I would like to place an Exchange 5.5 server in my DMZ. Can anyone tell me how I can set this up to allow LAN clients to be able to connect to Exchange and also so I can admin the box from the LAN with Terminal Services? Thank you.
> -----Original Message-----
> From: Randy Millis
> Sent: Tuesday, February 25, 2003 9:15 PM
> Subject: [Shorewall-users] Exchange Server in DMZ
>
> I would like to place an exchange 5.5 server in my DMZ.

So you're wanting to live life dangerously by placing an Exchange server in a publicly accessible zone. I don't know why, but the term sleep deprivation comes to mind here. :-)

> Can anyone tell me how I can set this up to allow LAN clients
> to be able to connect to Exchange and also so I can admin the
> box from the LAN with Terminal Services?

Microsoft has written many articles about this subject. Try searching microsoft.com for "exchange+firewall". The required registry changes (RPC stuff) and ports required are listed in most of these articles.

FWIW: I run Exchange 5.5 here (in my loc zone) but front-end this Exchange server with a Linux server running sendmail/SpamAssassin in my DMZ. I simply configured sendmail to relay all inbound e-mail for my domains to the Exchange server. A simple one-line mailertable entry per domain was all that was required. My Shorewall rules for this design are also quite simple:

# Allow inbound e-mail from internet to sendmail server.
DNAT net dmz:192.168.8.2 tcp smtp

# Allow inbound e-mail to be relayed to exchange
# server (192.168.9.2) after being processed by SA
ACCEPT dmz loc:192.168.9.2 tcp smtp

# Allow sendmail to send DSN's
ACCEPT dmz net tcp smtp

# Allow exchange to send DSN's. Policy loc->net set to accept
REJECT:info loc:!192.168.9.2 net tcp 25

On a side note... in the last month my DMZ server has been subjected to three DoS type attacks against the SMTP port. One time I actually had to bounce sendmail to start the flow of e-mail again. Grrr! My point being -- given Microsoft's poor history regarding DoS type attacks, there is no telling what would have happened had these attacks been launched against Exchange's MTA (IMC).

Steve Cowles
Let me tell you, I know how bad an Exchange server gets when it is accessible from the Inet.. We have been working 20hr days for a week straight to clean up that mess.. I would suggest you re-think that approach.

-Bill

----- Original Message -----
From: "Cowles, Steve" <Steve@SteveCowles.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, February 26, 2003 6:28 AM
Subject: RE: [Shorewall-users] Exchange Server in DMZ

> > I would like to place an exchange 5.5 server in my DMZ.
>
> So you're wanting to live life dangerously by placing an Exchange server in a
> publicly accessible zone. I don't know why, but the term sleep deprivation
> comes to mind here. :-)
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
--On Wednesday, February 26, 2003 06:37:44 AM -0600 "i-hacked.com" <hevnsnt@i-hacked.com> wrote:

> Let me tell you, I know how bad an Exchange server gets when it is
> accessible from the Inet.. We have been working 20hr days for a week
> straight to clean up that mess.. I would suggest you re-think that
> approach.

Didn't Randy say that he simply wanted LAN users to be able to access the Exchange server and that he wanted to be able to administer the server from the LAN? I don't believe that he mentioned opening it up for net access.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
> > I would like to place an exchange 5.5 server in my DMZ.
>
> So you're wanting to live life dangerously by placing an Exchange server in a
> publicly accessible zone. I don't know why, but the term sleep deprivation
> comes to mind here. :-)

Not tooo dangerously. I hope. :-) All I am opening from the internet is SMTP.

> Microsoft has written many articles about this subject. Try searching
> microsoft.com for "exchange+firewall". The required registry changes (RPC
> stuff) and ports required are listed in most of these articles.

Ok. I will look at that.

> FWIW: I run Exchange 5.5 here (in my loc zone) but front-end this Exchange
> server with a Linux server running sendmail/SpamAssassin in my DMZ. I simply
> configured sendmail to relay all inbound e-mail for my domains to the
> Exchange server. A simple one-line mailertable entry per domain was all that
> was required. My Shorewall rules for this design are also quite simple:

Do you have an example of the mailertable entry? I'm not a good sendmail cook. :-)

I will look over your rules below for this and fire you any questions I have.

> # Allow inbound e-mail from internet to sendmail server.
> DNAT net dmz:192.168.8.2 tcp smtp
>
> # Allow inbound e-mail to be relayed to exchange
> # server (192.168.9.2) after being processed by SA
> ACCEPT dmz loc:192.168.9.2 tcp smtp
>
> # Allow sendmail to send DSN's
> ACCEPT dmz net tcp smtp
>
> # Allow exchange to send DSN's. Policy loc->net set to accept
> REJECT:info loc:!192.168.9.2 net tcp 25
>
> On a side note... in the last month my DMZ server has been subjected to
> three DoS type attacks against the SMTP port. One time I actually had to
> bounce sendmail to start the flow of e-mail again. Grrr! My point being --
> given Microsoft's poor history regarding DoS type attacks, there is no
> telling what would have happened had these attacks been launched against
> Exchange's MTA (IMC).

Hmmmm..... food for thought.... Maybe your idea is a better one...
> Let me tell you, I know how bad an Exchange server gets when it is
> accessible from the Inet.. We have been working 20hr days for a week
> straight to clean up that mess.. I would suggest you re-think that
> approach.

I am rethinking it... Tell me more?
I would put the Postfix MTA with SpamAssassin & virus scanning in that DMZ. Reason: Postfix is about as secure as a mailer can be, and very easy to configure. I have done many similar setups where Postfix takes the mail, scans it for viruses & spam and then forwards it to Exchange inside.

If you need recipes for the Postfix conf, I can probably give a hand.

Tim

Randy Millis wrote:

>> Let me tell you, I know how bad an Exchange server gets when it is
>> accessible from the Inet.. We have been working 20hr days for a week
>> straight to clean up that mess.. I would suggest you re-think that
>> approach.
>
> I am rethinking it... Tell me more?
--On Wednesday, February 26, 2003 11:33:08 AM -0700 Randy Millis <rmillisl@mailhost.isa-geek.net> wrote:

>> --On Wednesday, February 26, 2003 06:37:44 AM -0600 "i-hacked.com"
>> <hevnsnt@i-hacked.com> wrote:
>>
>> > Let me tell you, I know how bad an Exchange server gets . . .
>>
>> Didn't Randy say that he simply wanted LAN users to be able to access the
>> Exchange server and that he wanted to be able to administer the server from
>> the LAN? I don't believe that he mentioned opening it up for net access.
>
> Yes that's correct. Access for the LAN and just SMTP from the Internet.

Ah -- but it is in that last part (SMTP to the net) where the pain lies...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
--On Wednesday, February 26, 2003 10:40:36 AM -0800 Tim Sutinen <tim@sutinen.com> wrote:

> I would put the Postfix MTA with SpamAssassin & virus scanning in that
> DMZ. Reason: Postfix is about as secure as a mailer can be, and very
> easy to configure. I have done many similar setups where Postfix takes
> the mail, scans it for viruses & spam and then forwards it to Exchange
> inside.
>
> If you need recipes for the Postfix conf, I can probably give a hand.

There's also good Postfix configuration info at:

http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

I can also offer advice about setting up Postfix with SpamAssassin and Vexira MailArmor.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
> -----Original Message-----
> From: Randy Millis
> Sent: Wednesday, February 26, 2003 12:30 PM
> Subject: Re: [Shorewall-users] Exchange Server in DMZ
>
> > > I would like to place an exchange 5.5 server in my DMZ.
> >
> > So you're wanting to live life dangerously by placing an
> > Exchange server in a publicly accessible zone. I don't know
> > why, but the term sleep deprivation comes to mind here. :-)
>
> Not tooo dangerously. I hope. :-) All I am opening from the
> internet is SMTP.

I only have SMTP open from the internet too. But I would rather have a Unix-based MTA listening on port 25 than Exchange's MTA (IMC). Again, I get back to Microsoft's track record in this area. Plus my desire to sleep.

> > Microsoft has written many articles about this subject. Try
> > searching microsoft.com for "exchange+firewall". The required
> > registry changes (RPC stuff) and ports required are listed in
> > most of these articles.
>
> Ok. I will look at that.
>
> > FWIW: I run Exchange 5.5 here (in my loc zone) but
> > front-end this Exchange server with a Linux server running
> > sendmail/SpamAssassin in my DMZ. I simply configured
> > sendmail to relay all inbound e-mail for my domains to the
> > Exchange server. A simple one-line mailertable entry per
> > domain was all that was required. My Shorewall rules for
> > this design are also quite simple:
>
> Do you have an example of the mailertable entry? I'm not a
> good sendmail cook. :-)

Sure... from /etc/mail/mailertable

stevecowles.com esmtp:smtp.stevecowles.com

If you do not have an entry in either /etc/hosts or a DNS server that returns an RFC1918 address for the FQDN of your Exchange server (smtp... in my case), then you can use the following syntax for the RFC1918 IP address:

stevecowles.com esmtp:[192.168.9.2]

Note the use of brackets.

> I will look over your rules below for this and fire you any
> questions I have.

No problem!

> > # Allow inbound e-mail from internet to sendmail server.
> > DNAT net dmz:192.168.8.2 tcp smtp
> >
> > # Allow inbound e-mail to be relayed to exchange
> > # server (192.168.9.2) after being processed by SA
> > ACCEPT dmz loc:192.168.9.2 tcp smtp
> >
> > # Allow sendmail to send DSN's
> > ACCEPT dmz net tcp smtp
> >
> > # Allow exchange to send DSN's. Policy loc->net set to accept
> > REJECT:info loc:!192.168.9.2 net tcp 25
> >
> > On a side note... in the last month my DMZ server has been
> > subjected to three DoS type attacks against the SMTP port.
> > One time I actually had to bounce sendmail to start the flow
> > of e-mail again. Grrr! My point being -- given Microsoft's
> > poor history regarding DoS type attacks, there is no
> > telling what would have happened had these attacks been
> > launched against Exchange's MTA (IMC).
>
> Hmmmm..... food for thought.... Maybe your idea is a better one...

YMMV, but it works here. Plus I have been running this configuration for years without a single break-in or being used as an open relay (knocks on wood!)

DoS attacks are tough to defend against. Fortunately, sendmail's load averaging feature disables connections so most of the time sendmail can unwind from a DoS attack gracefully without restarting. i.e. from the last DoS attack...

Feb 16 04:30:10 excelsior sendmail[498]: rejecting connections on daemon MTA: load average: 85
Feb 16 04:30:10 excelsior sendmail[498]: rejecting connections on daemon MTA: load average: 45
Feb 16 04:30:24 excelsior sendmail[498]: rejecting connections on daemon MTA: load average: 35
Feb 16 04:30:39 excelsior sendmail[498]: rejecting connections on daemon MTA: load average: 27
Feb 16 04:30:54 excelsior sendmail[498]: rejecting connections on daemon MTA: load average: 21
Feb 16 04:31:09 excelsior sendmail[498]: accepting connections again for daemon MTA

I then added the entire netblock of this asshole's ISP to my Shorewall blacklist file.

Steve Cowles
I'm going to be in this same situation very soon myself.

We currently have our web host maintaining our email and we just connect to our individual POP boxes. Am I correct in my thinking that I can set up Shorewall to ONLY accept port 25/110 connections from a specific IP and then forward them to the Exchange box??

Thanks
Jayson wrote:

> I'm going to be in this same situation very soon myself.
>
> We currently have our web host maintaining our email and we just connect to
> our individual POP boxes. Am I correct in my thinking that I can set up
> Shorewall to ONLY accept port 25/110 connections from a specific IP and then
> forward them to the Exchange box??

Presumably, your web host will forward using port 25. Restricting connections by source IP is the topic of FAQ 24 (http://www.shorewall.net/FAQ.htm#faq24).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
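The pieces of the thread, pulled together as one worked configuration: the front-end relay design Steve posted (Shorewall rules plus a sendmail mailertable entry), the load-average throttling behind the "rejecting connections" lines in his log excerpt, and the per-source-IP restriction Jayson asks about. This is an editor-added example, not any poster's actual files. The zone names and RFC1918 addresses follow Steve's rules; `example.com` stands in for a real mail domain, `203.0.113.10` (a documentation address) stands in for the upstream host's real IP, the admin rule for the relay is an assumption about how the box is managed, and the throttle values are illustrative rather than taken from the thread.

```text
# ---- /etc/shorewall/rules (example; zones net, dmz, loc as in Steve's post) ----
#ACTION       SOURCE              DEST                PROTO   DEST PORT(S)
# Inbound mail from the whole Internet to the DMZ relay.
DNAT          net                 dmz:192.168.8.2     tcp     smtp
# Jayson's case instead: accept SMTP only from the upstream host that forwards
# our mail. Other net sources never match and fall through to the net->dmz
# policy (normally DROP), so leave exactly one of these two DNAT lines active.
#DNAT         net:203.0.113.10    dmz:192.168.8.2     tcp     smtp
# Relay -> Exchange after SpamAssassin; this is the only dmz->loc hole.
ACCEPT        dmz                 loc:192.168.9.2     tcp     smtp
# Relay may send DSNs and outbound mail to the Internet.
ACCEPT        dmz                 net                 tcp     smtp
# Only Exchange may talk SMTP outbound from the LAN (loc->net policy ACCEPT
# assumed, as in Steve's setup); everything else on the LAN is rejected and logged.
REJECT:info   loc:!192.168.9.2    net                 tcp     25
# Assumed: the relay is administered over SSH from the LAN only.
ACCEPT        loc                 dmz:192.168.8.2     tcp     22

# ---- /etc/mail/mailertable on the relay ----
# Route the domain to Exchange by RFC1918 address; brackets suppress the MX lookup.
example.com   esmtp:[192.168.9.2]

# ---- /etc/mail/relay-domains on the relay ----
# mailertable only routes; sendmail still answers "Relaying denied" for the
# domain unless relaying to it is authorised here (or via the access db).
example.com

# ---- /etc/mail/sendmail.mc fragments on the relay ----
FEATURE(`mailertable')dnl
dnl Load-average throttling: above QUEUE_LA mail is queued rather than delivered,
dnl above REFUSE_LA new connections are refused (the "rejecting connections"
dnl lines in the log). Values are illustrative.
define(`confQUEUE_LA', `8')dnl
define(`confREFUSE_LA', `12')dnl
dnl Cap concurrent daemon children and per-second connection rate so a flood
dnl cannot exhaust the box before the load-average check kicks in.
define(`confMAX_DAEMON_CHILDREN', `40')dnl
define(`confCONNECTION_RATE_THROTTLE', `5')dnl

# ---- rebuild and check before restarting ----
#   makemap hash /etc/mail/mailertable < /etc/mail/mailertable
#   m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
#   shorewall check && shorewall restart
```

Two checks worth doing once this is in place: from a LAN host other than Exchange, `telnet` to port 25 of an Internet address should be rejected (and show up in the firewall log because of `:info`), which confirms the LAN cannot bypass the relay; and from the relay, an SMTP session with `RCPT TO:<user@example.com>` must be accepted while `RCPT TO:<user@other-domain.invalid>` gets "Relaying denied", which confirms the relay-domains list, not the mailertable, is what bounds relaying.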