I don't understand why you'd put a "sacrificial" system outside the firewall or how that's any better than the same system inside. It just increases the complexity. I haven't seen any place where containment on an internal relay is a problem.
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Posted At: Friday, June 07, 2002 5:59 AM
Posted To: Microsoft Exchange
Conversation: lesser of the evils - ssl or smtp
Subject: RE: lesser of the evils - ssl or smtp

Actually, and I'm not normally one to contradict you, it's best to have an SMTP relay outside the firewall, which in turn forwards to an SMTP relay inside the firewall (with a locked down rule allowing SMTP between those two hosts only), with the internal relay doing virus checking (with Viruswall, for instance), and the internal relay passing off via SMTP to Exchange. I'd skip the internal relay first, but that depends on what the external relay is running (i.e. OS and MTA).

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA

> -----Original Message-----
> From: Baker, Jennifer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 4:07 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> IMO, it is best practice to have an smtp relay server behind a firewall and between your mailbox servers and the internet. Although, I am not sure how he thinks that smtp floods will be avoided with a relay server in place.
>
> -----Original Message-----
> From: Cook, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 12:28 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> Yes! The voice of reason. Ed, you're the shit! That's what I'm saying, OWA with SSL works great. My brother is trying to tell me that you should use sendmail or a border 2k box for smtp relaying to stop smtp floods. What's your take? Expose smtp directly to the internet, through a firewall or not?
>
> Jason Cook
> J.H. Ellwood and Associates
> Network Administrator
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Ed Crowley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 2:25 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> I would agree even to say that OWA with SSL would be a reasonably safe configuration for large organizations. I don't like front-end servers in a DMZ because of the myriad ports you must open between the DMZ and the intranet.
>
> Ed Crowley MCSE+Internet MVP kcCC+I
> Tech Consultant
> hp Services
> Protecting the world from PSTs and Bricked Backups!
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cook, Jason
> Sent: Thursday, June 06, 2002 11:18 AM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> Seems a little rash Mr. Butler, a lot of small companies use the scenario presented by Rob Ellis originally. A firewall, a good hardware one anyway, is great protection if used effectively. OWA with ssl is a good and secure solution, so I'm curious as to why you believe that it's a "rule" to use a dmz?
>
> Jason Cook
> J.H. Ellwood and Associates
> Network Administrator
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:06 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> No, not remote users, server smtp traffic.
>
> We are proposing citrix full desktop, OWA for some remote users, no POP/smtp access for end users.
>
> The Webshield I mentioned is as you say, part of TVD.
>
> Our design sounds very much like your setup.
>
> Regards,
>
> Rob Ellis
>
> -----Original Message-----
> From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
> Sent: 06 June 2002 18:49
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> I'll throw in .02
>
> Assuming you are referring to allowing remote users to get their e-mail.
>
> I'm doing the OWA thing for "remote/roaming" users.
> I do some Citrix for full desktops.
> I do NOT allow users to connect to the exch box at this time via SMTP/POP.
>
> I do at this time use the Simple Webshield product bundled with the NIA/Mcafee TVD suite. It does reside on its own machine.
> so Internet smtp > webshield > Exch.
> yes the webshield sits before the Exch box.
> Yes it provides me with an additional layer of pre-Exch virus protection...works ok. Yes it also provides some prefiltering on attachments...sucks...does not go any deeper than the first level, i.e. FWD> FWD it will miss.
> Note: Their full blown product webshield APP is supposed to work well..no exp with it, I'll keep my opinions to myself..
>
> If I had to let user(s) directly get to either port 110/POP and port 25/smtp to do their e-mail...
> 1.) I would not ..that's me..
> 2.) Forced to, only via some secure connection like a VPN.
>
> bill
>
> PS for those interested I run the AV product too at the file level and scan all files on the exchange box with no exceptions.
> ;-)
>
> -----Original Message-----
> From: Bendall, Paul [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 06, 2002 1:38 PM
> To: Exchange Discussions
> Subject: RE: lesser of the evils - ssl or smtp
>
> Okay I'll add another spanner to your works, I would advise an SMTP relay server on your DMZ but I really wouldn't use McAfee Webshield. Why, I hear you cry? For one, it is pretty bad at blocking viruses and two, we have had no end of problems with it crashing or not sending to certain domains when it gets a DAT update. Why not use the SMTP component of IIS as your SMTP relay server and then use ScanMail or Antigen on your Exchange server. Either that or use someone like MessageLabs to outsource your antivirus to.
>
> Regards,
>
> Paul
>
> -----Original Message-----
> From: Rob Ellis [mailto:[EMAIL PROTECTED]]
> Sent: 06 June 2002 18:26
> To: Exchange Discussions
> Subject: lesser of the evils - ssl or smtp
>
> Ok, I've got a couple of scenarios, which of them is the least risky?
>
> Exchange 2000 mailbox server on the LAN, accepting/making connections using SMTP through a firewall to the internet
>
> Exchange 2000 mailbox server on the LAN, accepting SSL secured OWA connections from the internet, again, protected by a firewall.
>
> Basically I am being told I may have to do both with the same box, but I'd rather have the smtp traffic going through a DMZ based gateway running McAfee Webshield, and let the OWA clients come into the internal box over SSL (which I see as less of a risk than opening up port 25).
>
> If you had to choose one of the 2 above scenarios, which would it be?
>
> Regards,
>
> Rob Ellis
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
>
> ----------------------------------------------------------------------
> If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
> ----------------------------------------------------------------------
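As an added illustration of the two-relay layout Roger describes (example code written for this page, not anything from the thread or the products named in it), here is a small first-match firewall policy checker in Python. The zone names, port numbers and the three rule sets are constructed; it audits Roger's design, the single-box scenario from the original question, and a rule set where a broad allow placed above the relay-to-relay rule silently widens the "between those two hosts only" lock-down.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone/host names for the mail path discussed in the thread.
INTERNET, EXT_RELAY, INT_RELAY, EXCHANGE = "internet", "ext-relay", "int-relay", "exchange"
SMTP = 25


@dataclass(frozen=True)
class Rule:
    src: str              # named host/zone, or "any"
    dst: str              # named host/zone, or "any"
    port: Optional[int]   # None matches any port
    allow: bool


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; falling off the end is a deny (default-deny)."""
    for r in rules:
        if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (None, port):
            return r.allow
    return False


def audit_mail_path(rules: List[Rule]) -> List[str]:
    """Return the invariants of the two-relay design that this rule set violates (empty = OK)."""
    ok = lambda s, d: evaluate(rules, s, d, SMTP)
    findings = []
    if not (ok(INTERNET, EXT_RELAY) and ok(EXT_RELAY, INT_RELAY) and ok(INT_RELAY, EXCHANGE)):
        findings.append("mail path internet -> ext-relay -> int-relay -> exchange is broken")
    if ok(INTERNET, EXCHANGE):
        findings.append("exchange accepts SMTP directly from the internet")
    if ok(INTERNET, INT_RELAY):
        findings.append("int-relay accepts SMTP directly from the internet")
    if ok(EXT_RELAY, EXCHANGE):
        findings.append("ext-relay can bypass the virus-checking relay")
    return findings


# Roger's design: only the external relay is reachable from the internet on 25,
# only the external relay may talk to the internal relay on 25, and nothing else inbound.
TWO_RELAY = [
    Rule(INTERNET, EXT_RELAY, SMTP, True),
    Rule(EXT_RELAY, INT_RELAY, SMTP, True),
    Rule(INT_RELAY, EXCHANGE, SMTP, True),
    Rule("any", "any", None, False),
]
# The single-box scenario from the original question: Exchange itself listens on 25.
FLAT = [Rule(INTERNET, EXCHANGE, SMTP, True), Rule("any", "any", None, False)]
# Same rules as TWO_RELAY, but a broad allow above them shadows the relay-to-relay lock-down.
MISORDERED = [Rule("any", INT_RELAY, SMTP, True)] + TWO_RELAY
```

Running `audit_mail_path` over each set is the check: the two-relay policy returns no findings, the flat one reports Exchange exposed and the relay path missing, and the mis-ordered one shows that rule order alone can undo the lock-down.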