web-based email and POP/IMAP access

Craig White plug-discuss@lists.plug.phoenix.az.us
20 Feb 2003 15:41:10 -0700


On Thu, 2003-02-20 at 14:37, Scott H wrote:
> > From: Scott H <scottlhenderson@yahoo.com>
> > I have an Exchange server for company mail for about 1400 users.  My
> > boss wants web-based email and POP/IMAP access from the Internet.  He
> > agrees with me putting Exchange and Outlook Web Access out there is
> > not a good idea, from a security standpoint.  So we're looking for a
> > good OSS solution.  I know I can use products like squirrelmail and
> > Horde's IMP to provide a web-based email front end, but how can I
> > provide POP/IMAP clients access to their Exchange mailboxes, without
> > opening up ports to the Exchange box?  Is there OSS software that
> > will do this?
> >
> > From: "Brian Tafoya" <btafoya@briantafoya.com>
> > Yeah... it is called Sendmail! ;-)
> > Now, if the web server running Squirrelmail (which is what I use)
> > and the exchange server are behind a firewall, that is not an issue.
> > Just open ports 80/443 to the web server and keep the IMAP and POP
> > ports blocked. :)
> > Brian Tafoya
> >
> >
> > From: Mike Starke <meg@lilly.csoft.net>
> > I had a similar situation and here is how I had it configured:
> > 1. Debian/Apache (SSL) running IMP on the Intranet side
> >    (complete w/LDAP to addressbook)
> > 2. OpenBSD Firewall that redirected port 443 to server in #1
> > 3. #1 was on same LAN as Exchange, so they played happily together.
> > Never had a problem.
> > <snip>
> > Mike
> 
> I can see from the responses I got on this
> question that I am obviously missing something. 
> How is it sendmail, squirrelmail, and IMP are all
> being recommended to handle (in addition to
> operating as a web-based front end) IMAP/POP
> proxying in front of an Exchange server?  How do
> I configure these to proxy POP or IMAP requests?
> (i.e. the user is out on the Internet, with a POP
> or IMAP client, the mail is inside the company,
> on an Exchange server - I want the client to
> connect through our firewall to a Linux box in
> the DMZ that will handle/proxy all the POP/IMAP
> requests between the client and the Exchange
> server inside on the LAN. The reason for this
> config is in order to not have to open the
> Exchange box to direct connects from the
> Internet, for security reasons). If this can be
> done with any regular mail server, my preference
> would be postfix, as I have experience with it. 
> Hope this is clear, and thanks again, 
> 
> Scott
> 
----
You need to learn about this - a dmz cannot be allowed to create
communications to anywhere on the local lan, thus, it would never serve
to have a webmail solution on a dmz with the primary mail server on a
local lan...that would be dumb.

Exchange server is a sophisticated and expensive mail system and if the
company is already invested in it, they should maximize their investment
and use it.

I think that you are making too much of this. If it were me, I would
have a firewall that forwards all incoming port 80 & 443 to the Exchange
server and let it service it. I would also have it running OWA - Outlook
Web Access and that would be the only way I would allow mail access from
offsite. Thus offsite POP3 & IMAP requests would be stopped by the
firewall.

I would have this firewall receive inbound mail for the domain, probably
process it with spam filtering/procmail recipe filtering etc. and then
forward the mail to the Exchange Server for local delivery.

I think you are trying to make this overly complicated.

Craig
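
The firewall constraints stated in this thread (no DMZ-initiated connections to the LAN, only ports 80 and 443 forwarded in from the Internet, offsite POP3/IMAP stopped at the firewall), written as a small audit over iptables-save style FORWARD rules. This is an added example, not part of the original message; the interface names, the zone mapping and both rule sets are constructed for illustration.

```python
import shlex

# Assumed interface-to-zone mapping (constructed; not from the thread).
ZONES = {"eth0": "internet", "eth1": "dmz", "eth2": "lan"}
MAIL_CLIENT_PORTS = {110, 143, 993, 995}  # POP3, IMAP, IMAPS, POP3S
WEB_PORTS = {80, 443}

# Constructed rule sets: the layout asked about in the question, and the reply's.
PROXY_IN_DMZ = """
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 143 -j ACCEPT
"""
OWA_ONLY = """
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 443 -j ACCEPT
"""

def parse_rule(line):
    """(src, dst, ports) for a simple numeric-port ACCEPT rule, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "FORWARD"]:
        return None
    opts = dict(zip(tok[2::2], tok[3::2]))  # plain 'option value' pairs only
    if opts.get("-j") != "ACCEPT" or "--dport" not in opts:
        return None
    lo, _, hi = opts["--dport"].partition(":")  # "110" or a range "110:143"
    ports = set(range(int(lo), int(hi or lo) + 1))
    return ZONES.get(opts.get("-i")), ZONES.get(opts.get("-o")), ports

def audit(ruleset):
    """List (finding, rule) pairs for rules that break the thread's constraints."""
    findings = []
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        src, dst, ports = rule
        if src == "dmz" and dst == "lan":
            findings.append(("dmz-initiates-to-lan", line))
        elif src == "internet" and ports & MAIL_CLIENT_PORTS:
            findings.append(("pop-imap-open-to-internet", line))
        elif src == "internet" and dst == "lan" and not ports <= WEB_PORTS:
            findings.append(("unexpected-port-forwarded-to-lan", line))
    return findings

if __name__ == "__main__":
    for name, rules in (("PROXY_IN_DMZ", PROXY_IN_DMZ), ("OWA_ONLY", OWA_ONLY)):
        print(name, [kind for kind, _ in audit(rules)])
```

Inbound SMTP does not appear in either rule set because the reply has the firewall itself receive mail and relay it, which is INPUT/OUTPUT traffic rather than FORWARD.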