I believe the rationale is to limit external connectivity into the
production (internal) network. While I'm not sure I'd call it a
sacrificial system, the external relays do consolidate mail relay and DNS
for the outside-facing world, with firewall rules preventing any direct
connection for those protocols.

I do have to say it's a bit of a complicated system, part of which
existed before we swapped to new firewalls[1]. Part of the complexity
revolves around other portions of our business that have some interesting
requirements of their own.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA

[1] The old firewalls botched SMTP relaying, so we had to have good
systems on both sides to mitigate traffic flow through the firewall.

> -----Original Message-----
> From: Webb, Andy [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 07, 2002 8:00 AM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
>
> I don't understand why you'd put a "sacrificial" system outside the
> firewall or how that's any better than the same system inside. It just
> increases the complexity. I haven't seen any place where containment
> on an internal relay is a problem.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Posted At: Friday, June 07, 2002 5:59 AM
> Posted To: Microsoft Exchange
> Conversation: lesser of the evils - ssl or smtp
> Subject: RE: lesser of the evils - ssl or smtp
>
>
> Actually, and I'm not normally one to contradict you, it's best to have
> an SMTP relay outside the firewall, which in turn forwards to an SMTP
> relay inside the firewall (with a locked down rule allowing SMTP between
> those two hosts only), with the internal relay doing virus checking
> (with Viruswall, for instance), and the internal relay passing off via
> SMTP to Exchange.
>
> I'd skip the internal relay first, but that depends on what the external
> relay is running (i.e. OS and MTA).
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Peregrine Systems
> Atlanta, GA
>
> > -----Original Message-----
> > From: Baker, Jennifer [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 4:07 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> >
> > IMO, it is best practice to have an smtp relay server behind a
> > firewall and between your mailbox servers and the internet. Although,
> > I am not sure how he thinks that smtp floods will be avoided with a
> > relay server in place.
> >
> > -----Original Message-----
> > From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 12:28 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> >
> > Yes! The voice of reason. Ed, you're the shit! That's what I'm
> > saying, OWA with SSL works great. My brother is trying to tell me that
> > you should use sendmail or a border 2k box for smtp relaying to stop
> > smtp floods. What's your take? Expose smtp directly to the internet,
> > through a firewall or not?
> >
> > Jason Cook
> > J.H. Ellwood and Associates
> > Network Administrator
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 2:25 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > I would agree even to say that OWA with SSL would be a reasonably safe
> > configuration for large organizations. I don't like front-end servers
> > in a DMZ because of the myriad ports you must open between the DMZ and
> > the intranet.
> >
> > Ed Crowley MCSE+Internet MVP kcCC+I
> > Tech Consultant
> > hp Services
> > Protecting the world from PSTs and Bricked Backups!
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Cook, Jason
> > Sent: Thursday, June 06, 2002 11:18 AM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> >
> > Seems a little rash Mr. Butler, a lot of small companies use the
> > scenario presented by Rob Ellis originally. A firewall, a good
> > hardware one anyway, is great protection if used effectively. OWA with
> > ssl is a good and secure solution, so I'm curious as to why you
> > believe that it's a "rule" to use a dmz?
> >
> >
> > Jason Cook
> > J.H. Ellwood and Associates
> > Network Administrator
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 1:06 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > No, not remote users, server smtp traffic.
> >
> > We are proposing citrix full desktop, OWA for some remote users, no
> > POP/smtp access for end users.
> >
> > The Webshield I mentioned is as you say, part of TVD.
> >
> > Our design sounds very much like your setup.
> >
> >
> > Regards,
> >
> >
> > Rob Ellis
> >
> > -----Original Message-----
> > From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> > Sent: 06 June 2002 18:49
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> > I'll throw in .02
> >
> > Assuming you are referring to allowing remote users to get their
> > e-mail.
> >
> > I'm doing the OWA thing for "remote/roaming" users.
> > I do some Citrix for full desktops.
> > I do NOT allow users to connect to the exch box at this time via
> > SMTP/POP.
> >
> > I do at this time use the Simple Webshield product bundled with the
> > NIA/Mcafee TVD suite. It does reside on its own machine.
> > so Internet smtp > webshield > Exch.
> > yes the webshield sits before the Exch box.
> > Yes it provides me with an additional layer of pre exch virus
> > protection...works ok. yes it also provides some prefiltering on
> > attachments...sucks...does not go any deeper than the first level,
> > i.e. FWD> FWD it will miss.
> > Note: Their full blown product webshield APP is supposed to work
> > well..no exp with it, I'll keep my opinions to myself..
> >
> > If I had to let user(s) directly get to either port 110/POP and
> > port25/smtp to do their e-mail...
> > 1.) I would not ..that's me..
> > 2.) Forced to, only via some secure connection like a VPN.
> >
> > bill
> >
> > PS for those interested I run the AV product too at the file level
> > and scan all files on the exchange box with no exceptions.
> > ;-)
> >
> > -----Original Message-----
> > From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 06, 2002 1:38 PM
> > To: Exchange Discussions
> > Subject: RE: lesser of the evils - ssl or smtp
> >
> >
> > Okay I'll add another spanner to your works, I would advise an SMTP
> > relay server on your DMZ but I really wouldn't use McAfee Webshield.
> > Why, I hear you cry? For one it is pretty bad at blocking viruses, and
> > two, we have had no end of problems with it crashing or not sending to
> > certain domains when it gets a DAT update. Why not use the SMTP
> > component of IIS as your SMTP relay server and then use ScanMail or
> > Antigen on your Exchange server. Either that or use someone like
> > MessageLabs to outsource your antivirus to.
> >
> > Regards,
> >
> > Paul
> >
> > -----Original Message-----
> > From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> > Sent: 06 June 2002 18:26
> > To: Exchange Discussions
> > Subject: lesser of the evils - ssl or smtp
> >
> >
> > Ok, I've got a couple of scenarios, which of them is the least risky?
> >
> > Exchange 2000 mailbox server on the LAN, accepting/making connections
> > using SMTP through a firewall to the internet
> >
> > Exchange 2000 mailbox server on the LAN, accepting SSL secured OWA
> > connections from the internet, again, protected by a firewall.
> >
> >
> > Basically I am being told I may have to do both with the same box, but
> > I'd rather have the smtp traffic going through a DMZ based gateway
> > running McAfee Webshield, and let the OWA clients come into the
> > internal box over SSL (which I see as less of a risk than opening up
> > port 25).
> >
> > If you had to choose one of the 2 above scenarios, which would it be?
> >
> > Regards,
> >
> > Rob Ellis
> >
> > _________________________________________________________________
> > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > Archives: http://www.swynk.com/sitesearch/search.asp
> > To unsubscribe: mailto:[EMAIL PROTECTED]
> > Exchange List admin: [EMAIL PROTECTED]
> >
> >
> > ----------------------------------------------------------------------
> > If you have received this e-mail in error or wish to read our e-mail
> > disclaimer statement and monitoring policy, please refer to
> > http://www.drkw.com/disc/email/ or contact the sender.
> > ----------------------------------------------------------------------
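The two-relay layout Roger describes in the thread (a relay outside the firewall, a single locked-down rule allowing SMTP only between that relay and the internal relay, and the internal relay handing off to Exchange) can be checked as a policy on paper before anyone touches a real firewall. The script below is an added example and not code from anyone in this thread; the host names, the addresses (RFC 5737 documentation ranges and 10/8) and the rule order are constructed assumptions. It models the firewall as a first-match packet filter and audits which port 25 flows involving the inside network survive, and puts Rob's scenario 1 (Exchange itself accepting and making SMTP connections through the firewall) beside it for comparison.

```python
"""Added example: first-match firewall policy model for the relay design
discussed on the list. Hosts, addresses and rule order are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology (illustrative addresses, not anyone's real hosts).
HOSTS = {
    "internet": "203.0.113.50",         # any outside sender
    "external_relay": "198.51.100.25",  # MTA outside the firewall
    "internal_relay": "10.0.1.25",      # MTA inside, does the AV scan
    "exchange": "10.0.1.10",            # Exchange 2000 mailbox server
    "workstation": "10.0.2.40",         # ordinary internal desktop
}
INSIDE = ip_network("10.0.0.0/8")       # the protected network
SMTP = 25


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


# Roger's design: SMTP exists only as explicit hops. Internal-side allows
# come first, then a deny for every other inside host, then the one rule
# that lets the world reach the external relay, then default deny.
RELAY_POLICY: List[Rule] = [
    Rule("198.51.100.25/32", "10.0.1.25/32", SMTP, "allow"),   # ext relay -> int relay
    Rule("10.0.1.25/32", "10.0.1.10/32", SMTP, "allow"),       # int relay -> Exchange
    Rule("10.0.1.10/32", "10.0.1.25/32", SMTP, "allow"),       # Exchange -> int relay (outbound)
    Rule("10.0.1.25/32", "198.51.100.25/32", SMTP, "allow"),   # int relay -> ext relay (outbound)
    Rule("10.0.0.0/8", "0.0.0.0/0", SMTP, "deny"),             # no other inside host speaks SMTP
    Rule("0.0.0.0/0", "198.51.100.25/32", SMTP, "allow"),      # internet -> ext relay
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),              # default deny
]

# Rob's scenario 1: the mailbox server faces the internet on port 25.
DIRECT_POLICY: List[Rule] = [
    Rule("0.0.0.0/0", "10.0.1.10/32", SMTP, "allow"),          # internet -> Exchange
    Rule("10.0.1.10/32", "0.0.0.0/0", SMTP, "allow"),          # Exchange -> internet
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),              # default deny
]


def decide(src_ip: str, dst_ip: str, port: int, policy: List[Rule]) -> str:
    """First matching rule wins, as in most packet filters."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def smtp_allowed(src: str, dst: str, policy: List[Rule] = RELAY_POLICY) -> bool:
    return decide(HOSTS[src], HOSTS[dst], SMTP, policy) == "allow"


def audit(policy: List[Rule] = RELAY_POLICY) -> Dict[Tuple[str, str], bool]:
    """SMTP reachability for every flow that touches the inside network.
    Traffic between the external relay and the internet never crosses
    this firewall, so it is out of scope here."""
    inside = {n for n, ip in HOSTS.items() if ip_address(ip) in INSIDE}
    return {(s, d): smtp_allowed(s, d, policy)
            for s in HOSTS for d in HOSTS
            if s != d and (s in inside or d in inside)}


def exposed_inside_hosts(policy: List[Rule] = RELAY_POLICY) -> List[str]:
    """Inside hosts that an arbitrary internet address can reach on port 25.
    Empty for the relay design; Exchange itself for the direct design."""
    return sorted(d for (s, d), ok in audit(policy).items()
                  if ok and s == "internet")


if __name__ == "__main__":
    for name, policy in (("relay", RELAY_POLICY), ("direct", DIRECT_POLICY)):
        print(f"--- {name} policy, inside hosts reachable from the internet on 25:"
              f" {exposed_inside_hosts(policy) or 'none'}")
        for (s, d), ok in sorted(audit(policy).items()):
            print(f"{s:15} -> {d:15} {'allow' if ok else 'deny'}")
```

The audit is the part worth keeping: with the relay policy the only inside host anything can reach on port 25 is the internal relay, and only from the external relay's address, so Exchange is two filtered hops from the internet. Running the same audit against `DIRECT_POLICY` shows the mailbox server itself as the host every outside address can connect to, which is the exposure Rob was weighing against opening port 25.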

