Firewall Wizards mailing list archives

RE: Exchange Questions


From: Russ <Russ.Cooper () rc on ca>
Date: Tue, 18 May 1999 02:53:21 -0400

Frank W. Keeney ced;

IMHO all hosts with services accessible from the Internet should be in
the DMZ (or service network). Windows NT hosts such as Exchange or web
servers should be in their own MS Domain. Then set up a one-way MS
Domain trust so the external domains trust the internal domains but not
the other way around.

FYI.

NT Domain Trusts require password changes on a regular basis (i.e. 15
days). This password change is for the Trust alone. l0phtcrack could
sniff and decrypt it, particularly if LanMan hashes have not been
disabled.

It also introduces an oft-complained-about issue in WAN environments,
namely, if for any reason the new password process fails, the Trust is
downed, and must be created anew.

I would ask anyone who is paranoid of SMTP to explain why that paranoia
is believed to be applicable to MS Exchange Server. IMO, there is no
known translation of known SMTP vulnerabilities against MS Exchange
Server. I would be happy to hear of any I'm unaware of. SMTP Relay is
the only issue I can think of, and a DMZ does nothing to assist with it.

If the issue is the stability of an MS NT TCP/IP stack against malformed
packets, this should be dealt with by the FW-1 box regardless of DMZ.

I can fully appreciate the "by-the-book" approach to putting such
servers in a DMZ, but when the question is specific, the answer should
be more than "well, that's how I've always seen it done before".

IMNSHO, a DMZ'd MS Exchange Server (in a different NT domain or
otherwise) does absolutely nothing but add to the complexity of an
already complex FW-1 installation.

It also adds to the overall cost of the implementation, as well as the
complexity of the Exchange installation. Cost is added due to a 2nd,
totally unnecessary, Exchange Server license. Installation complexity
comes as a result of maintaining a Site Connector (since, we assume, the
DMZ'd box is going to also be in a different Exchange Site).

While this list is probably the best resource for getting information on
the pros and cons of FW-1 DMZ usage, it's certainly not the best place to
get MS Exchange Server advice. The MS Exchange Server mailing list can
be found through <http://www.msexchange.org>.

Given MS Exchange Server's current lack of Sendmail-like
vulnerabilities, one must also be extremely wary about introducing such
possibilities by placing something in front of the Exchange Server's
SMTP connector. *THIS IS DEFINITELY NOT A REFERENCE TO CYBERWALL/PLUS*,
but instead a reference to ideas that some sort of SMTP forwarding
server be placed in the DMZ instead of an Exchange Server.

Be very careful that the layers of the onion you're trying to create
don't make you cry too much...;-]

Cheers,
Russ - NTBugtraq Editor
