[nmglug] POP3 Server::Request for Info
luis pena
glyph_dtd at yahoo.com
Wed Mar 14 15:06:34 PDT 2007
Jason,
The main reason for using an intermediate mail server was to protect our internal exchange server. If we have a POP3 box on the DMZ and someone exploits it, all they have access to is that box and not the entire network (correct me if I am wrong).

Jason Schaefer <js at jasonschaefer.com> wrote:
> I could be missing something here, but why use an intermediate mail
> server? Why not just use exchange?

luis pena wrote:
> Sorry everyone about the blank email as well.
>
> Ed,
>
> You are correct in your three assumptions:
> > - allow users to get mail via pop3s or https from outside the firewall
> > - not allow internet access to internal exchange server
> > - use linux amap (as much as possible)
>
> Also, after a couple days of research I concur:
> > The real problem is the organization's choice to use exchange.
>
> The exchange system has been designed to "not play well" with others.
> I have come to the conclusion that this endeavor may be fruitless and
> a waste of precious time. Again I will reiterate - the problem is
> exchange. I thank you, gentlemen, for your time and comments.
>
> Luis Pena
>
>
> "Edward F. Brown" wrote:
>
> Sorry for the empty mail. Also, I didn't respond to the ldap question.
> Looking for more info about how 'outlook webmail' handled active directory
> authentication led me to this site:
> http://systembash.com/content/outlook-web-access-apache-proxy/
> which says that 'Outlook Web Access', or OWA, has to run on the exchange
> server itself. But it does offer a way to configure apache to be a proxy.
> You might also look at this site:
> http://www.debian-administration.org/articles/411
>
> -Ed
>
>
> On Sat, March 10, 2007 2:00 pm, Edward F. Brown wrote:
> > Luis,
> >
> > So correct this if it's wrong. You want to:
> > - allow users to get mail via pop3s or https from outside the firewall
> > - not allow internet access to internal exchange server
> > - use linux amap (as much as possible)
> >
> > Not sure this is really practical. Webmail can present or make mail
> > available to users, when it actually resides on a separate server, the
> > exchange server in this case. (Squirrelmail uses imap behind the scenes
> > for this.) But I don't think you can 'front-end' mail in this sense via
> > pop. You're really talking about having two different mail servers, and I
> > don't think you can, or would want to try, to do this. The issues involved
> > in keeping mailboxes synchronized, for example, would just be too weird.
> >
> > The real problem is the organization's choice to use exchange. It just
> > isn't suitable to make mail available to untrusted networks via any other
> > means than a webmail interface. Users should be required to vpn in if
> > webmail is inadequate (which also allows use of other exchange services -
> > calendar etc.)
> >
> > The good news is the barracuda/sonicwall will provide some protection by
> > prefiltering mail before it gets delivered to the exchange server, and
> > prevents direct connection from the internet to port 25 there, acting as a
> > kind of proxy.
> >
> > So maybe you can host the web interface on a linux box, but I'm not even
> > sure about that, not being familiar with the 'outlook' webmail server you
> > mention. I guess if it runs on apache, you're good to go.
> >
> > hth,
> > Ed
> >
> >
> >
> > On Sat, March 10, 2007 10:57 am, luis pena wrote:
> >> I work in a Windoze house, constantly looking for a way to integrate
> >> Linux.
> >> I finally have my chance and would like to pose some questions to the
> >> community on the subject of firewalls and POP3.
> >>
> >> First let me start w/ an overview of my network. We are 18 nodes
> >> connected via T1/partial T1's on a Frame Relay network. We are using
> >> Cisco routers and our firewall is a Cisco PIX. We are in the process of
> >> switching over to a new domain and upgrading our firewall to include a
> >> spam filtration (Barracuda/Sonicwall). Be advised I am aware of the
> >> numerous solutions available in the Open Source realm... alas, I do not
> >> make the final decision on hardware purchases.
> >>
> >> We have an exchange 2003 server and a 2003 domain controller that
> >> provides internal authentication and email services. One of the
> >> features of exchange is outlook web access (similar to squirrel mail)
> >> which allows people outside of our internal network to check the email.
> >>
> >> I have been tasked with finding a solution for configuring a POP3 server
> >> to sit in the DMZ of the firewall. This server will provide several
> >> functions:
> >> - Serve up Outlook Web Access on an Apache Server (which will require
> >>   communications with the LDAP-based active directory?)
> >> - Be configured to have the exchange server initiate the opening of
> >>   port 25 on the POP3 server to download email. It is preferred that
> >>   incoming mail be housed on the POP3 server after hitting the spam
> >>   filtration device.
> >>
> >> Here are my questions:
> >> - Is the solution of placing a POP3 server in the DMZ my best option for
> >>   protecting my exchange server and serving up web access to email?
> >> - Are there any items that I have not considered?
> >> - Will I need LDAP running on Linux boxen to "talk" to active directory
> >> - What would be the best way to set up a testing sandbox (ad hoc,
> >>   through the PIX, etc...)
> >>
> >> Thanks to Ed Brown for pointing me towards dovecot as a solution for my
> >> POP3 needs. I hope I have been clear and have provided enough
> >> information... I am still learning. Thank you in advance.
> >>
> >> _______________________________________________
> >> nmglug mailing list
> >> nmglug at nmglug.org
> >> http://www.nmglug.org/mailman/listinfo/nmglug