange server?

Hello,

I'm wondering if there is any way to locate an Exchange 
server on my internal network and place some kind of email 
appliance on our DMZ to actually send and receive email to 
the world and to the Exchange server on my internal network?

Basically, I don't want my Exchange server to be accessible 
to the world in any way.

So ..

Internet -> My Email Appliance -> Firewall -> Exchange Server

I envision setting up a dedicated route in the firewall 
between the email appliance out on the Internet and my 
Exchange server behind the firewall on my local network?

Are there any email appliances that can work with Exchange in 
this way?
It's my (limited) understanding that Exchange server can't 
"pop" to another email server to pull each Exchange users 
email, so I'm not sure exactly how or if my plan could be put 
into action.

Thanks,

Mark





--------------------------------------------------------------
-------------
Ethical Hacking at the InfoSec Institute. Mention this ad and 
get $545 off any course! All of our class sizes are 
guaranteed to be 10 students or less to facilitate one-on-one 
interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of 
in-the-field pen testing experience in our state of the art 
hacking lab. Master the skills of an Ethical Hacker to better 
assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
--------------





---------------------------------------------------------------
------------
Ethical Hacking at the InfoSec Institute. Mention this ad and 
get $545 off 
any course! All of our class sizes are guaranteed to be 10 
students or less 
to facilitate one-on-one interaction with one of our expert 
instructors. 
Attend a course taught by an expert instructor with years of 
in-the-field 
pen testing experience in our state of the art hacking lab. 
Master the skills 
of an Ethical Hacker to better assess the security of your 
organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------
-------------




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: