Re web-based email and POP/IMAP access front end for Exchange server

Scott H plug-discuss@lists.plug.phoenix.az.us
Tue, 25 Feb 2003 15:08:18 -0800 (PST)


On Thu, 2003-02-20 at 14:37, Scott H wrote:
> > From: Scott H <scottlhenderson@yahoo.com>
> > I have an Exchange server for company mail for
> > about 1400 users.  My boss wants web-based email
> > and POP/IMAP access from the Internet.  He agrees
> > with me putting Exchange and Outlook Web Access
> > out there is not a good idea, from a security
> > standpoint.  So we're looking for a good OSS
> > solution.  I know I can use products like
> > squirrelmail and Horde's IMP to provide a
> > web-based email front end, but how can I provide
> > POP/IMAP clients access to their Exchange
> > mailboxes, without opening up ports to the
> > Exchange box?  Is there OSS software that will
> > do this?
> >
> > From: "Brian Tafoya" <btafoya@briantafoya.com>
> > Yeah... it is called Sendmail! ;-)
> > Now, if the web server running Squirrelmail
> > (which is what I use) and the exchange server
> > are behind a firewall, that is not an issue.
> > Just open ports 80/443 to the web server and
> > keep the IMAP and POP ports blocked. :)
> > Brian Tafoya
> >
> >
> > From: Mike Starke <meg@lilly.csoft.net>
> > I had a similar situation and here is how I had
> > it configured:
> > 1. Debian/Apache (SSL) running IMP on the
> >    Intranet side (complete w/LDAP to addressbook)
> > 2. OpenBSD Firewall that redirected port 443 to
> >    server in #1
> > 3. #1 was on same LAN as Exchange, so they
> >    played happily together.
> > Never had a problem.
> > <snip>
> > Mike
> 
> I can see from the responses I got on this
> question that I am obviously missing something.
> How is it sendmail, squirrelmail, and IMP are all
> being recommended to handle (in addition to
> operating as a web-based front end) IMAP/POP
> proxying in front of an Exchange server?  How do
> I configure these to proxy POP or IMAP requests?
> (i.e. the user is out on the Internet, with a POP
> or IMAP client, the mail is inside the company,
> on an Exchange server - I want the client to
> connect through our firewall to a Linux box in
> the DMZ that will handle/proxy all the POP/IMAP
> requests between the client and the Exchange
> server inside on the LAN. The reason for this
> config is in order to not have to open the
> Exchange box to direct connects from the
> Internet, for security reasons). If this can be
> done with any regular mail server, my preference
> would be postfix, as I have experience with it.
>
> Hope this is clear, and thanks again,
>
> Scott
>
 
----
>You need to learn about this - a dmz cannot be
>allowed to create communications to anywhere on
>the local lan, thus, it would never serve to have
>a webmail solution on a dmz with the primary mail
>server on a local lan...that would be dumb.
>
>Exchange server is a sophisticated and expensive
>mail system and if the company is already invested
>in it, they should maximize their investment and
>use it.
>
>I think that you are making too much of this. If
>it were me, I would have a firewall that forwards
>all incoming port 80 & 443 to the Exchange server
>and let it service it. I would also have it
>running OWA - Outlook Web Access and that would be
>the only way I would allow mail access from
>offsite. Thus offsite POP3 & IMAP requests would
>be stopped by the firewall.
>
>I would have this firewall receive inbound mail
>for the domain, probably process it with spam
>filtering/procmail recipe filtering etc. and then
>forward the mail to the Exchange Server for local
>delivery.
>I think you are trying to make this overly
>complicated.
>Craig

Thanks for your response, Craig.  Let me try to
answer what you say and maybe we can get things a
little clearer.  I'm thinking maybe there are
various conceptions/structures of DMZs?  At our
company, no traffic from the Internet may connect
directly to the LAN.  But it IS possible to
connect to a server in our DMZ, which in turn has
the ability to connect to a server on the LAN. 
All steps in this pass through the firewall.  Our
inbound mail is like this, for instance - SMTP
mail comes to a Red Hat postfix server in the
DMZ, which blocks relay attempts, filters out
spam, etc., then passes the rest into the
Exchange server, on the LAN.  My view is this
gives us an extra layer of protection, as nothing
from the Internet attaches directly to the
Exchange box. No?

I don't MEAN to be making too much of this.  I
was thinking that having a server in the DMZ,
functioning similarly to the spam filtering
server, only handling all POP/IMAP requests,
would be a good idea, for the same reasons...
Plus, my understanding is that MS Exchange and
OWA (although a useful system which the company
has already paid for, and doesn't plan to pitch),
is still not a really secure system, even when only
certain ports like 25, 445, 110, etc are opened
up to it from the Internet, because of
application level exploits.  So I'm thinking it
would be worthwhile to put a proxy in front of it
for that reason, as well.

Also, I don't want to stop POP and IMAP requests
from the Internet, as you suggest - that's
exactly what I need to handle.  I have road
warriors that NEED this, not just a web
front-end.  

Please let me know if there are mistakes in my
thinking here.  And/or if there is a way you know
of I can accomplish my goals.  

Thanks very much!  Scott
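As an added example (not from the original thread), here is the firewall forwarding policy that Scott's layout implies, written as iptables rules for a three-legged Linux firewall: road warriors may reach only the DMZ box on the published web and POP/IMAP ports, only the DMZ box may open POP/IMAP sessions to Exchange, and nothing from the Internet is forwarded to the LAN. Interface names, addresses and port lists are assumptions; the script prints the rules so they can be reviewed before being piped to sh on the firewall.

```shell
#!/bin/sh
# Added example: FORWARD policy for a three-legged firewall implementing
# the DMZ layout described in the thread. Assumed (placeholder) layout:
#   eth0 = Internet, eth1 = DMZ, eth2 = LAN
EXT_IF=eth0; DMZ_IF=eth1; LAN_IF=eth2
PROXY=192.0.2.10                    # DMZ box: webmail + POP/IMAP proxy
EXCHANGE=10.0.0.5                   # Exchange server on the LAN
PROXY_PORTS="443 110 143 993 995"   # what the Internet may reach in the DMZ
EXCHANGE_PORTS="110 143"            # what only the proxy may open to Exchange

# Emit the rules instead of applying them. Default policy is DROP, each
# permitted hop is listed explicitly, and no rule lets Internet traffic
# cross into the LAN, which is the "extra layer" the thread argues for.
dmz_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections already accepted below, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Hop 1: Internet -> DMZ proxy, only on the published ports.
    for p in $PROXY_PORTS; do
        echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $PROXY --dport $p -m state --state NEW -j ACCEPT"
    done
    # Hop 2: DMZ proxy -> Exchange, only from the proxy's own address.
    for p in $EXCHANGE_PORTS; do
        echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -p tcp -s $PROXY -d $EXCHANGE --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything else the DMZ tries toward the LAN is logged, then dropped,
    # so a compromised DMZ host shows up in the firewall log.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix 'DMZ-to-LAN: '"
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP"
}

# Policy check: succeed (exit 0) only if no rule accepts traffic that
# arrives on the Internet interface and leaves toward the LAN.
no_internet_to_lan() {
    ! dmz_rules | grep -q -- "-i $EXT_IF -o $LAN_IF .*-j ACCEPT"
}

dmz_rules
```

Apply with `sh script.sh | sh` on the firewall once the interface names and addresses have been replaced with the real ones.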
