I am currently trying to implement an Exchange 2000 server and it was suggested by a friend that I put a SuSE box between the internet and Exchange. He suggested having Postfix relay incoming mail only to the Exchange box and then allow Exchange to send out its mail through the firewall (Watchguard). Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to allow https traffic to my Exchange server.

My question is, is this plan feasible? And does anyone know if there is a how-to out there for this type of configuration? I've never set up Postfix or these Apache modules so I am hoping to find out if it's possible since I don't have a lot of time to set this up due to the launch date of Exchange.

Thanks and I apologize if this isn't totally on topic,

Eric
> I am currently trying to implement an Exchange 2000 server and it was suggested by a friend that I put a SuSE box between the internet and Exchange. He suggested having Postfix relay incoming mail only to the Exchange box and then allow Exchange to send out its mail through the firewall (Watchguard).

I've implemented this in my company and it is relatively easy. But we use two relay servers (+ MX entries), to make the relay redundant (of course Exchange is not, but at least the relay :)

> Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to allow https traffic to my Exchange server.

I did this with Squid. The 3.0 version has a special feature called "front_end_https", which is needed if the OWA doesn't use https (which is ok, in the LAN).

> My question is, is this plan feasible? And does anyone know if there is a how-to out there for this type of configuration? I've never set up Postfix or these Apache modules so I am hoping to find out if it's possible since I don't have a lot of time to set this up due to the launch date of Exchange.

Yes, it is absolutely feasible! But I wouldn't do it with Apache. In any case, don't forget regular updates of BOTH machines using Windows Update and fou4s/YOU.
Markus

--
Markus Gaugusch, markus(at)gaugusch.at
ASCII Ribbon Campaign: Against HTML Mail
Markus,

Great!!! Do you know of any good books on Squid 3.0? or any docs out there that explain how to do this? Setting up SSL is new to me in general so I want to make sure I can get a decent understanding of how Squid would work in this situation. Would the SSL session just get transparently forwarded to the Exchange box? or would there have to be some sort of authentication on the SuSE box for Squid to let it through?

Thanks again!!

Eric

Markus Gaugusch wrote:
> > I am currently trying to implement an Exchange 2000 server and it was suggested by a friend that I put a SuSE box between the internet and Exchange. He suggested having Postfix relay incoming mail only to the Exchange box and then allow Exchange to send out its mail through the firewall (Watchguard).
>
> I've implemented this in my company and it is relatively easy. But we use two relay servers (+ MX entries), to make the relay redundant (of course Exchange is not, but at least the relay :)
>
> > Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to allow https traffic to my Exchange server.
>
> I did this with Squid. The 3.0 version has a special feature called "front_end_https", which is needed if the OWA doesn't use https (which is ok, in the LAN).
>
> > My question is, is this plan feasible? And does anyone know if there is a how-to out there for this type of configuration? I've never set up Postfix or these Apache modules so I am hoping to find out if it's possible since I don't have a lot of time to set this up due to the launch date of Exchange.
>
> Yes, it is absolutely feasible! But I wouldn't do it with Apache. In any case, don't forget regular updates of BOTH machines using Windows Update and fou4s/YOU.
>
> Markus
On Feb 5, Eric Kahklen <eric@kahklen.com> wrote:
> Do you know of any good books on Squid 3.0? or any docs out there that explain how to do this?

I can send you my config file by private mail.

> Setting up SSL is new to me in general so I want to make sure I can get a decent understanding of how Squid would work in this situation.

I use tinyca (a gtk-perl application for Linux with GUI) for creating certificates. It's really easy with that :-)

> Would the SSL session just get transparently forwarded to the Exchange box? or would there have to be some sort of authentication on the SuSE box for Squid to let it through?

No, because that would make everything senseless. Squid terminates the SSL connection to the client and talks in cleartext to the Exchange box. Squid does some sanity checking on the URLs to prevent "bad" commands from reaching the Exchange server.

In fact, I'd recommend to enable IMAP on the Exchange box and use something like Horde/IMP webmail and NOT IIS/OWA. Apart from the calendar, everything works fine (even the address book over LDAP!). Our users have had more complaints about OWA web interface (especially when using Internet Explorer(!)) than with Horde :)

To get IMAP running smoothly, there is an option on the Exchange server that you should enable for the, because it slows down mailbox listing a lot (it's something about "calculate exact size for each mail").

But, as someone else suggested, if there is ANY way to prevent using MS Exchange, DO IT!! It's just a pain in the ass ... Our server doesn't even start without manual intervention because the antivirus services (McAfee) are not ready when started as service, so Exchange can't start automatically.

Virus scanning is also done on the relay servers, which I would also recommend to you (as well as spam checking with SpamAssassin), especially in an Outlook/Exchange environment ...

Markus

--
Markus Gaugusch, markus(at)gaugusch.at
ASCII Ribbon Campaign: Against HTML Mail
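The reverse-proxy arrangement described in the message above (TLS ends on the proxy, plain HTTP to OWA on the LAN, URL filtering in front of IIS), as an added example that is not the poster's configuration. It uses the directive spellings of released Squid 3.x, where the feature is the `cache_peer` option `front-end-https`; the host name, address, file paths and the list of OWA virtual directories are assumptions.

```conf
# squid.conf on the SuSE proxy (constructed example)
# owa.example.com, 192.0.2.10 and the certificate paths are placeholders.

# Terminate TLS from Internet clients on the proxy.
https_port 443 accel cert=/etc/squid/owa.example.com.pem key=/etc/squid/owa.example.com.key defaultsite=owa.example.com

# Exchange/IIS on the LAN, reached over plain HTTP.
# front-end-https=on adds the "Front-End-Https: On" request header so that
# OWA generates https:// links although it is contacted over http.
# login=PASS forwards the client's credentials to IIS unchanged.
cache_peer 192.0.2.10 parent 80 0 no-query originserver front-end-https=on login=PASS name=exchange

# Forward only the published host name and the OWA virtual directories
# (assumed here: /exchange, /exchweb, /public); everything else is refused
# on the proxy and never reaches IIS.
acl owa_host dstdomain owa.example.com
acl owa_path urlpath_regex -i ^/exchange(/|$) ^/exchweb/ ^/public(/|$)
http_access allow owa_host owa_path
http_access deny all

# Requests go to the Exchange peer only, never directly to other origins.
cache_peer_access exchange allow owa_host
cache_peer_access exchange deny all
never_direct allow all

# Mailbox pages are per-user; keep them out of the proxy cache.
cache deny all
```

With this layout the firewall only needs to pass TCP 443 to the proxy, and the proxy is the only host allowed to reach port 80 on the Exchange server.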
Quoting Eric Kahklen <eric@kahklen.com>:
> I am currently trying to implement an Exchange 2000 server and it was suggested by a friend that I put a SuSE box between the internet and Exchange. He suggested having Postfix relay incoming mail only to the Exchange box and then allow Exchange to send out its mail through the firewall (Watchguard). Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to allow https traffic to my Exchange server. My question is, is this plan feasible? And does anyone know if there is a how-to out there for this type of configuration? I've never set up Postfix or these Apache modules so I am hoping to find out if it's possible since I don't have a lot of time to set this up due to the launch date of Exchange.

1) I am required to suggest to you that you simply use the SuSE box for mail and web. It is just a better policy.

2) If #1 is infeasible, the mail part of the above should work fine. I use a Postfix box to scan incoming mail for viruses before sending it to the real mail server for storage and retrieval (in my case, it's a matter of delegation of resources, not a matter of the mail server sucking).

3) Perhaps someone else can help you with the web part, but as I understand it, proxying SSL connections isn't feasible... though, I suppose you could have the SuSE box talk SSL to the client while IIS talks to SuSE in the clear...

I would really like to stress #1, though. Just running proper internet services on a decent server is much easier than mucking about with proxying and whatnot.
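An inbound-only Postfix relay of the kind discussed in this thread, as an added example that is not taken from any poster's setup. The domain, host name, Exchange address and mailbox addresses are placeholders, and the recipient map goes beyond what the thread describes.

```conf
# ---- /etc/postfix/main.cf on the SuSE relay (constructed example) ----
# example.com, relay.example.com and 192.0.2.10 are placeholders.
# Comments must be on their own lines; main.cf has no trailing comments.

myhostname = relay.example.com

# Nothing is delivered locally on the relay.
mydestination =
local_recipient_maps =

# Only the relay itself may submit mail for arbitrary destinations.
# Exchange sends outbound through the firewall, so it is not listed here.
mynetworks = 127.0.0.0/8

# Accept mail for the company domain only, and hand it to Exchange.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients during the SMTP dialogue instead of
# accepting the mail and bouncing it later.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Anything not addressed to relay_domains is refused.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# ---- /etc/postfix/transport ----
# Square brackets suppress the MX lookup and deliver straight to the host.
example.com    smtp:[192.0.2.10]:25

# ---- /etc/postfix/relay_recipients ----
# One line per valid Exchange mailbox (constructed addresses).
alice@example.com    OK
bob@example.com      OK
```

Both map files have to be compiled with `postmap` before Postfix is reloaded, and the recipient list must be kept in step with the mailboxes that exist on Exchange.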
-----Original Message-----
From: suse@rio.vg [mailto:suse@rio.vg]
Sent: 05 February 2004 16:23
To: suse-security@suse.com
Subject: Re: [suse-security] Protecting Exchange with Suse proxy & postfixrelay

> Quoting Eric Kahklen <eric@kahklen.com>:
>
> > I am currently trying to implement an Exchange 2000 server
>
> 1) I am required to suggest to you that you simply use the SuSE box for mail and web. It is just a better policy.
>
> I would really like to stress #1, though. Just running proper internet services on a decent server is much easier than mucking about with proxying and whatnot.

You might be forgetting all that an Exchange server can do, it's not just about email. If someone wants to replace an Exchange server with a SuSE Linux alternative, I think the SuSE people would probably suggest buying SuSE Linux OpenExchange Server. I don't know exactly what Exchange servers _do_ do, so I can't say if the SLOX solution is complete or appropriate, even if your time scale _did_ allow you to change at this stage.

Tom.
Eric Kahklen wrote:
> I am currently trying to implement an Exchange 2000 server and it was suggested by a friend that I put a SuSE box between the internet and Exchange. He suggested having Postfix relay incoming mail only to the Exchange box and then allow Exchange to send out its mail through the firewall (Watchguard). Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to allow https traffic to my Exchange server. My question is, is this plan feasible? And does anyone know if there is a how-to out there for this type of configuration? I've never set up Postfix or these Apache modules so I am hoping to find out if it's possible since I don't have a lot of time to set this up due to the launch date of Exchange.
>
> Thanks and I apologize if this isn't totally on topic,
>
> Eric

Check out the website www.postfix.org as well as their mailing list (Google Groups); this subject has been discussed in great detail.
participants (5): Eric Kahklen, Markus Gaugusch, pheonix1t, suse@rio.vg, Tom Knight