> I am seeking info from those of you who have installed Imail on a
> Domain Controller. We desire the account integration that comes with
> installing Imail on a DC, but are wondering if there is a downside,
> like potential security headaches.

If you do not already have a DMZ, it should provide no appreciable decrease in security. The IMail services must be monitored for future vulnerabilities, as would any other services on your network.

If you are accustomed to having your mail server in a DMZ, allowing LDAP replication between the DMZ and the internal network will indeed create one additional attack vector for somebody who has compromised your mail server (and in turn may have administrator access in AD). But owning the mail server itself will not carry with it a further privilege elevation unless additional internal systems are accessible; a lot depends, then, on other remote access methods available at your site, and whether these, too, are integrated with AD.

Overall, when managed with care, the advantages of using NT integration will far outweigh the hazards. Just be aware of what you're dealing with and model the consequences of various attacks.

As Todd suggests, using an integrity checker on any Internet-facing server (whether a web server, dumb MX, or mailbox server) gives peace of mind. Of course, IDSes and so on are also part of the big picture.

I personally prefer to poke just LDAP queries and auths--as opposed to LDAP replication--through the firewall, thus ensuring that no full copy of your userbase is ever stored in the DMZ--yet POP3/SMTP AUTH logins and SMTP recipients can still be processed.

--Sandy

------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
http://www.mailmage.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
http://www.mailmage.com/products/software/freeutils/exchange2aliases/download/release/
http://www.mailmage.com/products/software/freeutils/ldap2aliases/download/release/
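
Added example, not part of the original post or of IMail: a small audit of DMZ-to-internal firewall rules against the approach described in the reply above, where only LDAP queries and auths from the mail server pass through and nothing that would support replication does. The rule format, the addresses and the `audit` helper are constructed for illustration; 389/636 (LDAP/LDAPS), 135 (RPC endpoint mapper) and 445 (SMB) are the standard port assignments.

```python
from dataclasses import dataclass

LDAP_PORTS = {389, 636}  # LDAP and LDAPS: directory queries and binds (auths)
# Well-known ports that directory replication relies on in addition to LDAP.
REPLICATION_HINTS = {135: "RPC endpoint mapper", 445: "SMB"}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port_lo: int
    port_hi: int
    action: str  # "allow" or "deny"

def audit(rules, mail_server, directory_servers):
    """Return (rule, reason) for each allow rule wider than LDAP query/auth."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        extra = set(range(r.port_lo, r.port_hi + 1)) - LDAP_PORTS
        if r.src != mail_server:
            findings.append((r, "source is not the mail server"))
        elif r.dst not in directory_servers:
            findings.append((r, "destination is not a directory server"))
        elif extra:
            hints = [REPLICATION_HINTS[p] for p in sorted(extra) if p in REPLICATION_HINTS]
            reason = "non-LDAP ports open"
            if hints:
                reason += " (" + ", ".join(hints) + ")"
            findings.append((r, reason))
    return findings

# Constructed sample: hypothetical DMZ mail server and internal directory server.
MAIL_SERVER = "10.0.1.25"
DIRECTORY_SERVERS = {"10.0.0.10"}
SAMPLE_RULES = [
    Rule("10.0.1.25", "10.0.0.10", 389, 389, "allow"),      # LDAP query/auth: fine
    Rule("10.0.1.25", "10.0.0.10", 636, 636, "allow"),      # LDAPS: fine
    Rule("10.0.1.25", "10.0.0.10", 135, 135, "allow"),      # replication-style access
    Rule("10.0.1.25", "10.0.0.10", 49152, 65535, "allow"),  # wide high-port range
    Rule("10.0.1.30", "10.0.0.10", 389, 389, "allow"),      # another DMZ host
    Rule("10.0.1.25", "10.0.0.50", 389, 389, "allow"),      # non-directory target
    Rule("10.0.1.25", "10.0.0.10", 445, 445, "deny"),       # explicit deny: ignored
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES, MAIL_SERVER, DIRECTORY_SERVERS):
        print(f"{rule.src} -> {rule.dst}:{rule.port_lo}-{rule.port_hi}: {reason}")
```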
