Exchange, DMZ, SMTP, STEALTH MODE

[Javy1]

Hey Guys,

Have a few question for you. Is it a good idea to put a exchange box in a DMZ? It's this more secure than having port 25 open for SMTP? How vulnerable is this port? Is it easy to hack? Is is possible to put this port into a stealth mode in a Cisco Firewall? I really hate seem that port open every time I do a scan of my exchange box ip address.

Thanks,

Javy

 

[forbsy]

Why don't you look at a front-end back-end exchange topology? In this scenerio you have your front-end box(es) sitting between an outer firewall and your back-end exchange box(es).
Your firewall lets port 25 through to your FE server(s) and requests are passed through to your BE box(es) that home your mailboxes. You could even place another firewall in between your FE box and your BE box for added security.
You'll have to research all the required ports to be opened on your firewall for these setups.

-Forbsy

 

[kballiger]

It also depends on your cisco firewall topology. does your PIX have more then an inside and outside interface? Depending on model you can have up to 8. If so then put your front end server in a DMZ on the PIX and nat the DMZ to the outside opening only the ports needed ( SMTP, HTTP, POP3, HTTPS). This way if your server is compromised its by itself and you dont have your orgainizations active directory exposed. Check Microsoft for info on how to deploy a front server.

 

[s686]

Another way is to set up Postfix as SMTP gateway.
Additional you will be able to set up antyvirus software on it and additional rules. A lot of incoming SMTP trafic can be filtered before it come to exchange.