Re: Running Exchange 2000 on a DMZ
From: Al Mulnick (amulnick_No_SPAM_at_ncDOTrr.com)
Date: 09/08/04
- Next message: Al Mulnick: "Re: Exchange 2003 Global Address List"
- Previous message: Al Mulnick: "Re: New Exchange setup - Mailbox Store & mail.site.com"
- In reply to: compufxr: "Re: Running Exchange 2000 on a DMZ"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 7 Sep 2004 21:59:14 -0400
Well...
Here's a way to do this, but I have to ask a question and make an
assumption. Is it possible to route the mail internally? I'm going to
assume it is.
To make sendmail send mail for particular recipients, you are essentially
smarthosting. That means that Sendmail is smart enough to know where your
mailstore resides (mailbox location) when it gets a piece of mail. Sendmail
is nice because it typically uses an alias table. Some of the newer
implementations use LDAP, but the concept is the same. Email comes in,
Sendmail looks up the destination in its table (alias file or LDAP
typically) and relays the message to that destination. Since mail handlers
are designated by the DNS MX records, you would not want to change the
internet inbound mail stream. Instead, tell sendmail to deliver your mail
to your host. It would look something like this:
If you want to do this for a large number of users then this is one way to
do this:
1) Change your recipient policy to make your server responsible for
domain.com (where domain.com is your primary mail address on the internet).
2) add the other three domains via domain policy the same way, except they
are not primary mail addresses.
3) add one more domain, called domain.local that only your internal network
knows about
4) in Sendmail alias table change your alias from alias:localmailstore to
alias:ExchangeServer (this assumes you're not rewriting the envelope and it
should not be in this configuration).
This should allow sendmail to deliver mail for just that alias to your
Exchange server. I highly suggest using a test account until you get this
worked out to your liking. The same concept is true for Sendmail with LDAP,
just different location and you have to deal with attributes.
If you want to do it for a few users, then this might be more helpful:
1) Change your recipient policy to make your server responsible for
domain.com (where domain.com is your primary mail address on the internet).
2) add the other three domains via domain policy the same way, except they
are not the primary mail address.
3) add one more domain, called domain.local that only your internal network
knows about
4) Use a .forward file to send mail to your mail drop (their term; it refers
to your Exchange server mailbox store). Here's a doc describing it:
http://www.uwsg.iu.edu/usail/mail/aliasing/
What's the .local domain for? That's what I refer to your internal network
as. Use your internal network for that instead. You can even use MX
records, but you shouldn't need it necessarily.
I'm a few years rusty on Sendmail since I haven't written any rules for
Sendmail since 8.x but from memory that should do what you want for the
incoming stream. The outgoing stream would be direct from your Exchange
server to the internet via TCP/IP and DNS records [1] or via your normal
outbound mail stream. I would suggest the regular outbound mail stream if
possible.
Trying to route messages across the internet would require a new domain name
most likely as your target domain to send email to. Not that people have to
know you by that name, but your sendmail host would have to know you there.
Doesn't make a lot of sense in most cases to accept mail internally and then
put it right back onto the internet for delivery. Not that it isn't done,
it just doesn't make a lot of sense for many systems. [2]
If you have any questions, ping me off-line at my home address amulnick_at_
nc.rr.com as NNTP is not always followed. I'll do my best from here. I
should also note that what you are talking about doing seems counter to what
the company wants. I understand that this is likely due to internal
political reasons and I normally suggest a company strategy session with
someone with lots of large-scale messaging experience to prevent this type
of thing. Just so we're on the same page ;-) I also understand that
business has to get done, hence the long post.
[1] be careful of this. Sending via your own server on a network where they
don't like that may not be the way to go since some domains may be looking
for reverse DNS and even SPF records which would show your regular outbound
path. If possible, use the same outbound path as your primary path for
outgoing mail. Saves you a lot of trouble and administration later.
[2] I've done it myself, so I'm sure I'll hear about that suggestion :)
Al
"compufxr" <compufxr@discussions.microsoft.com> wrote in message
news:50A6154E-FBD4-4584-A96F-1A47C93D767C@microsoft.com...
