Shorewall users - Feb 2003 - Exchange Server in DMZ

I would like to place an exchange 5.5 server in my DMZ.

Can anyone tell me how I can set this up to allow LAN clients to be able to
connect to Exchange and also so I can admin the box from the LAN with
Terminal Services?

Thank you.

> -----Original Message-----
> From: Randy Millis
> Sent: Tuesday, February 25, 2003 9:15 PM
> Subject: [Shorewall-users] Exchange Server in DMZ
> 
> 
> I would like to place an exchange 5.5 server in my DMZ.
So your wanting to live life dangerously by placing an exchange server in a
publicly accessible zone. I don''t know why, but the term sleep
depravation
comes to mind here. :-)
> 
> Can anyone tell me how I can set this up to allow LAN clients 
> to be able to connect to Exchange and also so I can admin the
> box from the LAN with Terminal Services?
Microsoft has written many articles about this subject. Try searching
microsoft.com for "exchange+firewall". The required registry changes
(rpc
stuff) and ports required are listed in most of these articles.

FWIW: I run exchange 5.5 here (in my loc zone) but front-end this exchange
server with a linux server running sendmail/spamassassin in my DMZ. I simply
configured sendmail to relay all inbound e-mail for my domains to the
exchange server. A simple one-line mailertable entry per domain was all that
was required. My shorewall rules for this design are also quite simple:

# Allow inbound e-mail from internet to sendmail server.
DNAT     net     dmz:192.168.8.2   tcp     smtp 

# Allow inbound e-mail to be relayed to exchange
# server (192.168.9.2) after being processed by SA
ACCEPT   dmz     loc:192.168.9.2   tcp     smtp

# Allow sendmail to send DSN''s
ACCEPT   dmz     net               tcp     smtp

# Allow exchange to send DSN''s. Policy loc->net set to accept
REJECT:info     loc:!192.168.9.2   net   tcp     25

On a side note... in the last month my dmz server has been subjected to
three DoS type attacks against the smtp port. One time I actually had to
bounce sendmail to start the flow of e-mail again. Grrr! My point being --
given Microsoft''s'' poor history regarding DoS type attacks,
there is no
telling what would have happened had these attacks been launched against
Exchange''s MTA (IMC).

Steve Cowles

Let me tell you, I know how bad an Exchange server gets when it is
accessable from the Inet.. We have been working 20hr days for a week
straight to clean up that mess.. I would suggest you re-think that approach.

-Bill

----- Original Message -----
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, February 26, 2003 6:28 AM
Subject: RE: [Shorewall-users] Exchange Server in DMZ

> > -----Original Message-----
> > From: Randy Millis
> > Sent: Tuesday, February 25, 2003 9:15 PM
> > Subject: [Shorewall-users] Exchange Server in DMZ
> >
> >
> > I would like to place an exchange 5.5 server in my DMZ.
>
> So your wanting to live life dangerously by placing an exchange server in
a
> publicly accessible zone. I don''t know why, but the term sleep
depravation
> comes to mind here. :-)
>
> >
> > Can anyone tell me how I can set this up to allow LAN clients
> > to be able to connect to Exchange and also so I can admin the
> > box from the LAN with Terminal Services?
>
> Microsoft has written many articles about this subject. Try searching
> microsoft.com for "exchange+firewall". The required registry
changes (rpc
> stuff) and ports required are listed in most of these articles.
>
> FWIW: I run exchange 5.5 here (in my loc zone) but front-end this exchange
> server with a linux server running sendmail/spamassassin in my DMZ. I
simply
> configured sendmail to relay all inbound e-mail for my domains to the
> exchange server. A simple one-line mailertable entry per domain was all
that
> was required. My shorewall rules for this design are also quite simple:
>
> # Allow inbound e-mail from internet to sendmail server.
> DNAT     net     dmz:192.168.8.2   tcp     smtp
>
> # Allow inbound e-mail to be relayed to exchange
> # server (192.168.9.2) after being processed by SA
> ACCEPT   dmz     loc:192.168.9.2   tcp     smtp
>
> # Allow sendmail to send DSN''s
> ACCEPT   dmz     net               tcp     smtp
>
> # Allow exchange to send DSN''s. Policy loc->net set to accept
> REJECT:info     loc:!192.168.9.2   net   tcp     25
>
> On a side note... in the last month my dmz server has been subjected to
> three DoS type attacks against the smtp port. One time I actually had to
> bounce sendmail to start the flow of e-mail again. Grrr! My point being --
> given Microsoft''s'' poor history regarding DoS type
attacks, there is no
> telling what would have happened had these attacks been launched against
> Exchange''s MTA (IMC).
>
> Steve Cowles
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

