Author: Scott H
Date:  
Subject: Re web-based email and POP/IMAP access front end for Exchange server
On Thu, 2003-02-20 at 14:37, Scott H wrote:
> > From: Scott H <>
> > I have an Exchange server for company mail for
> > about 1400 users. My boss wants web-based email
> > and POP/IMAP access from the Internet. He agrees
> > with me putting Exchange and Outlook Web Access
> > out there is not a good idea, from a security
> > standpoint. So we're looking for a good OSS
> > solution. I know I can use products like
> > squirrelmail and Horde's IMP to provide a
> > web-based email front end, but how can I provide
> > POP/IMAP clients access to their Exchange
> > mailboxes, without opening up ports to the
> > Exchange box? Is there OSS software that will
> > do this?
> >
> > From: "Brian Tafoya" <>
> > Yeah... it is called Sendmail! ;-)
> > Now, if the web server running Squirrelmail
> > (which is what I use) and the
> > exchange server are behind a firewall, that is
> > not an issue. Just open
> > ports 80/443 to the web server and keep the
> > IMAP and POP ports blocked. :)
> > Brian Tafoya
> >
> >
> > From: Mike Starke <>
> > I had a similar situation and here is how I had
> > it configured:
> > 1. Debian/Apache (SSL) running IMP on the
> >    Intranet side
> >    (complete w/LDAP to addressbook)
> > 2. OpenBSD Firewall that redirected port 443 to
> >    server in #1
> > 3. #1 was on same LAN as Exchange, so they
> >    played happily together.
> > Never had a problem.
> > <snip>
> > Mike
>
> I can see from the responses I got on this
> question that I am obviously missing something.
>
> How is it sendmail, squirrelmail, and IMP are all
> being recommended to handle (in addition to
> operating as a web-based front end) IMAP/POP
> proxying in front of an Exchange server? How do
> I configure these to proxy POP or IMAP requests?
> (i.e. the user is out on the Internet, with a POP
> or IMAP client, the mail is inside the company,
> on an Exchange server - I want the client to
> connect through our firewall to a Linux box in
> the DMZ that will handle/proxy all the POP/IMAP
> requests between the client and the Exchange
> server inside on the LAN. The reason for this
> config is in order to not have to open the
> Exchange box to direct connects from the
> Internet, for security reasons). If this can be
> done with any regular mail server, my preference
> would be postfix, as I have experience with it.
>
> Hope this is clear, and thanks again,
>
> Scott
>


----
>You need to learn about this - a dmz cannot be allowed
>to create communications to anywhere on the local lan,
>thus, it would never serve to have a webmail solution
>on a dmz with the primary mail server on a
>local lan...that would be dumb.
>
>Exchange server is a sophisticated and expensive mail
>system and if the company is already invested in it,
>they should maximize their investment and use it.
>
>I think that you are making too much of this. If it were
>me, I would have a firewall that forwards all incoming
>port 80 & 443 to the Exchange server and let it service
>it. I would also have it running OWA - Outlook Web Access
>and that would be the only way I would allow mail access
>from offsite. Thus offsite POP3 & IMAP requests would be
>stopped by the firewall.
>
>I would have this firewall receive inbound mail for the
>domain, probably process it with spam filtering/procmail
>recipe filtering etc. and then forward the mail to the
>Exchange Server for local delivery.
>I think you are trying to make this overly complicated.
>Craig


Thanks for your response, Craig. Let me try to
answer what you say and maybe we can get things a
little clearer. I'm thinking maybe there are
various conceptions/structures of DMZs? At our
company, no traffic from the Internet may connect
directly to the LAN. But it IS possible to
connect to a server in our DMZ, which in turn has
the ability to connect to a server on the LAN.
All steps in this pass through the firewall. Our
inbound mail is like this, for instance - SMTP
mail comes to a Red Hat postfix server in the
DMZ, which blocks relay attempts, filters out
spam, etc., then passes the rest into the
Exchange server, on the LAN. My view is this
gives us an extra layer of protection, as nothing
from the Internet attaches directly to the
Exchange box. No?

I don't MEAN to be making too much of this. I
was thinking that having a server in the DMZ,
functioning similarly to the spamfiltering
server, only handling all POP/IMAP requests,
would be a good idea, for the same reasons...
Plus, my understanding is that MS Exchange and
OWA (although a useful system which the company
has already paid for, and doesn't plan to pitch),
is still not a real secure system, even when only
certain ports like 25, 445, 110, etc are opened
up to it from the Internet, because of
application level exploits. So I'm thinking it
would be worthwhile to put a proxy in front of it
for that reason, as well.

Also, I don't want to stop POP and IMAP requests
from the Internet, as you suggest - that's
exactly what I need to handle. I have road
warriors that NEED this, not just a web
front-end.

Please let me know if there are mistakes in my
thinking here. And/or if there is a way you know
of I can accomplish my goals.

Thanks very much! Scott
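
Added example, not part of the original message or thread: a small audit of a firewall allow-list against the layout described above, where nothing from the Internet reaches the LAN directly and the DMZ reaches the LAN only as the SMTP relay or a POP/IMAP proxy talking to Exchange. All addresses, rule names, the proxy host and the Internet-facing ports are constructed assumptions.

```python
from ipaddress import ip_network

# All addresses below are constructed for illustration; none come from the thread.
LAN = ip_network("10.0.0.0/24")
DMZ = ip_network("192.168.100.0/24")
EXCHANGE = ip_network("10.0.0.5/32")
SMTP_RELAY = ip_network("192.168.100.25/32")   # postfix spam filter in the DMZ
MAIL_PROXY = ip_network("192.168.100.10/32")   # hypothetical POP/IMAP proxy

# The only DMZ -> LAN flows the design permits: (source, destination, port).
ALLOWED_DMZ_TO_LAN = {
    (SMTP_RELAY, EXCHANGE, 25),
    (MAIL_PROXY, EXCHANGE, 110),
    (MAIL_PROXY, EXCHANGE, 143),
}

# Constructed sample allow rules: (name, source, destination, destination port).
SAMPLE_RULES = [
    ("inet-to-proxy-imaps", "0.0.0.0/0", "192.168.100.10/32", 993),
    ("inet-to-proxy-pop3s", "0.0.0.0/0", "192.168.100.10/32", 995),
    ("inet-to-relay-smtp", "0.0.0.0/0", "192.168.100.25/32", 25),
    ("relay-to-exchange-smtp", "192.168.100.25/32", "10.0.0.5/32", 25),
    ("proxy-to-exchange-imap", "192.168.100.10/32", "10.0.0.5/32", 143),
    ("proxy-to-exchange-pop3", "192.168.100.10/32", "10.0.0.5/32", 110),
    ("dmz-to-lan-any-smb", "192.168.100.0/24", "10.0.0.0/24", 445),
    ("inet-to-exchange-https", "0.0.0.0/0", "10.0.0.5/32", 443),
]

def audit(rules):
    """Return (rule name, reason) for every allow rule that breaks the design."""
    findings = []
    for name, src, dst, port in rules:
        s, d = ip_network(src), ip_network(dst)
        if not d.overlaps(LAN) or s.subnet_of(LAN):
            continue  # rule does not reach the LAN from outside it
        if not s.subnet_of(DMZ):
            findings.append((name, "Internet source reaches the LAN directly"))
        elif (s, d, port) not in ALLOWED_DMZ_TO_LAN:
            findings.append((name, "DMZ-to-LAN flow outside the proxy/relay allowlist"))
    return findings

if __name__ == "__main__":
    for rule_name, reason in audit(SAMPLE_RULES):
        print(f"{rule_name}: {reason}")
```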


