RE: Protecting an Exchange server?

["Jose Enrique Diaz Jolly" <enrique.diaz () cbbanorte com mx>]

Sure there are several methods, some of them are expensive on cash other
on time and fine tuning.

We have a strong policy against exposing any one whose surname is
Microsoft to the internet. So we have made different schemas for
different services. 

For SMTP we have an SMTP server, sendmail on a linux box with some
filters on it like Spamassassin, bogofilter etc. This server verifies if
the destination address is a real recipient using some of the sendmails
LDAPRouting features against the inside network's Active Directory. We
only have a single cluster with Exchange so I don't need the ability to
route mail towards different servers to reach the recipient's mailbox.
Thus facilitates me to ensure that any generated "rejection" is made by
my linux box which is on my DMZ. No Exchange is "announced". Then
instead LDAPRouting, I pass (deliver) all mail to an inside server which
has all the TrendMicro Security Suite, AntiSPAM and AntiVirus software
which finally delivers to the actual Exchange. On the other hand
outgoing mail is delivered to another box (smart relay) which also has
sendmail on linux.

The other feature is serving OWA, we revised MS' recommendation about
serving securely OWA with an ISA server but I was not satisfied, so we
started to work on a reverse proxy (a reverse proxy is a proxy by
another name) built with Apache, again on a linux box. Using some
features such as rewrite and proxypass I can serve owa without
announcing nor letting it to be seen my OWA server.
 

> -----Original Message-----
> From: Mark G. Spencer [mailto:mspencer () evidentdata com] 
> Sent: Thursday, May 13, 2004 12:52 PM
> To: security-basics () securityfocus com
> Subject: Protecting an Exchange server?
>
> Hello,
>
> I'm wondering if there is any way to locate an Exchange 
> server on my internal network and place some kind of email 
> appliance on our DMZ to actually send and receive email to 
> the world and to the Exchange server on my internal network?
>
> Basically, I don't want my Exchange server to be accessible 
> to the world in any way.
>
> So ..
>
> Internet -> My Email Appliance -> Firewall -> Exchange Server
>
> I envision setting up a dedicated route in the firewall 
> between the email appliance out on the Internet and my 
> Exchange server behind the firewall on my local network?
>
> Are there any email appliances that can work with Exchange in 
> this way?
> It's my (limited) understanding that Exchange server can't 
> "pop" to another email server to pull each Exchange users 
> email, so I'm not sure exactly how or if my plan could be put 
> into action.
>
> Thanks,
>
> Mark
>
>
>
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and 
> get $545 off any course! All of our class sizes are 
> guaranteed to be 10 students or less to facilitate one-on-one 
> interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of 
> in-the-field pen testing experience in our state of the art 
> hacking lab. Master the skills of an Ethical Hacker to better 
> assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------