Securing and protecting mail server in small office (spam/virus)

Okay, this one's gonna cause some flak as I'm looking for people's opinions and experiences, so I might have to spread some points around. I realise that everyone is welcome to their opinions, as long as they agree with mine *8-)

Therefore please don't get into flaming each other over better Linux distros, M$ vs *nix, etc.

Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the mail system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA Server. I am a Windows support chap by profession, so I'm going to use Exchange for the main office email system, Outlook will be the preferred client, and Windows 2003 will be used for general file serving, print serving and user authentication.

The method of securing the environment from the big bad internet is still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server, as far as I'm aware).

The email is currently being supplied by a variety of POP3 mailboxes, so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server.

I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange-style webmail interface, as we all know how the vulnerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just that they tend to get a lot of exposure on the net).

So, my initial thoughts were:

Web traffic to the IPCop box that would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definitely blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seemed a nice feature.

IPCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this completely tight as a duck's a*$£ are welcome.

An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the POP3 mailboxes, feed the mail through a decent virus and spam filtering system and then forward it via SMTP to the Exchange server.

Outgoing mail will be delivered straight out to the internet from Exchange directly.

I could also double protect the Exchange server with ISA as I have a legal copy, but I have run out of Windows Server licenses to host it! How much value would there be in putting ISA on the Exchange server to be double protected?? Overkill???

So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. I'm open to anything really, just don't want my office to be!

Many thanks in advance and apologies for the length of this post...
trbonja commented:
Hi there.

1 – Install Exchange 2003 on the green side & install ISA (the server has to have two interfaces to support ISA). The server NIC that points to the green NIC of IPCop will be secured by ISA.
e.g.: IPCop green - secured server NIC 1; "unsecured" server NIC 2
NIC 2 will be used by internal clients (proxy, Outlook…).

1a – Use DMZ/Orange on IPCop & install your server in the orange zone. You can again use ISA (two NICs) or no ISA; in that case a single NIC on that server will do just fine. In this configuration you'll have to set up a few DMZ pinholes to your green network. Or you can go without ISA & with the single NIC.

To secure your Exchange use Mail Marshal. It costs money but this was the best investment in my case. It will work with your virus scanner & filter everything out before email hits Exchange. This software will eliminate the need for the second PC needed for Linux-based filtering – another piece of hardware, another possible point of failure.

If users will be accessing OWA only through the VPN tunnel (using IPCop) there is no need to set up a CA on Server 2003.
But if you'll need access to OWA from anywhere on the net you'll have to: set up a CA on Windows Server 2003.
I would rather invest money into Mail Marshal software & good virus scanner software (I like eTrust InoculateIT) than spend money on a commercial firewall solution.

I'm using IPCop all the time in setups like yours. Also I maintain so if you have any questions on how to set up IPCop, please let me know… here or in our community.

For a small office, your initial proposal sounds way too complicated... not that it is a bad idea, but its complexity is not scaled to the size of the office.

Alternative #1: Install a Pix 501 firewall, enable the "mailguard" feature and run straight-up email and file servers behind it. The Pix is relatively inexpensive and you will get great firewall protection. Unless you have a specific reason to fear being the object of a direct attack, imho this could be sufficient for your needs. Run IIS on the email server to get OWA functionality.

Alternative #2: Beef up alternative #1 by installing ISA on the file server and installing dual NICs, one to connect to the LAN, the other to connect to the mail server. Set up ISA rules to clamp down on allowed traffic to the file server and between the file server and email server. ISA can be a giant pain to configure, so this adds a major layer of complexity, but it also creates a major layer of security.

WRT POP3 mailboxes and Exchange... Exchange can query the POP3 mailboxes for you directly; it's easy to configure and much simpler than trying to collect and send it.

WRT anti-virus...From my personal experience, I like McAfee Groupshield best.

WRT anti-spam...I am using GFI Mail Essentials with great success.

Unless you are going to subscribe to a service that scans your email before it hits the premises (this is pretty expensive), I don't see too much advantage in having a separate box at or behind your firewall. A standalone email server should have no problem keeping up.
arcascomp (Author) commented:
Quetzal, thanks for the reply, interesting ideas.

WRT complexity, I should've stated that I am looking to set this up to be very secure as a pilot for possibly implementing at a larger (more clients anyway) site that is getting serious email traffic, with massive amounts of spam. Also, being a suitably techy geek, any extra complexity becomes a better challenge! Why make life easy :-)

Said larger site is also a charity, so the cheaper option (without incurring excessive amounts of man hours to install, configure and mostly maintain) will always be preferable.

Unless M$ has added a POP3 collector to Exchange 2003, then unfortunately it cannot natively collect from a POP3 box. Only the Small Business Server editions have that kludge installed.

WRT POP3 connector see

If you can stand the higher cost of a Pix 515, you can get a true DMZ, mailguard, and avoid the configuration hassles of ISA... simple to install, very robust.

SonicWall has options for virus and spam filtering, but I don't have personal experience with their products.

Also forgot to mention that Outlook 2003 has a highly touted spam filtering capability, but it does not work when running OL on Terminal Services.

Also, the new (higher) user caps on SBS 2003 make it very attractive and affordable for the small office solution.
arcascomp (Author) commented:
That POP3 connector is not native to Exchange but a commercial add-on. Fetchmail on Unix can do all that for free! Trying to spend less money, not more, if possible :-)

Roughly how much do the Pix firewalls cost?

IPCop is the freeware community's continuation of the original SonicWall product; hopefully some people here will have had some experience of this and can advise accordingly. Might need to ask a similar question in the firewall section as well.

Outlook 2003 does indeed filter spam fairly well, but I prefer to stop spam and viruses at the front door whenever possible. I feel that a local client spam and virus checker should be the final line of defence.

SBS is a single server solution that forces all your eggs into one basket so I'm not keen on that approach. Also my license for that is slated to be used for the internal test system.

Thanks again for your comments.
Quetzal commented:
Pix 501 is about $375 (US), Pix 515 is (ouch) about $3100 (US).

Here is the tradeoff in my mind. If you want to tinker and your time is not a factor in the cost equation, then I am all for freeware. But imho, if you can find commercial products that are known quantities and well-supported, you will spend far less time tinkering. It has often been true for me that when I have tried to skimp on $ in the beginning, I've ended up in the long run spending as much or more than had I simply bitten the bullet in the beginning.

I would also add that WRT firewalls, a hardware-based solution is more robust than a software solution. It is difficult to fully harden an OS against attacks. But there are no "freeware" hardware solutions.

With smaller companies this equation is tricky because cost is a big factor to them (ditto with your charity, I'm sure). But if you factor in the true cost of your time, it may change your perception of the right elements to use.

That said, I've certainly taken the cheaper routes that required more work on my part.  I've learned tons from doing this and have a much better working knowledge of what works and doesn't work and why.  It's also made me appreciate the "nuances" of the more expensive approaches.

WRT SBS as "all your eggs in one basket", let me challenge you as to why you think that way. If you create a reliable, well-maintained, backed-up environment, I would assert that this is a very viable alternative... especially if cost is a concern. All I am saying is that this is a good "template solution" to have in your hip pocket.
arcascomp (Author) commented:
It's really funny reading your response Quetzal, as what you're saying is *exactly* what I would probably answer a question like this with! LOL

I guess what you've said about learning by tinkering is what I hadn't added in originally. I feel I know the land of M$ fairly well, but I know very little about the Linux land and sadly I enjoy these learning experiences :-)

WRT the cheaper SOHO firewalls, many of these are in fact embedded Linux systems, so an older PC and a good stripped-down Linux distro like IPCop is fairly similar on the security level. After all, some of the big commercial firewalls like Checkpoint are only really software solutions.

Hmmmm, well-maintained, backed-up environment........ if only I stopped wasting my time tinkering and concentrated on the obvious! If I learnt from all my mistakes, I'd be over-qualified for this job!

lol. I want to know Linux better too and will be putting up a couple of test boxes soon. It will be interesting to see what other viewpoints you get. WRT my mistakes... 15th time is a charm!
Gabriel Orozco (Solution Architect) commented:
It's not too difficult to install Linux + SpamAssassin and add to it lots of rules that are already out there on the web. Just look for
arcascomp (Author) commented:

Thanks for the info, I'm favouring 1a as a better solution.

I'm not worried about having extra hardware, but I concede the point about areas of failure. I'm interested in playing with clustering/load balancing with Linux eventually if I get familiar enough with it all. My main thought is to keep excessive traffic away from the Exchange box, as the sheer level of SPAM winging its way in is terrible. Most of our email addresses have been around for years, so they've had a bit too much exposure in places.

I'm keen on using a Linux firewall solution and IPCop seems to have good support; nice site btw. I knew a guy that had his firewall blacklist any IP address that scans ports that are locked down. I liked the idea; can IPCop do that sort of thing? Maybe I should ask a separate Q for that.
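The auto-blacklist idea raised in the original post and again just above (block a source that probes locked-down ports more than once) can be checked against the firewall's own drop logs. This is an added example, not code from the thread or from IPCop: a small Python 3 script that parses netfilter/iptables-style log lines (constructed sample data below), counts per-source hits on ports other than the single allowed 443, and lists the sources that crossed the "more than once" threshold together with the DROP rules an operator would review before applying.

```python
import re
from collections import Counter

# Only 443 is forwarded to the OWA box in the proposed design; all else is blocked.
ALLOWED_PORTS = {443}
# "More than once" from the post: the second hit on a blocked port qualifies.
THRESHOLD = 2

# Constructed sample lines in the Linux netfilter LOG target format (assumed
# to resemble what an IPCop box would write to syslog).
SAMPLE_LOG = """\
kernel: IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=25 SYN
kernel: IN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=3389 SYN
kernel: IN=eth1 OUT= SRC=198.51.100.9 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443 SYN
kernel: IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=80 SYN
kernel: IN=eth1 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=UDP SPT=33001 DPT=53
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def blocked_port_hits(log_text):
    """Count, per source IP, how many log lines target a non-allowed port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter packet line
        if int(m.group("dpt")) in ALLOWED_PORTS:
            continue  # legitimate service port (OWA on 443)
        hits[m.group("src")] += 1
    return hits

def blacklist_candidates(log_text, threshold=THRESHOLD):
    """Sorted source IPs that hit blocked ports at least `threshold` times."""
    return sorted(ip for ip, n in blocked_port_hits(log_text).items() if n >= threshold)

def iptables_drop_rules(ips):
    """Render DROP rules for the INPUT and FORWARD chains of a Linux firewall."""
    return ([f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
            + [f"iptables -I FORWARD -s {ip} -j DROP" for ip in ips])

if __name__ == "__main__":
    for rule in iptables_drop_rules(blacklist_candidates(SAMPLE_LOG)):
        print(rule)
```

Because the trigger is only a source address, a shared NAT gateway or a spoofed SYN can get a legitimate address blocked, so expire entries after a set time and keep the VPN peers' addresses on an exemption list.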
arcascomp (Author) commented:
Sorry for the delay in following this up. I've split the points as suggested as I agree. There never will be a 'right' answer to this question!

Thanks to all who added suggestions.