arcascomp asked:
Securing and protecting mail server in small office (spam/virus)

Okay, this one's gonna cause some flak as I'm looking for people's opinions and experiences, so I might have to spread some points around. I realise that everyone is welcome to their opinions, as long as they agree with mine *8-)

Therefore please don't get into flaming each other over better Linux distros, M$ vs *nix, etc.

Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the mail system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA Server. I am a Windows support chap by profession, so I'm going to use Exchange for the main office email system, Outlook will be the preferred client and Windows 2003 will be used for general file serving, print serving and user authentication.

The methods of securing the environment from the big bad internet are still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server, as far as I'm aware).

The email is currently being supplied by a variety of POP3 mailboxes, so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server.

I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange-style webmail interface, as we all know how the vulnerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just that they tend to get a lot of exposure on the net).

So, my initial thoughts were:

Web traffic to the IPCop box, which would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definitely blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seems a nice feature.

IPCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this completely tight as a duck's a*$£ are welcome.

An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the POP3 mailboxes, feed the mail through a decent virus and spam filtering system and then forward it via SMTP to the Exchange server.

Outgoing mail will be delivered straight out to the internet from Exchange directly.

I could also double protect the Exchange server with ISA, as I have a legal copy, but I have run out of Windows Server licenses to host it! How much value would there be in putting ISA on the Exchange server to be double protected? Overkill?

So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. I'm open to anything really, just don't want my office to be!

Many thanks in advance and apologies for the length of this post...
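The automatic blacklisting described in the first bullet (capture the source address of anyone hitting a refused port, block it once they have tried more than once) is easy to prototype off the firewall's own log. The block below is an added example, not code from the original thread or from IPCop: it parses constructed netfilter-style LOG lines (IPCop is iptables-based, so this is the format its logs take), treats every destination port other than the forwarded 443 as refused, counts attempts per source and returns the sources that crossed the threshold. Pushing the result into an actual DROP rule is deployment-specific and left out; the port set, threshold and sample lines are assumptions.

```python
"""Auto-blacklist sources that repeatedly probe refused ports.

Added example, not from the original thread or from IPCop. Works over
constructed netfilter LOG lines: one attempt on a refused port is
tolerated (a mistyped URL should not lock a remote user out), the
second one puts the source on the blacklist.
"""
import re
from collections import defaultdict

# Only 443 is forwarded to the DMZ webmail host; everything else is refused.
ALLOWED_PORTS = {443}
# Blacklist from the second attempt on a refused port ("more than once").
THRESHOLD = 2

# The two fields we need from a netfilter LOG line: SRC and DPT (dest port).
_LOG_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)")


def parse_log_line(line):
    """Return (src_ip, dst_port) or None for lines without those fields."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dpt"))


def find_scanners(lines, allowed_ports=ALLOWED_PORTS, threshold=THRESHOLD):
    """Return {src_ip: attempts} for sources that hit refused ports >= threshold times.

    Hits on an allowed port are ignored, so a legitimate OWA user who also
    fat-fingers one other port once is not blacklisted.
    """
    attempts = defaultdict(int)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # kernel chatter that is not a packet log line
        src, dpt = parsed
        if dpt in allowed_ports:
            continue
        attempts[src] += 1
    return {src: n for src, n in attempts.items() if n >= threshold}


# Constructed sample log lines (not real traffic); documentation address ranges.
SAMPLE_LOG = [
    "Jan  5 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22",
    "Jan  5 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=25",
    "Jan  5 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=3389",
    "Jan  5 10:00:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=443",
    "Jan  5 10:00:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=80",
    "Jan  5 10:00:10 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353",
    "Jan  5 10:00:11 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353",
    "Jan  5 10:00:12 fw kernel: some unrelated message",
]

if __name__ == "__main__":
    for ip, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"blacklist {ip} ({n} attempts on refused ports)")
```

Two caveats before wiring this to a live rule set: source addresses in unsolicited packets can be spoofed, so an attacker who knows the firewall does this can get the remote office's or a business partner's address blacklisted by sending two forged SYNs from it. Exempt the VPN peers and any other known addresses from the blacklist, and expire entries after a fixed time rather than keeping them forever.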
Quetzal:

For a small office, your initial proposal sounds way too complicated... not that it is a bad idea, but its complexity is not scaled to the size of the office.

Alternative #1: Install a Pix 501 firewall and enable the "mailguard" feature and run straight-up email and file servers behind it. The Pix is relatively inexpensive and you will get great firewall protection. Unless you have specific reason to fear being the object of a direct attack, imho this could be sufficient for your needs. Run IIS on the email server to get OWA functionality.

Alternative #2: Beef up alternative #1 by installing ISA on the file server and installing dual nics, one to connect to the LAN, the other to connect to the mail server.  Set up ISA rules to clamp down on allowed traffic to file server and between file server and email server.  ISA can be a giant pain to configure, so this adds a major layer of complexity, but it also creates a major layer of security.

WRT POP3 mailboxes and Exchange... Exchange can query the POP3 mailboxes for you directly; it's easy to configure and much simpler than trying to collect and send it.

WRT anti-virus...From my personal experience, I like McAfee Groupshield best.

WRT anti-spam...I am using GFI Mail Essentials with great success.

Unless you are going to subscribe to a service that scans your email before it hits the premises (this is pretty expensive), I don't see too much advantage to having a separate box at or behind your firewall.  A standalone email server should have no problem keeping up.
arcascomp (asker):

Quetzal, thanks for the reply, interesting ideas.

wrt complexity, I should've stated that I am looking to set this up to be very secure, as a pilot for possibly implementing it at a larger (more clients anyway) site that is getting serious email traffic, with massive amounts of spam. Also, being a suitably techy geek, any extra complexity becomes a better challenge! Why make life easy :-)

Said larger site is also a charity, so the cheaper option (without incurring excessive amounts of man hours to install, configure and mostly maintain) will always be preferable.

Unless M$ has added a POP3 collector to Exchange 2003, then unfortunately it cannot natively collect from a POP3 box. Only the Small Business Server versions have that kludge installed.
wrt the POP3 connector, see http://www.mapilab.com/exchange/pop3_connector/

If you can stand the higher cost of a Pix 515, you can get a true DMZ, mailguard, and avoid the configuration hassles of ISA...simple to install, very robust.

SonicWall has options for virus and spam filtering, but I don't have personal experience with their products.

Also forgot to mention that Outlook 2003 has a highly touted spam filtering capability, but it does not work when running OL on Terminal Services.

Also, the new (higher) user caps on SBS 2003 make it very attractive and affordable for the small office solution.
That POP3 connector is not native to Exchange but a commercial add-on. Fetchmail on Unix can do all that for free! Trying to spend less money, not more, if possible :-)

Roughly how much do the Pix firewalls cost?

IPCop is the freeware community's continuation of the original SonicWall product; hopefully some people here will have had some experience of this and can advise accordingly. Might need to ask a similar question in the firewall section as well.

Outlook 2003 does indeed filter spam fairly well, but I prefer to stop spam and viruses at the front door whenever possible. I feel that a local client spam and virus checker should be the final line of defence.

SBS is a single server solution that forces all your eggs into one basket so I'm not keen on that approach. Also my license for that is slated to be used for the internal test system.

Thanks again for your comments.
Quetzal:
[solution text not included on this page]
It's really funny reading your response Quetzal, as what you're saying is *exactly* what I would probably answer a question like this with! LOL

I guess what you've said about the learning by tinkering is what I hadn't added in originally. I feel I know the land of M$ fairly well but I know very little about the Linux land and sadly I enjoy these learning experiences :-)

wrt the cheaper SOHO firewalls, many of these are in fact embedded Linux systems, so an older PC and a good stripped-down Linux distro like IPCop is fairly similar on the security level. After all, some of the big commercial firewalls like Checkpoint are only really software solutions.

Hmmmm, well maintained, backed-up environment........ if only I stopped wasting my time tinkering and concentrated with the obvious! If I learnt from all my mistakes, I'd be over qualified for this job!

Cheers
lol.  I want to know Linux better too and will be putting up a couple test boxes soon.  It will be interesting to see what other viewpoints you get.  WRT my mistakes...15th time is a charm!
It's not too difficult to install Linux + SpamAssassin and add to it lots of rules that are already out there on the web. Just look for
http://www.spamassassin.org/index.html
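The piece that ties the SpamAssassin suggestion to the asker's collector design (fetchmail pulls the POP3 boxes, the mail goes through the filter, and only then is it handed to Exchange over SMTP) is the gate that reads SpamAssassin's verdict and decides what to relay. The block below is an added example, not code from the original thread, fetchmail or SpamAssassin: it parses the X-Spam-Status header that SpamAssassin adds, classifies each message, and flags mail that never went through the filter at all, so a stopped spamd is noticed instead of silently letting everything through. The Exchange host name, the reject threshold and the sample messages are assumptions; the relay function is included for completeness but is not called by the samples.

```python
"""Gate SpamAssassin-scored mail before relaying it to Exchange.

Added example, not from the original thread, fetchmail or SpamAssassin.
Models the collector: fetchmail -> spamc -> this gate -> SMTP to Exchange.
"""
import email
import re
import smtplib
from email import policy

EXCHANGE_HOST = "exchange.internal.example"  # assumed internal Exchange SMTP listener
REQUIRED_SCORE = 5.0   # SpamAssassin's default 'required' score
REJECT_SCORE = 15.0    # assumed: at or above this the message is dropped, not quarantined

# The score SpamAssassin writes into X-Spam-Status, e.g. "Yes, score=8.7 required=5.0 tests=..."
_STATUS_RE = re.compile(r"score=(?P<score>-?\d+(?:\.\d+)?)")


def spam_score(raw_message):
    """Return the score SpamAssassin recorded, or None if the header is absent."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    m = _STATUS_RE.search(status)
    return float(m.group("score")) if m else None


def classify(raw_message, required=REQUIRED_SCORE, reject=REJECT_SCORE):
    """Decide 'relay', 'quarantine', 'reject' or 'unscanned'.

    A message without X-Spam-Status never went through the filter (spamd down,
    message over spamc's size limit) and is reported as such rather than
    being treated as clean, so the failure mode is fail-closed.
    """
    score = spam_score(raw_message)
    if score is None:
        return "unscanned"
    if score >= reject:
        return "reject"
    if score >= required:
        return "quarantine"
    return "relay"


def relay_to_exchange(raw_message, host=EXCHANGE_HOST, port=25):
    """Hand a message judged clean to Exchange; envelope is taken from the headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg)


# Constructed sample messages (not real mail), as fetchmail would hand them on
# after spamc has added its headers. Documentation domains throughout.
CLEAN = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: lunch\r\n"
    b"X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00 autolearn=ham\r\n"
    b"\r\nStill on for 12:30?\r\n"
)
SPAMMY = (
    b"From: deals@example.net\r\nTo: bob@example.com\r\nSubject: !!!\r\n"
    b"X-Spam-Status: Yes, score=8.7 required=5.0 tests=BAYES_99,HTML_MESSAGE\r\n"
    b"\r\nBuy now\r\n"
)
OBVIOUS = (
    b"From: x@example.net\r\nTo: bob@example.com\r\nSubject: $$$\r\n"
    b"X-Spam-Status: Yes, score=27.4 required=5.0 tests=BAYES_99,URIBL_BLACK\r\n"
    b"\r\n...\r\n"
)
UNSCANNED = (
    b"From: carol@example.org\r\nTo: bob@example.com\r\nSubject: hi\r\n"
    b"\r\nhello\r\n"
)

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("spammy", SPAMMY),
                      ("obvious", OBVIOUS), ("unscanned", UNSCANNED)]:
        print(f"{name}: {classify(raw)}")
```

The header is the trust boundary here: because the mail arrives from external POP3 servers, a sender can put their own X-Spam-Status: No into a message. SpamAssassin removes pre-existing X-Spam-* headers before writing its own, so the gate must only ever see mail that has actually passed through spamc on this host, which is another reason to treat a missing header as an error rather than as "clean".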
[accepted solution text not included on this page]
Trbonja,

Thanks for the info, I'm favouring 1a as a better solution.

I'm not worried about having extra hardware, but I concede the point about areas of failure. I'm interested in playing with clustering/load balancing with Linux eventually if I get familiar enough with it all. My main thoughts are to keep excessive traffic away from the Exchange box, as the sheer level of SPAM winging its way in is terrible. Most of our email addresses have been around for years, so they've had a bit too much exposure in places.

I'm keen on using a linux firewall solution and IPCop seems to have good support, nice site btw. I knew a guy that had his firewall blacklist any ip address that scans ports that are locked down. I liked the idea, can IPCop do that sort of thing? maybe I should ask a separate q for that.
Sorry for the delay in following this up. I've split the points as suggested as I agree. There never will be a 'right' answer to this question!

Thanks to all who added suggestions