> Note: the two messages below are quoted for reference.
> 
> While you could make this work, it is far outside best practices
> from an Exchange perspective. However, even if this did work, I don't
> think it will go very far in making Exchange any more secure. A proper
> way to achieve this would be to build an Outlook Web Access (OWA)
> frontend system and place it in your DMZ and only open the ports it
> requires to talk to the backend. You would keep the Exchange server
> itself on your internal network.
> 
> Also while you are at it you might want to consider moving to a more
> recent version of Exchange, as 5.5 is somewhat of a relic these days.
> 
> In reference to what Charles said about putting an SMTP smart host in the
> DMZ, this is a very good idea. I have something similar configured
> using Qmail-LDAP so that it can interface with Active Directory to check
> the validity of email addresses before accepting them, and it works
> exceptionally well.
> 
> R.

Considering how complex the MS domain functions play out, I'd agree that
it'd be less troublesome to use an SMTP proxy in the DMZ and forward packets
through it to the Exchange box.

Would the following statement in /etc/network.conf enable me to punch a hole
from the DMZ to the LAN?:

INTERN_SERVER6="tcp 192.168.2.xxx smtp 192.168.1.xxx smtp"

where 192.168.2.xxx refers to the SMTP proxy and 192.168.1.xxx is the
Exchange box, assuming the DMZ IP address range is 192.168.2.0/24 and the LAN
IP address range is 192.168.1.0/24.

Currently the DMZ is set as a private DMZ switch. Is there any advantage to
changing the DMZ switch to something other than private under the
circumstances regarding the smtp proxy?

Any advice/tips would be greatly appreciated!

~Doug
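The DMZ-to-LAN policy the thread is converging on (only the SMTP proxy may reach the Exchange box, only on tcp/25, everything else from the DMZ dropped) as an added illustration, not LEAF's network.conf syntax and not part of the original thread; the proxy and Exchange host addresses are assumed placeholders for the "xxx" in the post.

```python
import ipaddress

# Constructed sample policy: DMZ 192.168.2.0/24 and LAN 192.168.1.0/24 as in
# the thread; the two host addresses are assumed placeholders.
DMZ = ipaddress.ip_network("192.168.2.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
SMTP_PROXY = ipaddress.ip_network("192.168.2.10/32")   # assumed DMZ SMTP proxy
EXCHANGE = ipaddress.ip_network("192.168.1.10/32")     # assumed internal Exchange

# First-match rules for NEW connections from the DMZ toward the LAN:
# (protocol, source net, destination net, destination port or None, verdict).
# Replies flow back via connection tracking, so no reverse rule is needed.
RULES = [
    ("tcp", SMTP_PROXY, EXCHANGE, 25, "ACCEPT"),   # the one hole: proxy -> Exchange smtp
    ("any", DMZ, LAN, None, "DROP"),              # every other DMZ -> LAN attempt
]

def verdict(proto, src, dst, dport):
    """Return the first matching rule's verdict for a new connection; default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_proto, r_src, r_dst, r_port, r_verdict in RULES:
        if r_proto != "any" and r_proto != proto:
            continue
        if src_ip not in r_src or dst_ip not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return r_verdict
    return "DROP"

def audit():
    """Check the policy against the cases the thread cares about."""
    return {
        # the intended hole
        "proxy_to_exchange_smtp": verdict("tcp", "192.168.2.10", "192.168.1.10", 25),
        # a compromised DMZ host other than the proxy must not reach Exchange
        "other_dmz_host_to_exchange_smtp": verdict("tcp", "192.168.2.77", "192.168.1.10", 25),
        # the proxy must not reach any other LAN host, even on smtp
        "proxy_to_other_lan_host_smtp": verdict("tcp", "192.168.2.10", "192.168.1.20", 25),
        # Windows domain traffic (e.g. SMB) from the DMZ stays closed, which is
        # why an Exchange box moved into the DMZ cannot find its domain controller
        "proxy_to_exchange_smb": verdict("tcp", "192.168.2.10", "192.168.1.10", 445),
    }

if __name__ == "__main__":
    for case, result in audit().items():
        print(f"{case}: {result}")
```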


> 
> -----Original Message-----
> From: Doug Sampson
> Sent: Friday, January 06, 2006 1:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [leaf-user] DMZ --> LAN?
> 
> It is both an Exchange 5.5 box and an OWA - all in one box. I've opened a
> hole on the external interface to allow webmail connections for webmail
> users. I am not comfortable with allowing connections into the LAN - thus
> the reason why I want to move it to the DMZ.
> 
> When I boot up in the DMZ, it complains of not finding a domain
> controller.
> It is a member of our domain but is not a domain controller.
> 
> HTH.
> 
> ~D
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles
> Steinkuehler
> Sent: Friday, January 06, 2006 3:23 PM
> To: Doug Sampson
> Cc: [email protected]
> Subject: Re: [leaf-user] DMZ --> LAN?
> 
> Unless someone with exchange experience chimes in (I've stayed as far
> away from exchange as I can), you'll probably need to ask your question
> on a more MS centric list and/or search google/MSDN for information on
> putting a firewall between your exchange server and clients.
> 
> NOTE:  If you're moving the exchange box to the DMZ mainly because of
> concerns that it might get hacked, an alternative would be to install
> an SMTP server in the DMZ that simply forwards mail to the exchange box
> sitting on the internal LAN, shielding it from the 'raw' internet in the
> process.
> 


leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user