> This is what I was hoping someone had perhaps worked out already! I'll see what I can do, but the roadmap shouldn't be that hard to follow.
> We can't be the only folks trying to secure our network.

No, but passing packets from DMZ is, to say the least, not a common security task! People who want the highest security for their mail servers just don't expose their non-mail data to them, period. Many people run Imail against ODBC databases that are shared by RADIUS, FTP, and other servers. This is a relatively securable architecture, as the SQL database can be placed in its own DMZ with only inbound access. In addition to locking down your mail server and only exposing necessary ports, it's also important that you put an IDS out there and consult your IDS and Imail logs early and often, and of course keep up with Imail security notes (knock on wood, there are few).

> Win2K can support Radius, LDAP, and Kerberos authentication.

Imail isn't an OS, though, so I don't think that's a fair comparison.

> Even SP2 of Exchange (pucker factor on) now offers LDAP as a DMZ
> authentication option.

I don't think you're gonna get Imailers lining up for Exchange because of that feature, but point taken.

> That is not an option. We are trying to protect our internal
> network, so having any DC (other than a separate one-way trusted
> domain) is out.

Try implementing push replication for AD, using, as John T. suggested, Integrated (NT compatibility) mode.

> I cringe at the thought of NetBios.

Any persistent connection from the DMZ inward constitutes an opportunity for compromise, no matter what protocol you use.

> Otherwise, should this DC be compromised, we are sitting ducks for
> all our servers.

Yep, that's what I said--DMZ concept is gone.

> Are there any plans by IPSwitch to add some additional
> authentication mechanisms?

The problem may be less the authentication mechanism than the storage of the authentication credentials. Signatures, shmignatures; if you can retrieve the creds, and easily decrypt them, then reuse the same authentication from a compromised desktop, your intruder just inherits Imail's permissions. So if your LDAP creds were stored in plain text, after a compromise your LDAP server might as well have had no security at all.

-Sandy

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked questions: http://www.ipswitch.com/support/IMail/
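The segmentation rule Sandy describes above (a database DMZ that only accepts inbound connections, and no DMZ host initiating connections into the internal network) can be checked mechanically against a firewall rule table. The following is an added example, not code from the thread or from Ipswitch; the zone address ranges, the `Rule` layout and the sample rule set are constructed here and stand in for whatever a real firewall exports. It flags every "allow" rule whose source zone and destination zone are not on the permitted-initiation list, which is exactly the mail-server-to-internal-DC flow the thread argues against.

```python
"""Audit a constructed firewall rule table for DMZ-to-internal connection initiations."""
from dataclasses import dataclass
import ipaddress

# Hypothetical zone layout (an assumption for this example, not from the thread).
# Most specific zones are listed first; "internet" is the catch-all.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "mail_dmz": ipaddress.ip_network("192.168.10.0/24"),
    "db_dmz":   ipaddress.ip_network("192.168.20.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Policy: which zone may INITIATE a connection into which zone.
# Note there is no entry with a DMZ as source and "internal" as destination,
# and nothing at all originates from db_dmz (it is inbound-only).
ALLOWED_INITIATIONS = {
    ("internet", "mail_dmz"),   # SMTP/POP/IMAP from the outside
    ("mail_dmz", "internet"),   # outbound mail delivery
    ("internal", "mail_dmz"),   # administration from inside
    ("internal", "db_dmz"),     # administration from inside
    ("mail_dmz", "db_dmz"),     # mail server querying its ODBC database
}


@dataclass(frozen=True)
class Rule:
    """One stateful firewall rule: src initiates a TCP connection to dst:port."""
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map a single address to the most specific configured zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if name != "internet" and ip in net:
            return name
    return "internet"


def audit(rules):
    """Return (rule, (src_zone, dst_zone)) for every allow rule the policy forbids."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        flow = (zone_of(rule.src), zone_of(rule.dst))
        if flow not in ALLOWED_INITIATIONS:
            findings.append((rule, flow))
    return findings


# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    Rule("203.0.113.5",  "192.168.10.4", 25,   "allow"),  # internet -> mail server: fine
    Rule("192.168.10.4", "192.168.20.4", 1433, "allow"),  # mail -> SQL in db DMZ: fine
    Rule("192.168.10.4", "10.1.2.3",     389,  "allow"),  # mail -> internal LDAP/DC: forbidden
    Rule("192.168.10.4", "10.1.2.3",     139,  "allow"),  # mail -> internal NetBIOS: forbidden
    Rule("192.168.20.4", "10.1.2.3",     1433, "deny"),   # db DMZ outbound is denied: fine
]

if __name__ == "__main__":
    for rule, (src_zone, dst_zone) in audit(SAMPLE_RULES):
        print(f"VIOLATION {src_zone} -> {dst_zone}: {rule.src} -> {rule.dst}:{rule.port}")
```

Running it on the sample set reports the two rules that let the mail server open connections into the internal network (LDAP on 389 and NetBIOS on 139); the database DMZ has no permitted outbound flows at all, so any future "allow" with a `192.168.20.0/24` source would also be reported.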