--On Wednesday, February 26, 2003 06:37:44 AM -0600 "i-hacked.com" 
<hevnsnt@i-hacked.com> wrote:
> Let me tell you, I know how bad an Exchange server gets when it is
> accessable from the Inet.. We have been working 20hr days for a week
> straight to clean up that mess.. I would suggest you re-think that
> approach.
>
Didn''t Randy say that he simply wanted LAN users to be able to access
the
Exchange server and that he wanted to be able to administer the server from 
the LAN? I don''t believe that he mentioned opening it up for net
access.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

> > I would like to place an exchange 5.5 server in my DMZ.
>
> So your wanting to live life dangerously by placing an exchange server in
a
> publicly accessible zone. I don''t know why, but the term sleep
depravation
> comes to mind here. :-)
Not tooo dangerously. I hope. :-) All I am opengn from the internet is smtp.
> Microsoft has written many articles about this subject. Try searching
> microsoft.com for "exchange+firewall". The required registry
changes (rpc
> stuff) and ports required are listed in most of these articles.
Ok. I will look at that.
> FWIW: I run exchange 5.5 here (in my loc zone) but front-end this exchange
> server with a linux server running sendmail/spamassassin in my DMZ. I
simply
> configured sendmail to relay all inbound e-mail for my domains to the
> exchange server. A simple one-line mailertable entry per domain was all
that
> was required. My shorewall rules for this design are also quite simple:
Do you have an example of the mailertable entry? I''m not a good
sendmail
cook.:-)

I will look over yoru rules below for this and fire you any questions I
have.
> # Allow inbound e-mail from internet to sendmail server.
> DNAT     net     dmz:192.168.8.2   tcp     smtp
>
> # Allow inbound e-mail to be relayed to exchange
> # server (192.168.9.2) after being processed by SA
> ACCEPT   dmz     loc:192.168.9.2   tcp     smtp
>
> # Allow sendmail to send DSN''s
> ACCEPT   dmz     net               tcp     smtp
>
> # Allow exchange to send DSN''s. Policy loc->net set to accept
> REJECT:info     loc:!192.168.9.2   net   tcp     25
>
> On a side note... in the last month my dmz server has been subjected to
> three DoS type attacks against the smtp port. One time I actually had to
> bounce sendmail to start the flow of e-mail again. Grrr! My point being --
> given Microsoft''s'' poor history regarding DoS type
attacks, there is no
> telling what would have happened had these attacks been launched against
> Exchange''s MTA (IMC).
Hmmmm..... food for though.... Maybe your idea is a better one...

> Let me tell you, I know how bad an Exchange server gets when it is
> accessable from the Inet.. We have been working 20hr days for a week
> straight to clean up that mess.. I would suggest you re-think that
approach.

I am rethinking it... Tell me more?

I would put the Postfix MTA with Spamassassin & virus scanning in that 
DMZ.  Reason:  Postfix is about as secure as a mailer can be, and very 
easy to configure. I have done many similar setups where postfix takes 
the mail, scans it for viruses & spam and then forwards it to Exchange 
inside.

If you need recipies for the postfix conf, I can probably give a hand.

Tim

Randy Millis wrote:
>>Let me tell you, I know how bad an Exchange server gets when it is
>>accessable from the Inet.. We have been working 20hr days for a week
>>straight to clean up that mess.. I would suggest you re-think that
>>    
>>
>approach.
>
>I am rethinking it... Tell me more?
>
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe:
http://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
>  
>

--On Wednesday, February 26, 2003 11:33:08 AM -0700 Randy Millis 
<rmillisl@mailhost.isa-geek.net> wrote:
>> --On Wednesday, February 26, 2003 06:37:44 AM -0600
"i-hacked.com"
>> <hevnsnt@i-hacked.com> wrote:
>>
>> > Let me tell you, I know how bad an Exchange server gets . . .
>
>> Didn''t Randy say that he simply wanted LAN users to be able to
access the
>> Exchange server and that he wanted to be able to administer the server
> from
>> the LAN? I don''t believe that he mentioned opening it up for
net access.
>
>
> Yes that''s correct. Access for the LAN and just SMTP from the
Internet.
>
Ah -- but it is in that last part (SMTP to the net) where the pain lies...

