
Email Config on DMZ Exchange 2003 server

Experts!

I am attempting to set up 2 Exchange 2003 servers running on Windows 2003. I have strict security guidelines that I must follow. I must install an external mail server in my DMZ. I must install one on my internal network. The DMZ server must not be able to establish any connections into my internal network. The following info has been edited for security reasons. Mail will come to my DMZ from 10.0.0.1, 10.0.0.2 (Brightmail servers). Port 25 is open to the DMZ. How must the DMZ server be configured to accept mail anonymously and hold it until my internal Exchange server connects using a TURN connection to retrieve mail?

I am new to Exchange and am in dire need of help!

I am also open to using Windows 2003 Server as just an SMTP relay but don't know how to config that either.


Thanks for anything you can do for me
1 Solution
 
wtp_issc commented:
Make it a frontend server

How to: (start from figure 2)
http://www.msexchange.org/tutorials/OWA_Exchange_Server_2003.html

Details
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/febetop.mspx

This way all you need open is port 25, if you want to utilize OWA then open port 443.

 
wtp_issc commented:
Also, making it a frontend pretty much makes it just a relay, since no stores are contained on it.

You may also want to look into an appliance such as McAfee's e500 that scans messages for spam, viruses, and content and can be used as a relay.

http://www.pcmag.com/article2/0,1759,135831,00.asp  Check out the bottom of the article for similar items.
 
jhalde6 (Author) commented:
I cannot make it a front end server because I would have to open ports inbound for that to work. Correct?
 
wtp_issc commented:
Oh wow, sorry I just reread, yup it would need some ports open.

I'm still curious if you made it a front end server, but it only attached when it made that TURN connection, if that'd work OK. I think the mail will sit in both queues until that connection is made. I know you can edit the retry times for outgoing mail before it fails; not sure when the incoming mail would decide to fail or if it just keeps it till the connection is made.

 
Sembee commented:
Get rid of Exchange. You cannot have Exchange in the DMZ with those restrictions. For an Exchange server to function properly it must communicate with the domain - this will mean registry changes and lots of open ports. It also makes the DMZ totally pointless.
If you carry on you will just have two servers with full event logs caused by them failing to communicate.

You will have to use a standalone Windows machine, configured to operate in a workgroup. Onto this you can install Windows' own email service; however, I don't think Windows IIS supports TURN or ETRN. You may have to look at another server product that can queue the email.

Simon.
 
jhalde6 (Author) commented:
Yes, I am now looking at IIS and I don't see TURN or ETRN. Do you know what options I would have to set to connect to the IIS relay?
 
Sembee commented:
Do you mean on Exchange or in IIS?

I don't think IIS is suitable for this task - the requirements are unusual. I have relayed email through a Windows 2003 machine before and it works very well. However, as you have specified that the DMZ mustn't have any connection to production, you will have to look at something else.

My first instinct would be sendmail or something similar. That has relay functionality and supports ETRN. Exchange can do ETRN collection quite happily. It depends where your skill set is, as you are probably looking at a Linux hosted solution.

Simon.
 
jhalde6 (Author) commented:
I don't think I have a skill set :-)  I would love to know how to place Exchange in the DMZ, have it sit there and queue mail, and have my internal mail server do an ETRN/TURN (not sure of the difference) connection to the DMZ server and retrieve mail.
 
Sembee commented:
You cannot put Exchange in the DMZ with the restrictions you have indicated.
Exchange is a domain product - designed to be operated inside a network, not in a DMZ. It needs constant communication with a global catalog domain controller to operate normally. This means opening a lot of ports on the firewall.

I don't actually see what those restrictions do for security. Having the email being delivered to a relay machine in the DMZ then waiting for another machine to come along and collect it is a greater security risk. While that email is sitting on that server waiting for collection any number of applications could scan the queues to see what the content is.

If the client or your employer is insisting on a high security environment that you have indicated then I think you have very little choice other than bringing in external consultants with experience of setting up this type of environment. You said yourself that you are new to Exchange so this type of complex configuration might be out of your depth.
If I was asked to do something similar then it would be heavily researched (not just a question here), then tested before I went close to production use.

As for the difference, TURN sends the email to the host that asked for it, whereas ETRN sends the email to the host that has been prespecified - by MX records I believe. A badly configured TURN server is insecure.

Simon.
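As an added illustration of Simon's distinction between ETRN and TURN (not code from this thread or from any product named in it), here is a small Python model of a DMZ relay queue: ETRN releases a domain's held mail only to the route pre-configured for that domain, while TURN would hand the queue to whichever peer asked, which is why a hardened relay refuses it. The ROUTES table, the peer allow-list and all addresses are constructed placeholders.

```python
# Added example, not from the thread: models the dequeue trigger of a
# store-and-forward relay in the DMZ. All hosts/addresses are placeholders.
import re
from typing import Dict, List, Set, Tuple

# Held messages per recipient domain: domain -> [(sender, recipient), ...]
Queue = Dict[str, List[Tuple[str, str]]]
Result = Tuple[str, str, List[Tuple[str, str]]]  # (SMTP reply, delivery host, released)

# Pre-specified delivery host per domain (stands in for an MX lookup or a
# static route on the relay). Assumed placeholder values.
ROUTES = {"example.com": "mail-internal.example.com"}

DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def queue_message(queue: Queue, sender: str, recipient: str) -> None:
    """Accept a message anonymously on port 25 and hold it by recipient domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    queue.setdefault(domain, []).append((sender, recipient))


def handle_etrn(queue: Queue, arg: str, peer_ip: str, allowed_peers: Set[str]) -> Result:
    """ETRN <domain>: release the domain's queue to its configured route.
    The requesting peer never chooses where the mail goes; it only starts delivery."""
    if peer_ip not in allowed_peers:          # only the internal collector may trigger
        return ("550 ETRN not permitted from this host", "", [])
    if not DOMAIN_RE.match(arg):              # reject garbage before touching the queue
        return ("501 Syntax error in parameters", "", [])
    domain = arg.lower()
    if domain not in ROUTES:                  # RFC 1985: 458 when node is unknown
        return ("458 Unable to queue messages for node " + domain, "", [])
    released = queue.pop(domain, [])
    if not released:
        return ("251 OK, no messages waiting for node " + domain, ROUTES[domain], [])
    reply = "250 OK, %d pending messages for node %s started" % (len(released), domain)
    return (reply, ROUTES[domain], released)


def handle_turn(queue: Queue, peer_ip: str, turn_enabled: bool = False) -> Result:
    """TURN: the relay reverses roles and delivers everything to the peer that asked.
    Because the destination is the caller itself, a relay should leave it disabled."""
    if not turn_enabled:
        return ("502 Command not implemented", "", [])
    released = [m for msgs in queue.values() for m in msgs]   # whole queue, every domain
    queue.clear()
    return ("250 OK", peer_ip, released)       # destination chosen by the requester
```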
 
jhalde6 (Author) commented:
What if the Exchange server in the DMZ was a domain controller for its own domain?
 
jhalde6 (Author) commented:
Also, what then is the value of putting a relay server in the DMZ if you are just going to open port 25 inbound? Seems to me that you should just drop the relay and send mail directly to your internal mail server. I am not trying to sound like an ass, I just really want to learn.
 
wtp_issc commented:
Sembee definitely knows his Exchange; definitely go with his advice over mine.

:) that's my new exchange disclaimer.

Is the company unwilling to change its security policy? If not, ignore the coming link. I'd definitely try to go with something like this: http://www.isaserver.org/articles/2004dmzfebe.html

 
Sembee commented:
Putting an Exchange server in the DMZ, even in its own domain doesn't really help. I don't think Exchange supports ETRN for outbound email, just inbound, so you haven't achieved anything.

The main reason for putting a relay server in the DMZ is twofold.
1. You restrict on your firewall what can send SMTP traffic. Nothing outbound except from the Exchange server, and nothing inbound except from the relay.

2. The relay server has additional software installed - antispam and/or AV. The messages are scanned before they hit Exchange and can be bounced at that point. In a high traffic environment this can make a big difference to the performance of the Exchange server.

If the company is concerned with having their primary Exchange server visible to the Internet, then use a front-end/back-end scenario. The front-end will still be inside the firewall, but it will process the mail before it hits the main database back-end server.

Simon.