It does what IIS does and more. It's adds AV protection and doesn't use IIS at all, it has its own built in SMTP relay. You point your MX record to the realy and from your relay forward to your mail server. From the actual mail server, you forward to the relay. Very simple and straight forward. And you can put the relay box wherever you like (DMZ or internal). Make sure it is just a stand alone server too...
-----Original Message----- From: Cook, Jason [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 5:56 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp So you're saying Interscan Viruswall can do what iis does? Also, how would you set up the mx records for this config. Basically a smtp relay behind a firewall. Jason Cook J.H. Ellwood and Associates Network Administrator [EMAIL PROTECTED] -----Original Message----- From: Ely, Don [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 4:44 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Well for starters, IIS is free versus Imail... I've never used it personally. I've used MS Mail, Groupwise, Exchange, and Sendmail for the most part. If you're just looking for an SMTP relay, IIS is the cheaper way to go. If you know *nix at all, Sendmail is very configurable and would probably be my favorite as a relay. Since we're talking about SMTP relay's, we should also consider A/V as well. Something like Trend Micro's InterScan Viruswall might be a good fit as well bundled with scanmail or even antigen. It really depends on what your end goal is, how you want to get there, and how much it will cost. I wouldn't buy something like Imail if I could have something like the TM solution instead. At least with the TM solution, you get the SMTP relay you're looking for AND you get some A/V protection. Can't go wrong there.... -----Original Message----- From: Cook, Jason [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 5:34 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Don, what do you think of Imail? Say in comparison to iis. Jason Cook J.H. Ellwood and Associates Network Administrator [EMAIL PROTECTED] -----Original Message----- From: Ely, Don [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 4:22 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp You offering me a contract or job? :P Don Ely - NMBOTWBAS and then some [EMAIL PROTECTED] -----Original Message----- From: Schwartz, Jim [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 5:24 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Nope. I leave that type of restricting to the folks that know firewalls. -----Original Message----- From: Ely, Don [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 4:25 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp What? You mean I can limit what happens on my network? Wow.... Don Ely - NMBOTWBAS and then some [EMAIL PROTECTED] -----Original Message----- From: Schwartz, Jim [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 4:24 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Limit the number of connections and limit the size of the mail. Connection reset. Bye-bye. If you're so concerned with not "exposing" your Exchange server directly to the internet, then place a relay server behind your firewall to accept mail from External sources and then pass the mail to your Exchange servers. Anyone trying to get to your relaying server has to go through the firewall and that traffic can be analyzed for any sort of attack that someone may think up (not likely, SMTP has been around for a while). By putting the relaying server in the DMZ (look up what a DMZ does) you have mail sitting out there where it shouldn't be. Any server in the DMZ should be considered expendable. Mail sitting on an expendable server keeps me up at night. -----Original Message----- From: Cook, Jason [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 4:13 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Don, what if I sent you 100,000 messages at the same time? What if your clients configured no limit to messages and I sent you 1,000 messages with 100mb attachments. Internet mail is down. Explain that to the ceo. Jason Cook J.H. Ellwood and Associates Network Administrator [EMAIL PROTECTED] -----Original Message----- From: Ely, Don [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 2:58 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp How the hell can a server be taken down with a DoS to port 25? You don't open the entire exchange server to the internet, only a dumba$$ would do that. All that is required for exchange having external access is port 25. Your theory suggests someone would actually open the entire server up to the world. As a side note, if I want to DoS you, I'm not going to "just" pick your mail server, I'm going to pick your entire network. Don Ely - NMBOTWBAS and then some [EMAIL PROTECTED] -----Original Message----- From: Jon Butler [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 06, 2002 3:53 PM To: Exchange Discussions Subject: RE: lesser of the evils - ssl or smtp Andy & Chris -- I guess our needs here are somehwat different, perhaps. We don't use Exchange in the