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

--On Wednesday, February 26, 2003 10:40:36 AM -0800 Tim Sutinen 
<tim@sutinen.com> wrote:
> I would put the Postfix MTA with Spamassassin & virus scanning in that
> DMZ.  Reason:  Postfix is about as secure as a mailer can be, and very
> easy to configure. I have done many similar setups where postfix takes
> the mail, scans it for viruses & spam and then forwards it to Exchange
> inside.
>
> If you need recipies for the postfix conf, I can probably give a hand.
>
There''s also good Postfix configuration info at:

	http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

I can also offer advise about setting up Postfix with Spamassassin and 
Vexira MailArmor.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

> -----Original Message-----
> From: Randy Millis
> Sent: Wednesday, February 26, 2003 12:30 PM
> Subject: Re: [Shorewall-users] Exchange Server in DMZ
> 
> 
> > > I would like to place an exchange 5.5 server in my DMZ.
> >
> > So your wanting to live life dangerously by placing an 
> > exchange server in a publicly accessible zone. I don''t know
> > why, but the term sleep depravation comes to mind here. :-)
> 
> Not tooo dangerously. I hope. :-) All I am opengn from the 
> internet is smtp.
I only have smtp open from the internet too. But I would rather have a unix
based mta listening on port 25, then exchange''s mta (IMC). Again, I get
back
to Microsofts track record in this area. Plus my desire to sleep.
> 
> > Microsoft has written many articles about this subject. Try 
> > searching microsoft.com for "exchange+firewall". The
required
> > registry changes (rpc stuff) and ports required are listed in
> > most of these articles.
> 
> Ok. I will look at that.
> 
> > FWIW: I run exchange 5.5 here (in my loc zone) but 
> > front-end this exchange server with a linux server running
> > sendmail/spamassassin in my DMZ. I simply configured
> > sendmail to relay all inbound e-mail for my domains to the
> > exchange server. A simple one-line mailertable entry per 
> > domain was all that was required. My shorewall rules for
> > this design are also quite simple:
> 
> Do you have an example of the mailertable entry? I''m not a 
> good sendmail cook.:-)
Sure... from  /etc/mail/mailertable

stevecowles.com  esmtp:smtp.stevecowles.com

if you do not have an entry in either /etc/hosts or a dns server that
returns an rfc1918 address for the fqdn of your exchange server (smtp... in
my case), then you can use the following syntax for the rfc1918 ip address

stevecowles.com  esmtp:[192.168.9.2]

Note the use of brackets.
> 
> I will look over yoru rules below for this and fire you any 
> questions I have.
No problem!
> 
> > # Allow inbound e-mail from internet to sendmail server.
> > DNAT     net     dmz:192.168.8.2   tcp     smtp
> >
> > # Allow inbound e-mail to be relayed to exchange
> > # server (192.168.9.2) after being processed by SA
> > ACCEPT   dmz     loc:192.168.9.2   tcp     smtp
> >
> > # Allow sendmail to send DSN''s
> > ACCEPT   dmz     net               tcp     smtp
> >
> > # Allow exchange to send DSN''s. Policy loc->net set to
accept
> > REJECT:info     loc:!192.168.9.2   net   tcp     25
> >
> > On a side note... in the last month my dmz server has been 
> > subjected to three DoS type attacks against the smtp port.
> > One time I actually had to bounce sendmail to start the flow
> > of e-mail again. Grrr! My point being -- given
Microsoft''s''
> > poor history regarding DoS type attacks, there is no
> > telling what would have happened had these attacks been 
> > launched against Exchange''s MTA (IMC).
> 
> Hmmmm..... food for though.... Maybe your idea is a better one...
YMMV, but it works here. Plus I have been running this configuration for
years without a single break-in or being used as an open relay (knocks on
wood!)

DoS attacks are tuff to defend against. Fortunately, sendmails load
averaging feature disables connections so most of the time sendmail can
unwind from a DoS attack gracefully without restarting. i.e. from the last
DoS attack...

Feb 16 04:30:10 excelsior sendmail[498]: rejecting connections
on daemon MTA: load average: 85
Feb 16 04:30:10 excelsior sendmail[498]: rejecting connections
on daemon MTA: load average: 45
Feb 16 04:30:24 excelsior sendmail[498]: rejecting connections
on daemon MTA: load average: 35
Feb 16 04:30:39 excelsior sendmail[498]: rejecting connections
on daemon MTA: load average: 27
Feb 16 04:30:54 excelsior sendmail[498]: rejecting connections
on daemon MTA: load average: 21
Feb 16 04:31:09 excelsior sendmail[498]: accepting connections
again for daemon MTA

I then added the entire netblock of this asshole''s ISP to my shorewall
blacklist file.

Steve Cowles

I''m going to be in this same situation very soon myself.

We currently have our web host maintaining our email and we just connect to
our individual pop boxes.  Am I correct in my thinking that I can setup
shorewall to ONLY accept port 25/110 connections from a specific IP and then
forward them to the exchange box??

Thanks

Jayson wrote:
> I''m going to be in this same situation very soon myself.
> 
> We currently have our web host maintaining our email and we just connect to
> our individual pop boxes.  Am I correct in my thinking that I can setup
> shorewall to ONLY accept port 25/110 connections from a specific IP and
then
> forward them to the exchange box??
> 
Presumably, your web host will forward using port 25. Restricting 
connections by source IP is the topic of FAQ 24 
(http://www.shorewall.net/FAQ.htm#faq24).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net