Mail server inside the network...Safe?

Hello,

We are a single server network with Exchange server running on the same box. Is it a reckless move to place this server inside the network rather than the DMZ?

Thanks for your input. John

Reply to
John Smith

Yes.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

To add to that... You need a domain controller in order to run Exchange, so you have done one of two things: either you are running SBS and you have installed Exchange on it, or you are running 2003 Server which you have promoted to a domain controller and you installed Exchange on it. Either way, installing Exchange on a domain controller is not a recommended configuration according to Microsoft.

Check out this link it has several other links as to why Microsoft says it is a no no.

formatting link
Never put a domain controller or an Exchange server directly on public name space without using NAT and access lists to control what ports will be allowed open, unless the Exchange server is a front end relaying info to a backend cluster. Even then it is recommended to have a router with some kind of access list to protect it with.

Reply to
Newbie72

Actually this is a brand new network. There will be only one server for some time. This server will be the DC as well as have the Exchange Server 2007 running on it. So, that is why I am not sure where I should put it: in the network or the DMZ.

Can I put this on the DMZ and install a second NIC, one NIC connected to the DMZ and the other to the private network?

Thanks, John

Reply to
John Smith

If your Exchange server is the only Exchange server, and it's a single server for the network, why would you even think that putting it in the DMZ would protect anyone?

Unless you make it a stand-alone DC/Exchange box, with NO CONNECTION to the LAN servers/AD structure, you're going to have to allow replication between it and the LAN, which means that if they hack it, they get the rest of your network.

SBS 2003 runs as a single server DC with Exchange, and it's painless.

If you have a real firewall you can block a lot of countries (unless you need email from them) and your SPAM/AV filter that is EXCHANGE AWARE can protect the store - not to mention that most firewalls can remove bad headers, bad message sizes, bogus headers, and even remove content based on mime type from messages.

So, the server as a DC, in the LAN, is the only place for it - putting it in the DMZ would defeat the reason for having a DMZ.

Reply to
Leythos

Thank you Leythos for making this clear. The server will go in the LAN then. We are not using a SBS, rather Server 2003 64-bit with Exchange 2007.

I actually have ordered a Netscreen SSG5 firewall which comes with UTM and that should block a lot of the stuff.

Thanks again, John

Reply to
John Smith

I've put Exchange servers in the DMZ, when I don't use the normal Exchange connector for Outlook, or when I have a firewall that can create a connection that is initiated by the LAN user to the DMZ - a proxy type connection that only allows the DMZ based email server to reply back to the LAN users when the LAN users contact it first - the firewall has to handle this.

In all cases, I never put an Exchange server or any other DMZ server in an AD/Domain that has to authenticate with the LAN, never, nada, nope, don't do it. If the DMZ devices can authenticate (Domain accounts) with the LAN there is no point in having them in the DMZ.

For secure facilities we do a lot of things one would not really do in a non-secure facility.

Reply to
Leythos

Put the DC into your LAN. Bite the bullet and put another server into the DMZ as a smarthost for your Exchange. That second server doesn't have to be expensive, even a box from a couple years back should suffice if you run e.g. Linux and Postfix on it.

DO NOT EXPOSE YOUR DC TO THE WORLD.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

I have never installed a smarthost so I don't know what its deployment entails. So I would appreciate it if you can point me to some resources on how to implement it.

I am not that thrilled about exposing the DC, so I was originally thinking of assigning a private IP (something like 10.2.2.5) to the Exchange server and using the firewall to forward all SMTP traffic to this server. Do you think this will work?

Thanks, John

Reply to
John Smith

Another thought I have is this:

If I use services of an anti-virus/spam company such as Postini or something similar so I can route all incoming mail from one source, then I can open the firewall to receive mail only from one IP address. Would this not decrease the risk dramatically?

Reply to
John Smith

google://exchange+smarthost

You set up an MTA in the DMZ, then you set up Exchange in the LAN and configure it to use the MTA as its smarthost. That takes care of your outgoing mail. To have Exchange receive incoming mail you also need to set up something to fetch mail from the MTA (e.g. Cygwin's fetchmail). If you have a little Linux/Unix experience it's pretty straightforward.

Which part of "do not expose your DC" did you fail to understand?

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers
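As an added illustration of the DMZ smarthost layout described in this thread (not configuration posted by any participant), here is a Postfix main.cf for the relay box. It assumes the mail domain is example.com, the public relay is mx.example.com at 192.0.2.25, and Exchange sits in the LAN at the 10.2.2.5 address John mentioned; instead of pulling mail with fetchmail, it hands inbound mail straight to Exchange through a transport map, so the only LAN-bound traffic is SMTP to that one host.

```conf
# /etc/postfix/main.cf on the DMZ smarthost (added example; all names and
# addresses below are assumed values, not from the thread)
myhostname = mx.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all

# This box holds no mailboxes and no domain accounts: it only relays.
mydestination =
local_recipient_maps =
local_transport = error:local delivery disabled on relay

# Inbound: accept mail for example.com and pass it to Exchange in the LAN.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
# Reject unknown recipients at the edge so Exchange never sees backscatter.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Outbound: only the Exchange server may use this host as a smarthost.
mynetworks = 127.0.0.0/8, 10.2.2.5/32
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Basic hygiene for an Internet-facing listener.
smtpd_helo_required = yes
disable_vrfy_command = yes
message_size_limit = 20480000

# --- /etc/postfix/transport (run: postmap /etc/postfix/transport) ---
# example.com    smtp:[10.2.2.5]

# --- /etc/postfix/relay_recipients (run: postmap /etc/postfix/relay_recipients) ---
# john@example.com        OK
# postmaster@example.com  OK
```

On the firewall this leaves two SMTP rules: Internet to 192.0.2.25:25, and 192.0.2.25 to 10.2.2.5:25 plus the reverse direction for outbound mail, with Exchange's Send connector pointed at the smarthost; the DC itself is never reachable from outside.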

Don't trust your company's communication to anyone outside your company unless you have a really, REALLY good reason to do so.

Your DC would still be accessible from the outside (though perhaps not as easily), which still is a big no-no.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

If you want a good smarthost, with support try

John


Reply to
John Mason Jr
