Jason,<br><br>The main reason for using an intermediate mail server was to protect our internal exchange server. If we have a POP3 box on the DMZ and someone exploits it, all they have access to is that box and not the entire network (correct me if I am wrong). <br><br><b><i>Jason Schaefer &lt;js@jasonschaefer.com&gt;</i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> I could be missing something here, but why use an intermediate mail <br>server? Why not just use exchange?<br><br><br><br><br>luis pena wrote:<br>> Sorry everyone about the blank email as well.<br>><br>> Ed,<br>><br>> You are correct in your three assumptions:<br>> > - allow users to get mail via pop3s or https from outside the firewall<br>> > - not allow internet access to internal exchange server<br>> > - use linux amap (as much as possible)<br>><br>> Also, after a couple days of research I
concur:<br>> > The real problem is the organization's choice to use exchange.<br>><br>> The exchange system has been designed to "not play well" with others. <br>> I have come to the conclusion that this endeavor may be fruitless and <br>> a waste of precious time. Again I will reiterate - the problem is <br>> exchange. I thank you, gentlemen, for your time and comments.<br>><br>> Luis Pena<br>><br>><br>> */"Edward F. Brown" <ebrown@lanl.gov>/* wrote:<br>><br>> Sorry for the empty mail. Also, I didn't respond to the ldap question.<br>> Looking for more info about how 'outlook webmail' handled active<br>> directory<br>> authentication led me to this site:<br>> http://systembash.com/content/outlook-web-access-apache-proxy/<br>> which says that 'Outlook Web Access', or OWA, has to run on the<br>> exchange<br>> server itself. But it does offer a way to configure apache to be
a<br>> proxy.<br>> You might also look at this site:<br>> http://www.debian-administration.org/articles/411<br>><br>> -Ed<br>><br>><br>> On Sat, March 10, 2007 2:00 pm, Edward F. Brown wrote:<br>> > Luis,<br>> ><br>> > So correct this if it's wrong. You want to:<br>> > - allow users to get mail via pop3s or https from outside the<br>> firewall<br>> > - not allow internet access to internal exchange server<br>> > - use linux amap (as much as possible)<br>> ><br>> > Not sure this is really practical. Webmail can present or make mail<br>> > available to users, when it actually resides on a separate<br>> server, the<br>> > exchange server in this case. (Squirrelmail uses imap behind the<br>> scenes<br>> > for this.) But I don't think you can 'front-end' mail in this<br>> sense via<br>> >
pop. You're really talking about having two different mail<br>> servers, and I<br>> > don't think you can, or would want to try, to do this. The issues<br>> involved in<br>> > keeping mailboxes synchronized, for example, would just be too<br>> weird.<br>> ><br>> > The real problem is the organization's choice to use exchange.<br>> It just<br>> > isn't suitable to make mail available to untrusted networks via<br>> any other<br>> > means than a webmail interface. Users should be required to vpn<br>> in if<br>> > webmail is inadequate (which also allows use of other exchange<br>> services -<br>> > calendar etc.)<br>> ><br>> > The good news is the barracuda/sonicwall will provide some<br>> protection by<br>> > prefiltering mail before it gets delivered to the exchange<br>> server, and<br>> > prevents
direct connection from the internet to port 25 there,<br>> acting as a<br>> > kind of proxy.<br>> ><br>> > So maybe you can host the web interface on a linux box, but I'm<br>> not even<br>> > sure about that, not being familiar with the 'outlook' webmail<br>> server you<br>> > mention. I guess if it runs on apache, you're good to go.<br>> ><br>> > hth,<br>> > Ed<br>> ><br>> ><br>> ><br>> > On Sat, March 10, 2007 10:57 am, luis pena wrote:<br>> >> I work in a Windoze house, constantly looking for a way to integrate<br>> >> Linux.<br>> >> I finally have my chance and would like to pose some questions<br>> to the<br>> >> community on the subject of firewalls and POP3.<br>> >><br>> >> First let me start w/ an overview of my network. We are 18 nodes<br>>
>> connected<br>> >> via T1/partial T1's on a Frame Relay network. We are using<br>> Cisco routers<br>> >> and our firewall is a Cisco PIX. We are in the process of<br>> switching over<br>> >> to a new domain and upgrading our firewall to include a spam<br>> filtration<br>> >> (Barracuda/Sonicwall). Be advised I am aware of the numerous<br>> solutions<br>> >> available in the Open Source realm... alas, I do not make the final<br>> >> decision on hardware purchases.<br>> >><br>> >> We have an exchange 2003 server and a 2003 domain controller that<br>> >> provides<br>> >> internal authentication and email services. One of the features of<br>> >> exchange is<br>> >> outlook web access (similar to squirrel mail) which allows people<br>> >> outside<br>> >> of our
internal network to check the email.<br>> >><br>> >> I have been tasked with finding a solution for configuring a<br>> POP3 server<br>> >> to sit in the DMZ of the firewall. This server will provide several<br>> >> functions:<br>> >> - Serve up Outlook Web Access on an Apache Server (which will<br>> require<br>> >> communications with the LDAP-based active directory?)<br>> >> - Be configured to have the exchange server initiate the opening<br>> of port 25<br>> >> on the POP3 server to download email. It is preferred that<br>> incoming<br>> >> mail<br>> >> be housed on the POP3 server after hitting the spam filtration<br>> device.<br>> >><br>> >> Here are my questions:<br>> >> - Is the solution of placing a POP3 server in the DMZ my best<br>> option for<br>>
>> protecting my exchange server and serving up web access to email?<br>> >> - Are there any items that I have not considered?<br>> >> - Will I need LDAP running on Linux boxen to "talk" to active<br>> directory<br>> >> - What would be the best way to set up a testing sandbox (ad hoc,<br>> >> through<br>> >> the PIX, etc...)<br>> >><br>> >> Thanks to Ed Brown for pointing me towards dovecot as a<br>> solution for my<br>> >> POP3 needs. I hope I have been clear and have provided enough<br>> >> information... I am still learning. Thank you in advance.<br>> >><br>> >> _______________________________________________<br>> >> nmglug mailing list<br>> >> nmglug@nmglug.org<br>> >> http://www.nmglug.org/mailman/listinfo/nmglug<br></ebrown@lanl.gov></blockquote><br><p>