On Thu, 2003-02-20 at 14:37, Scott H wrote:

> > From: Scott H
> >
> > I have an Exchange server for company mail for about 1400 users. My boss
> > wants web-based email and POP/IMAP access from the Internet. He agrees
> > with me that putting Exchange and Outlook Web Access out there is not a
> > good idea, from a security standpoint. So we're looking for a good OSS
> > solution. I know I can use products like squirrelmail and Horde's IMP to
> > provide a web-based email front end, but how can I provide POP/IMAP
> > clients access to their Exchange mailboxes, without opening up ports to
> > the Exchange box? Is there OSS software that will do this?
> >
> >
> > From: "Brian Tafoya"
> >
> > Yeah... it is called Sendmail! ;-)
> >
> > Now, if the web server running Squirrelmail (which is what I use) and the
> > Exchange server are behind a firewall, that is not an issue. Just open
> > ports 80/443 to the web server and keep the IMAP and POP ports blocked. :)
> >
> > Brian Tafoya
> >
> >
> > From: Mike Starke
> >
> > I had a similar situation and here is how I had it configured:
> >
> > 1. Debian/Apache (SSL) running IMP on the intranet side
> >    (complete w/LDAP to addressbook)
> > 2. OpenBSD firewall that redirected port 443 to the server in #1
> > 3. #1 was on the same LAN as Exchange, so they played happily together.
> >
> > Never had a problem.
> >
> > Mike
>
> I can see from the responses I got on this question that I am obviously
> missing something. How is it that sendmail, squirrelmail, and IMP are all
> being recommended to handle (in addition to operating as a web-based front
> end) IMAP/POP proxying in front of an Exchange server? How do I configure
> these to proxy POP or IMAP requests? (i.e. the user is out on the Internet,
> with a POP or IMAP client, the mail is inside the company, on an Exchange
> server - I want the client to connect through our firewall to a Linux box
> in the DMZ that will handle/proxy all the POP/IMAP requests between the
> client and the Exchange server inside on the LAN. The reason for this
> config is in order to not have to open the Exchange box to direct connects
> from the Internet, for security reasons). If this can be done with any
> regular mail server, my preference would be postfix, as I have experience
> with it.
>
> Hope this is clear, and thanks again,
>
> Scott
>
> ----
>
> You need to learn about this - a DMZ cannot be allowed to create
> communications to anywhere on the local LAN, thus it would never serve to
> have a webmail solution on a DMZ with the primary mail server on a local
> LAN... that would be dumb.
>
> Exchange server is a sophisticated and expensive mail system and if the
> company is already invested in it, they should maximize their investment
> and use it.
>
> I think that you are making too much of this. If it were me, I would have
> a firewall that forwards all incoming port 80 & 443 to the Exchange server
> and let it service it. I would also have it running OWA - Outlook Web
> Access - and that would be the only way I would allow mail access from
> offsite. Thus offsite POP3 & IMAP requests would be stopped by the
> firewall.
>
> I would have this firewall receive inbound mail for the domain, probably
> process it with spam filtering/procmail recipe filtering etc. and then
> forward the mail to the Exchange Server for local delivery.
>
> I think you are trying to make this overly complicated.
>
> Craig

Thanks for your response, Craig. Let me try to answer what you say and maybe we can get things a little clearer.

I'm thinking maybe there are various conceptions/structures of DMZs? At our company, no traffic from the Internet may connect directly to the LAN.
But it IS possible to connect to a server in our DMZ, which in turn has the ability to connect to a server on the LAN. All steps in this pass through the firewall. Our inbound mail is like this, for instance - SMTP mail comes to a Red Hat postfix server in the DMZ, which blocks relay attempts, filters out spam, etc., then passes the rest into the Exchange server, on the LAN. My view is this gives us an extra layer of protection, as nothing from the Internet attaches directly to the Exchange box. No?

I don't MEAN to be making too much of this. I was thinking that having a server in the DMZ, functioning similarly to the spam-filtering server, only handling all POP/IMAP requests, would be a good idea, for the same reasons...

Plus, my understanding is that MS Exchange and OWA (although a useful system which the company has already paid for, and doesn't plan to pitch) are still not a really secure system, even when only certain ports like 25, 445, 110, etc. are opened up to it from the Internet, because of application-level exploits. So I'm thinking it would be worthwhile to put a proxy in front of it for that reason, as well.

Also, I don't want to stop POP and IMAP requests from the Internet, as you suggest - that's exactly what I need to handle. I have road warriors that NEED this, not just a web front-end.

Please let me know if there are mistakes in my thinking here. And/or if there is a way you know of I can accomplish my goals.

Thanks very much!

Scott
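The topology Scott describes above (an Internet-facing POP/IMAP listener in the DMZ that opens its own connection to Exchange on the LAN, so the Exchange box never accepts a session from the Internet), written out as an added example that is not code from the original thread or from any product named in it. It is a minimal TCP relay in Python with a constructed stand-in for the Exchange IMAP service so it runs offline; every hostname, port and the fake backend are assumptions.

```python
"""Minimal DMZ POP/IMAP relay (added example, not from the original thread).

Assumed topology (all names and ports are assumptions):
  Internet client -> firewall (forwards TCP/143) -> this proxy in the DMZ
  -> new TCP session opened by the proxy -> Exchange IMAP service on the LAN.
Only the proxy host needs a firewall rule allowing it to reach the Exchange
box; the Exchange box never accepts a connection from the Internet.
"""
import socket
import threading

BUFSIZE = 4096


def pump(src, dst):
    """Copy bytes one way until EOF or error, then half-close dst so the
    peer sees end-of-stream for that direction."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, backend_addr):
    """Serve one Internet client: open a fresh connection from the DMZ host
    to the LAN mail server, then relay both directions until both are done."""
    try:
        backend = socket.create_connection(backend_addr, timeout=10)
        backend.settimeout(None)
    except OSError:
        client.close()  # LAN server unreachable: drop the client, do not queue
        return
    upstream = threading.Thread(target=pump, args=(client, backend), daemon=True)
    upstream.start()
    pump(backend, client)  # server greeting and replies flow back here
    upstream.join()
    client.close()
    backend.close()


def start_proxy(backend_addr, listen_addr=("127.0.0.1", 0)):
    """Listen on listen_addr (port 0 = ephemeral for the offline demo; a real
    deployment binds 110/143 on the DMZ interface) and proxy every accepted
    connection to backend_addr. Returns (bound_port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                client, _peer = srv.accept()
            except OSError:
                return  # listening socket closed by stop_fn
            threading.Thread(target=handle_client,
                             args=(client, backend_addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port, srv.close


def start_fake_imap_backend():
    """Constructed stand-in for the Exchange IMAP service so the example runs
    offline: greets, acknowledges each tagged command, closes after LOGOUT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def session():
        conn, _ = srv.accept()
        srv.close()
        conn.sendall(b"* OK IMAP4rev1 server ready\r\n")
        reader = conn.makefile("rb")
        for line in reader:
            tag = line.split(b" ", 1)[0]
            if b"LOGOUT" in line.upper():
                conn.sendall(b"* BYE\r\n" + tag + b" OK LOGOUT completed\r\n")
                break
            conn.sendall(tag + b" OK done\r\n")
        reader.close()
        conn.close()

    threading.Thread(target=session, daemon=True).start()
    return port


def imap_session_via(proxy_port):
    """Act as the road warrior's IMAP client: talk to the proxy only, run
    LOGIN and LOGOUT, and return the server lines received."""
    client = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    reader = client.makefile("rb")
    received = [reader.readline()]
    client.sendall(b"a1 LOGIN user secret\r\n")
    received.append(reader.readline())
    client.sendall(b"a2 LOGOUT\r\n")
    received.append(reader.readline())
    received.append(reader.readline())
    reader.close()
    client.close()
    return [line.decode().rstrip("\r\n") for line in received]


def demo():
    """Start the fake LAN backend and the DMZ proxy, run one session through
    the proxy, and return the server lines the client saw."""
    backend_port = start_fake_imap_backend()
    proxy_port, stop = start_proxy(("127.0.0.1", backend_port))
    try:
        return imap_session_via(proxy_port)
    finally:
        stop()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two caveats a practitioner would want before relying on something like this. First, a byte-level relay only changes who the Exchange box has a TCP session with; it does not parse IMAP or POP, so an application-level exploit in the mail protocol itself still reaches Exchange, and the firewall should permit the DMZ host to reach the Exchange box on 110/143 only, from that one host. Second, the relay above carries credentials in the clear; the Internet-facing side needs TLS (a purpose-built proxy that terminates TLS, or a wrapper around this listener) before any road warrior logs in across it.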