Thanks Len. We presently run Mail Marshal as an SMTP gateway to our mail server, which is a rather expensive SMTP/AV/BlackList gateway. The problem is, what I really need is a way for our "external" users to be able to authenticate POP3 / IMAP against an "internal" Win2K AD domain. It seems I only have but four choices:

a) Use non-NT accounts like internal iMail accounts or SQL (not an option).

b) Place a DC in the DMZ and pray like hell it isn't compromised. (NetBIOS)

c) Set up a one-way "Trusted" Domain, and attempt to make iMail authenticate against a domain that is not local to itself. (iMail only sees the local host accounts.)

d) Hope that iMail can be tricked into using LDAP, RADIUS or Kerberos, so as to be able to move this entire mail server into the DMZ --- then only pass back authentication packets into the internal domain. Then if the mail server should be compromised, the damage will be a little more self-contained.

Our existing mail server (InterChange) is able to bridge this configuration; I was hoping that iMail could do the same. I've seen a couple of other products that can support this configuration.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Len Conrad
Sent: Monday, May 06, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] DMZ Authentication against Internal Win2K Domain

>We are presently looking to change our mail server software and iMail seems
>to have a lot of features. However, I am a bit surprised that iMail does
>not seem to be able to Authenticate against an NT database other than the
>local machine.
>
>Has anyone found a way to Authenticate iMail in a DMZ to an Internal Win2K
>domain controller or Radius server?

If you're getting into building a DMZ, it's not the best solution to expose your mailbox server in the DMZ and as MX host. Put an SMTP + DNS proxy/bastion host (IMGate) in your DMZ, and IMail behind the inner firewall, which only trusts SMTP traffic to/from IMail from the IP of the DMZ proxy. This is an "SMTP/DNS forwarding architecture", buzz, buzz.

If you need SMTP relaying for roamers (outside your outer firewall), then you do pop-before-smtp on the bastion server, keeping all the relay traffic out of your internal firewall.

Also, for your roamers coming from other access providers, IMGate can run an extra SMTPD service on, e.g., port 1025, so your roamers are unaffected by blocking of port 25 by the access providers.

Len

www.menandmice.com/DNS-training : DNS Training
BIND8NT.MEIway.com : ISC BIND for NT4 & W2K
IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
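The two layouts discussed in this thread (Len's "SMTP/DNS forwarding architecture" with the mailbox server behind the inner firewall, and the original poster's option (d) with the mailbox server in the DMZ passing only authentication traffic back to the internal domain controller) come down to what the inner firewall is willing to pass from the DMZ. The following is an added example, not code from the thread, IMail or IMGate: a small Python model of an inner-firewall rule set for each layout, with an audit function that probes the flows the thread cares about. All addresses, host names and the choice of LDAPS (636/tcp) and RADIUS (1812/udp) as the authentication back-channel are constructed assumptions for illustration.

```python
# Added example (not from the IMail forum thread). Models the inner firewall for
# (1) Len's layout: mailbox server internal, only the DMZ bastion may speak SMTP to it,
# (2) option (d): mailbox server in the DMZ, only an auth back-channel reaches the DC.
# Addresses below are constructed RFC 1918 values chosen for illustration (assumption).
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

DMZ_NET = ip_network("192.168.100.0/24")        # constructed DMZ range
INTERNAL_NET = ip_network("10.0.0.0/16")        # constructed internal LAN range
BASTION = ip_address("192.168.100.10")          # IMGate-style SMTP/DNS proxy in the DMZ
DMZ_MAIL = ip_address("192.168.100.20")         # mailbox server if placed in the DMZ (option d)
MAILBOX = ip_address("10.0.0.25")               # mailbox server behind the inner firewall
DC = ip_address("10.0.0.5")                     # Win2K domain controller on the internal LAN

SMTP, LDAPS, RADIUS_AUTH = 25, 636, 1812        # well-known ports (LDAPS/RADIUS chosen as assumption)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None      # None matches any destination port


@dataclass(frozen=True)
class Conn:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def host(ip: IPv4Address) -> IPv4Network:
    """Single-host network (/32) for rule matching."""
    return ip_network(f"{ip}/32")


def permitted(policy: List[Rule], conn: Conn) -> bool:
    """First-match evaluation with an implicit default deny, as a stateful
    firewall treats the first packet of a new flow from the DMZ inward."""
    for r in policy:
        if (r.proto == conn.proto and conn.src in r.src and conn.dst in r.dst
                and (r.dport is None or r.dport == conn.dport)):
            return r.action == "allow"
    return False


def forwarding_policy() -> List[Rule]:
    """Len's layout: only the DMZ bastion exchanges SMTP with the internal mailbox server."""
    return [
        Rule("allow", "tcp", host(BASTION), host(MAILBOX), SMTP),
        Rule("allow", "tcp", host(MAILBOX), host(BASTION), SMTP),
        # Nothing else from the DMZ reaches the internal LAN (the DC in particular).
        Rule("deny", "tcp", DMZ_NET, INTERNAL_NET),
        Rule("deny", "udp", DMZ_NET, INTERNAL_NET),
    ]


def dmz_mailserver_policy() -> List[Rule]:
    """Option (d): mailbox server in the DMZ; only the authentication back-channel
    (LDAPS or RADIUS here, never NetBIOS/SMB) is passed back to the internal DC."""
    return [
        Rule("allow", "tcp", host(DMZ_MAIL), host(DC), LDAPS),
        Rule("allow", "udp", host(DMZ_MAIL), host(DC), RADIUS_AUTH),
        Rule("deny", "tcp", DMZ_NET, INTERNAL_NET),
        Rule("deny", "udp", DMZ_NET, INTERNAL_NET),
    ]


def audit(policy: List[Rule]) -> Dict[str, bool]:
    """Probe the policy with the flows that matter in the thread; returns name -> allowed."""
    probes = {
        "bastion->mailbox smtp": Conn("tcp", BASTION, MAILBOX, SMTP),
        "other dmz host->mailbox smtp": Conn("tcp", ip_address("192.168.100.99"), MAILBOX, SMTP),
        "dmz mail->dc ldaps": Conn("tcp", DMZ_MAIL, DC, LDAPS),
        "dmz mail->dc radius": Conn("udp", DMZ_MAIL, DC, RADIUS_AUTH),
        # NetBIOS/SMB: the exposure option (b) would create; must stay blocked in both layouts.
        "dmz mail->dc tcp/135": Conn("tcp", DMZ_MAIL, DC, 135),
        "dmz mail->dc udp/137": Conn("udp", DMZ_MAIL, DC, 137),
        "dmz mail->dc udp/138": Conn("udp", DMZ_MAIL, DC, 138),
        "dmz mail->dc tcp/139": Conn("tcp", DMZ_MAIL, DC, 139),
        "dmz mail->dc tcp/445": Conn("tcp", DMZ_MAIL, DC, 445),
    }
    return {name: permitted(policy, c) for name, c in probes.items()}


if __name__ == "__main__":
    for name, pol in (("forwarding", forwarding_policy()), ("dmz mailserver", dmz_mailserver_policy())):
        print(f"--- {name} ---")
        for flow, ok in audit(pol).items():
            print(f"{'ALLOW' if ok else 'deny '}  {flow}")
```

Run the module directly to print the audit for both layouts. The point the audit makes explicit is that in Len's layout the domain controller is reachable from the DMZ on nothing at all, while option (d) narrows the DMZ-to-DC path to the two authentication ports and still leaves every NetBIOS/SMB port closed; in either case a compromised DMZ host gets no more than the single service the design requires.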
