Firewall Wizards mailing list archives

[Fwd: RE: Exchange Questions]


From: Chris Brenton <cbrenton () sover net>
Date: Sun, 16 May 1999 20:50:15 -0400

Rex wrote:
If I was setting up a DMZ, using Firewall-1, what advantage would
there be if I put my Exchange server & Email connector out on the
DMZ?

It's probably more of a hassle than it's worth. Exchange uses DCOM. This
means that instead of using fixed port numbers Exchange will constantly
change the port numbers it is using. There are registry hacks you can
implement which will hard set the transport and port numbers used by
Exchange, but I've found that this blows up the server about one out of
every ten times you try it. Best to leave the Exchange server on your
internal network where you will not have to worry about client
connectivity.

Will this system be acting as your SMTP relay as well? If so, I can
understand your concern. Exchange suffered from buffer overflow attacks
as recently as version 5.0 (the latest is 5.5 I believe). It is quite
possible that there are some vulnerabilities that have yet to make
it out to the public eye. If your concern is that an attacker may
compromise the system via SMTP, I would suggest that you install an SMTP
relay on your service network (what you call a DMZ) and let this system
talk to the world at large.

You could also use FW-1's SMTP security servers for receiving inbound
mail. This option is not quite as configurable (or stable depending on
which patches you are using) but if your needs are simple it should do
the trick. 

I would not however use the SMTP security servers to deliver outbound
mail. The security servers do not understand MX record preferences. This
means that the SMTP security server is incapable of falling back to a
higher preference mail system if the lower preference system is
off-line. Still, this only affects outbound mail. You can still use the
SMTP security server to relay inbound messages without worrying about
this problem.

Happy hunting,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
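The MX-preference fallback Chris says the FW-1 SMTP security server lacks, shown as an added example (not code from the original post or from Firewall-1): a relay sorts the destination's MX records by preference value, lowest first, and tries the next host when the preferred one is off-line. The domain, host names and the "off-line" set are constructed sample data.

```python
"""Added example: MX-preference fallback as an outbound relay must do it."""
import random

# Constructed sample MX set for an imaginary domain. Per RFC 974 / RFC 2821
# the lowest preference value is tried first; equal values are tried in
# random order so load is spread between those hosts.
SAMPLE_MX = [
    (20, "mx2.example.net"),
    (10, "mx1.example.net"),
    (30, "backup.example.org"),
    (20, "mx3.example.net"),
]


def delivery_order(mx_records, rng=None):
    """Return the hosts in the order a relay should attempt them."""
    rng = rng or random.Random(0)
    by_pref = {}
    for pref, host in mx_records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):          # lowest preference value first
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                 # ties: random order
        order.extend(hosts)
    return order


def deliver_with_fallback(mx_records, try_deliver, rng=None):
    """Try each MX host in turn; return the host that accepted the message,
    or None if every host is down (a real relay would queue and retry)."""
    for host in delivery_order(mx_records, rng):
        if try_deliver(host):
            return host
    return None


def deliver_single_host(mx_records, try_deliver, rng=None):
    """Behaviour of a relay with no fallback: one attempt at the preferred
    host, and the message fails if that host is off-line."""
    host = delivery_order(mx_records, rng)[0]
    return host if try_deliver(host) else None


if __name__ == "__main__":
    offline = {"mx1.example.net"}          # constructed outage
    reachable = lambda h: h not in offline
    print("fallback relay ->", deliver_with_fallback(SAMPLE_MX, reachable))
    print("no-fallback relay ->", deliver_single_host(SAMPLE_MX, reachable))
```

With mx1 off-line the fallback relay hands the message to one of the preference-20 hosts, while the single-host relay gives up, which is the outbound-mail problem described above.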
