Doug Sampson wrote:
|> Note: Two messages below quoted for reference.
|>
|> While you could make this work, it is far outside best practices
|> from an Exchange perspective. However, even if this did work I don't
|> think it will go very far in making Exchange any more secure. A proper
|> way to achieve this would be to build an Outlook Web Access (OWA)
|> frontend system and place it in your DMZ and only open the ports it
|> requires to talk to the backend. You would keep the Exchange server
|> itself on your internal network.
|>
|> Also, while you are at it you might want to consider moving to a more
|> recent version of Exchange, as 5.5 is somewhat of a relic these days.
|>
|> In reference to what Charles said about putting an SMTP smart host in the
|> DMZ, this is a very good idea. I have something similar configured
|> using Qmail-LDAP so that it can interface with Active Directory to check
|> the validity of email addresses before accepting them, and it works
|> exceptionally well.
|>
|> R.
|
| Considering how complex the MS domain functions play out, I'd agree that
| it'd be less troublesome to use an SMTP proxy in the DMZ and forward packets
| through it to the Exchange box.
|
| Would the following statement in /etc/network.conf enable me to punch a hole
| from the DMZ to the LAN?:
|
| INTERN_SERVER6="tcp 192.168.2.xxx smtp 192.168.1.xxx smtp"
|
| whereas 192.168.2.xxx refers to the SMTP proxy and 192.168.1.xxx is the
| Exchange box, assuming the DMZ IP address range is 192.168.2.0/24 and the LAN
| IP address range is 192.168.1.0/24.
|
| Currently the DMZ is set as a private DMZ switch. Is there any advantage to
| changing the DMZ switch to something other than private under the
| circumstances regarding the SMTP proxy?
|
| Any advice/tips would be greatly appreciated!

The DMZ switch you use depends greatly on your network setup. You need valid
public IPs to use anything other than private.
The default firewall rules on Dachstein are set up such that the internal LAN
is masqueraded to the DMZ network. You'll need to use port forwarding (i.e. the
INTERN_SERVER= settings) to allow your SMTP system in the DMZ to talk to the
Exchange server on the internal network. You can use firewall rules to make
sure only the DMZ machine(s) can talk to the Exchange box, and not the
internet in general.

If you have configuration problems, please post details (at least network.conf
and the output of "net ipfilter list") and we'll try to get you going.

NOTE: If your firewall setup isn't very complex, you may find it more
beneficial to simply migrate to Bering (and its shorewall based firewall), as
configuring Dachstein can get to be pretty hairy, and at the end of the day
you still have a kernel 2.2 based, ipchains, non-stateful firewall.

--
Charles Steinkuehler
[EMAIL PROTECTED]

leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
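As an added example (not code from this thread or from LEAF/Dachstein), a small POSIX shell script that checks an INTERN_SERVER-style entry of the shape Doug quoted against the DMZ and LAN ranges named in the thread, and prints the ipchains rules that would let only the DMZ relay reach the forwarded Exchange port. The field meanings (protocol, DMZ relay address, port, LAN host, port) follow Doug's reading of the line, and the sample addresses 192.168.2.5 and 192.168.1.10 are constructed.

```shell
#!/bin/sh
# Added example, not Dachstein code. Checks an INTERN_SERVER-style entry
# ("proto dmz_ip port lan_ip port", read as in the thread: the DMZ address is
# the SMTP relay) against the /24 ranges from the thread, then prints ipchains
# rules that accept the port from that relay only and log/deny everything else.

DMZ_PREFIX="192.168.2."   # DMZ range 192.168.2.0/24 (from the thread)
LAN_PREFIX="192.168.1."   # LAN range 192.168.1.0/24 (from the thread)

# in_prefix IP PREFIX: succeed when IP is PREFIX plus one host octet in 1..254
in_prefix() {
    case "$1" in
        "$2"*) host=${1#"$2"} ;;
        *) return 1 ;;
    esac
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# check_intern_server ENTRY: succeed only for a tcp/udp forward from a DMZ
# host to a LAN host; the reason for a rejection goes to stderr
check_intern_server() {
    set -- $1
    [ $# -eq 5 ] || { echo "expected 5 fields, got $#" >&2; return 1; }
    case "$1" in tcp|udp) ;; *) echo "unsupported protocol: $1" >&2; return 1 ;; esac
    in_prefix "$2" "$DMZ_PREFIX" || { echo "$2 is not a DMZ host" >&2; return 1; }
    in_prefix "$4" "$LAN_PREFIX" || { echo "$4 is not a LAN host" >&2; return 1; }
    return 0
}

# emit_rules ENTRY: print kernel 2.2 ipchains rules for a checked entry.
# Illustrative only; Dachstein builds its own rule set from network.conf.
emit_rules() {
    check_intern_server "$1" || return 1
    set -- $1
    echo "ipchains -A input -p $1 -s $2 -d $4 $5 -j ACCEPT"
    echo "ipchains -A input -p $1 -d $4 $5 -l -j DENY"
}

# Constructed sample entries: the first has the shape quoted in the thread,
# the second names a source outside the DMZ and must be rejected
emit_rules "tcp 192.168.2.5 smtp 192.168.1.10 smtp"
emit_rules "tcp 10.0.0.5 smtp 192.168.1.10 smtp" || echo "rejected, as intended"
```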