DMZ (that's ridiculous overkill) but we do have relays out there ... and we lock 'em down to specific ports internally as well. I disagree that it would be "just as harmful as in the DMZ", though ... perform a DoS on a box in the DMZ, you only kill communications through that one box. DoS the Exchange Server, bam -- you just lost ALL email services. Granted, we've got more systems to support, but that's the price we pay for the security and redundancy that comes with it. And Chris, you asked to "demonstrate an exploit" ... we prefer to not wait for one to be demonstrated, but rather do the best we can to preemptively protect ourselves before one is found: use relays in the DMZ, and mix relay products so what exploits one may not be expoitable on another. Have different flavors of antivirus protection at the relay, Exchange, and at the client. Like I said before though, it ain't right for everybody ... it takes some bank to make it happen. Our requirements here are a little more anal than others'. Jon > -----Original Message----- > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > Sent: Thursday, June 06, 2002 3:38 PM > To: Exchange Discussions > Subject: RE: lesser of the evils - ssl or smtp > > > On specific ports? Sure, why not? > > I'd allow 443 to an inside box. It requires authentication and it's > encrypted. Any vulnerability in the application itself would be just > as harmful in the DMZ. > > I'd allow 25 to an inside box. The endpoint is a system that accepts > the mail and scans it for viruses and malicious content. Any > vulnerability in the application would be almost as harmful in the > DMZ. > > As it stands I have half the number of systems to secure in my design > as you do in yours. If we both block 98% of the vulnerabilities on > those systems, you're less secure. I contend that I can do better > than you given fewer systems to focus on. > > Now, I'm not saying that there aren't good uses for a DMZ. There are. > Exchange just isn't one of them. > > -----Original Message----- > From: Jon Butler [mailto:[EMAIL PROTECTED]] > Posted At: Thursday, June 06, 2002 1:53 PM > Posted To: Microsoft Exchange > Conversation: lesser of the evils - ssl or smtp > Subject: RE: lesser of the evils - ssl or smtp > > > So you'd allow "from any" to your inside boxes? That would keep me > awake at night. :) > > > > -----Original Message----- > > From: Webb, Andy [mailto:[EMAIL PROTECTED]] > > Sent: Thursday, June 06, 2002 2:47 PM > > To: Exchange Discussions > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > but you're not talking about a good use of the DMZ. the > DMZ should be > > an end point, not a hop. it doesn't really matter where your SMTP > > virus scanner sits - you should have one, I agree. but on the DMZ > > doesn't really make much difference based on your loose > restrictions > > between the DMZ and the LAN. > > > > OWA also doesn't make much difference. you have to open up rpc > > traffic from the DMZ to the LAN. might as well keep the DMZ more > > secure and put OWA inside. relative security of the LAN is > about the > > same. > > > > now, if you want to discuss multiple physical DMZ segments, perhaps > > it's more interesting, but not much. > > > > there's quite a lot of this discussion in the archives, by > the way. > > no new arguments so far. so, if you want to jump forward > to the end > > of the discussion, look back a couple years. > > > > ======================================================= > > Andy Webb [EMAIL PROTECTED] www.swinc.com > > Simpler-Webb, Inc. Austin, TX 512-322-0071 > > -- Eating XXX Chili at Texas Chili Parlor since 1989 -- > > ======================================================= > > > > > > -----Original Message----- > > From: Jon Butler [mailto:[EMAIL PROTECTED]] > > Posted At: Thursday, June 06, 2002 1:30 PM > > Posted To: Microsoft Exchange > > Conversation: lesser of the evils - ssl or smtp > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > Perhaps I shouldn't have used the term "rule", but rather > perhaps "a > > good security practice." It's better to let the kiddies > play with a > > hardened DMZ bastion then your production Exchange Server ... but I > > also understand that's often not feasible for smaller companies. A > > good security paradigm can take some dough. > > > > > > > -----Original Message----- > > > From: Cook, Jason [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 2:18 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > Seems a little rash mr. butler, a lot of small companies use the > > > scenario presented by Rob Ellis originally. A firewall, a good > > > hardware one anyway is great protection if used effectively. OWA > > > with ssl is a good and secure solution, so I'm curious as > to why you > > > > believe that it's a "rule" to use a dmz? > > > > > > > > > Jason Cook > > > J.H. Ellwood and Associates > > > Network Administrator > > > [EMAIL PROTECTED] > > > > > > > > > -----Original Message----- > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 1:06 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > No, not remote users, server smtp traffic. > > > > > > We