Firewall Wizards mailing list archives
[Fwd: RE: Exchange Questions]
From: Chris Brenton <cbrenton () sover net>
Date: Sun, 16 May 1999 20:50:15 -0400
Rex wrote:
If I was setting up a DMZ, using Firewall-1, what advantage would there be if I put my Exchange server & Email connector out on the DMZ?
It's probably more of a hassle than it's worth. Exchange uses DCOM. This means that instead of using fixed port numbers, Exchange will constantly change the port numbers it is using. There are registry hacks you can implement which will hard set the transport and port numbers used by Exchange, but I've found that this blows up the server about one out of every ten times you try it. Best to leave the Exchange server on your internal network where you will not have to worry about client connectivity.

Will this system be acting as your SMTP relay as well? If so, I can understand your concern. Exchange suffered from buffer overflow attacks as recently as version 5.0 (the latest is 5.5 I believe). It is quite possible that there are some vulnerabilities that have yet to make it out to the public eye. If your concern is that an attacker may compromise the system via SMTP, I would suggest that you install an SMTP relay on your service network (what you call a DMZ) and let this system talk to the world at large.

You could also use FW-1's SMTP security servers for receiving inbound mail. This option is not quite as configurable (or stable, depending on which patches you are using), but if your needs are simple it should do the trick. I would not, however, use the SMTP security servers to deliver outbound mail. The security servers do not understand MX record preferences. This means that the SMTP security server is incapable of falling back to a higher preference mail system if the lower preference system is off-line. Still, this only affects outbound mail. You can still use the SMTP security server to relay inbound messages without worrying about this problem.

Happy hunting,
Chris
--
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
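
The MX fallback that the message above says the SMTP security servers lack, as an added example that is not part of the original post and is not FireWall-1 code. It orders targets as RFC 5321 section 5.1 describes and compares that with a simplified model of a relay that tries one target only; the host names, the `try_host` callback and the single-target model are assumptions for illustration.

```python
import random
from itertools import groupby

# Constructed sample data: (preference, host) pairs in the arbitrary order a
# resolver might return them. Lower preference number = tried first.
SAMPLE_MX = [(10, "mail.example.net"), (30, "lastresort.example.net"),
             (20, "backup.example.net")]


def order_mx(records, domain, rng=random):
    """Return hosts in the order RFC 5321 section 5.1 says to try them."""
    if not records:
        # No MX records at all: the domain itself is the implicit MX.
        return [domain]
    ordered = []
    for _, group in groupby(sorted(records), key=lambda r: r[0]):
        hosts = [host for _, host in group]
        rng.shuffle(hosts)  # spread load across equal-preference hosts
        ordered.extend(hosts)
    return ordered


def deliver_with_fallback(records, domain, try_host, rng=random):
    """Try each MX in preference order; return (accepting_host, hosts_tried)."""
    tried = []
    for host in order_mx(records, domain, rng):
        tried.append(host)
        if try_host(host):  # try_host is a hypothetical transport callback
            return host, tried
    return None, tried  # every target is down: the message stays queued


def deliver_single_target(records, domain, try_host):
    """Assumed model of a preference-unaware relay: first record, no retry."""
    host = records[0][1] if records else domain
    return (host if try_host(host) else None), [host]


if __name__ == "__main__":
    # Constructed outage: the primary is off-line, both backups are up.
    up = {"backup.example.net", "lastresort.example.net"}
    print(deliver_with_fallback(SAMPLE_MX, "example.net", up.__contains__))
    print(deliver_single_target(SAMPLE_MX, "example.net", up.__contains__))
```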