are proposing citrix full desktop, OWA for some remote > users, no > > > POP/smtp access for end users. > > > > > > The Webshield I mentioned is as you say, part of TVD. > > > > > > Our design sounds very much like your setup. > > > > > > > > > Regards, > > > > > > > > > Rob Ellis > > > > > > -----Original Message----- > > > From: Mellott, Bill [mailto:[EMAIL PROTECTED]] > > > Sent: 06 June 2002 18:49 > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > Ill throw in .02 > > > > > > Assuming you are referring to allowing remote users to get their > > > e-mail. > > > > > > I'm doing the OWA thing for "remote/roaming" users. > > > I do some Citrix for full desktops. > > > I do NOT allow users to connect to the exch box at this time via > > > SMTP/POP. > > > > > > I do at this time use the Simple Webshield product > bundled with the > > > NIA/Mcafee TVD suite. It does reside on it's own machine. > > > so Internet smtp > webshield > Exch. > > > yes the webshield sit's before Exch box. > > > Yes it provides me with an additional layer of pre exch virus > > > protection...works ok yes it also provides some prefiltering on > > > attachments...sucks...does not go any deeper the first level i.e. > > > FWD> FWD it will miss. > > > Note: Their full blown product webshield APP is supposed to work > > > well..no exp with it, Ill keep my opinions to myself.. > > > > > > If I had to let user(s) directly get to either port 110/POP and > > > port25/smtp to do their e-mail... > > > 1.) I would not ..thats me.. > > > 2.) Forced too only via some secure connection like a VPN. > > > > > > bill > > > > > > PS for those interested I run the AV product to at the file level > > > and scan all files on the exchange box with no exceptions. > > > ;-) > > > > > > -----Original Message----- > > > From: Bendall, Paul [mailto:[EMAIL PROTECTED]] > > > Sent: Thursday, June 06, 2002 1:38 PM > > > To: Exchange Discussions > > > Subject: RE: lesser of the evils - ssl or smtp > > > > > > > > > Okay I'll add another spanner to your works, I would > advise an SMTP > > > relay server on your DMZ but I really wouldn't use McAfee > Webshield. > > > > Why I hear you cry for one it is pretty bad at blocking > viruses and > > > two we have had no end of problems with it crashing or > not sending > > > to certain domains when it gets a DAT update. Why not use > the SMTP > > > component of IIS as your SMTP relay server and then use > ScanMail or > > > Antigen on your Exchange server. Either that or use someone like > > > MessageLabs to outsource your antivirus too. > > > > > > Regards, > > > > > > Paul > > > > > > -----Original Message----- > > > From: Rob Ellis [mailto:[EMAIL PROTECTED]] > > > Sent: 06 June 2002 18:26 > > > To: Exchange Discussions > > > Subject: lesser of the evils - ssl or smtp > > > > > > > > > Ok, I've got a couple of scenarios, which of them is the > > least risky? > > > > > > Exchange 2000 mailbox server on the LAN, accepting/making > > > connections using SMTP through a firewall to the internet > > > > > > Exchange 2000 mailbox server on the LAN, accepting SSL secured OWA > > > connections from the internet, again, protected by a firewall. > > > > > > > > > Basically I am being told I may have to do both with the same box, > > > but I'd rather have the smtp traffic going through a DMZ based > > > gateway running McAfee Webshield, and let the OWA clients > come into > > > the internal box over SSL (which I see as less of a risk than > > > opening up port 25. > > > > > > If you had to choose one of the 2 above scenarios, which > > would it be? > > > > > > Regards, > > > > > > Rob Ellis > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Archives: http://www.swynk.com/sitesearch/search.asp > > > To unsubscribe: mailto:[EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > > > > > > > > > > ---------------------------------------------------------------------- > > > If you have received this e-mail in error or wish to read > our e-mail > > > > disclaimer statement and monitoring policy, please refer to > > > http://www.drkw.com/disc/email/ or contact the sender. > > > > > > ---------------------------------------------------------------------- > > > > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Archives: http://www.swynk.com/sitesearch/search.asp > > > To unsubscribe: mailto:[EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Archives: http://www.swynk.com/sitesearch/search.asp > > > To unsubscribe: mailto:[EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Archives: http://www.swynk.com/sitesearch/search.asp > > > To unsubscribe: mailto:[EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > > > > _________________________________________________________________ > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > > Archives: http://www.swynk.com/sitesearch/search.asp > > > To unsubscribe: mailto:[EMAIL PROTECTED] > > > Exchange List admin: [EMAIL PROTECTED] > > > > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe: mailto:[EMAIL PROTECTED] > > Exchange List admin: [EMAIL PROTECTED] > > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]