> Dear Al,
>
> O.K. - here goes - The mail server (running sendmail) is located in Texas
> and is currently accepting mail for all 4 domains. There may actually be
> more but they do not belong to my company and I have no idea what they are.
> I want the sendmail server to be able to forward e-mail to my exchange server
> which will have its own public IP address on the internet.
>
> Now, once the mail is forwarded to Exchange I want to be able to retrieve it
> in Outlook on my desktop. The problem I have is how to make Exchange public
> on the internet so that it will accept the mail. Internally, Exchange seems
> to be running perfectly. I can send mail between accounts from different
> computers and everyone receives and sends mail properly. I just want to know
> how to get the mail from the sendmail server to those same people that are
> getting mail internally.
>
> Also, as far as sending mail goes, I don't think it will really matter if it
> is sent directly through Exchange. In fact, I think it may be better that
> way - since we are avoiding the extra hop to the mail server in Texas. That
> way, if the server in Texas fails, at least we can still send mail if
> everything is live here. This brings up another question. If I have
> exchange sending mail, and I send a message to myself, will the following
> occur? The mail will get sent through Exchange and then routed to the e-mail
> server in Texas which will then route the mail back to Exchange for delivery
> to me. I think that is what will happen.
>
> You see, my boss is very secretive about the mail server and the routers
> here. I have no idea what he is trying to hide, but I know he doesn't trust
> me to manage any of it. I have to ask him to open ports and to make all of
> the changes I want. It's certainly a bit of a hindrance at best. Soooo...
> what I really want to know, and need to know, is EXACTLY how to accomplish
> what he wants to do. I don't have the resources to be able to do this myself
> and no way to check what he is doing. Therefore, if I have full instructions
> it would make it easier for him and therefore me as well.
>
> Thank you for your help!
>
> "Al Mulnick" wrote:
>
>> I *think* I have an idea what you want done, but let me play back what I
>> think you want to do; correct me if I haven't got it right.
>> Problem statement:
>> You want to accept mail for four domains in your organization. For the
>> purposes of working Exchange into the topology, only test users should
>> receive mail for two currently working domains. Additionally, mail should
>> be received by an out of state mail host as the first hop from the internet.
>>
>> Is that correct? If so, then the following are my thoughts:
>>
>> Accepting mail for a particular domain or multiple domains is pretty easy in
>> Exchange. You use recipient policies to control that. Read the help file
>> to see more detail on that configuration, but it's mostly a couple of
>> mouse-clicks to tell Exchange it's authoritative for a particular domain.
>> Since you have a mail path already, that first server in the path (the
>> server in the other state, right?) needs to have the ability to smart host
>> for you. In other words, when ExchangeUser1@company.com comes in from the
>> internet, it's going to always go to the first hop after the firewall and at
>> that point that system needs to know to route it to ExchangeServer in your
>> site. Depending on what mail system it's running, it's done different ways.
>> Sendmail is pretty easy if you use alias files or if you use LDAP, most
>> mailers are pretty easy to make this happen. You just tell that server that
>> the delivery destination for user ExchangeUser1@company.com is
>> ExchangeServer and let SMTP take over :) On the receiving server, you need
>> to ensure that you have properly set it up to receive for the individual
>> users you have defined.
>>
>> Outgoing mail should likely be direct from Exchange to the internet unless
>> you have other plans to talk with the users defined in the other system. If
>> you have that requirement (not clear from previous post) then it may be
>> wiser to define a route direct to that server for those domains/users.
>>
>> Does that help?
>>
>>
>>
>> "compufxr" <compufxr@discussions.microsoft.com> wrote in message
>> news:9E7E0D13-0361-4B7D-851B-324F65CF8CB8@microsoft.com...
>> > Al,
>> >
>> > O.K., let's see if I can make this easy. I have a new DC (W2K) and a new
>> > Exchange 2000 Server. We currently have an e-mail server which is located
>> > in another state (don't even ask why). All I want to be able to do is to
>> > have that e-mail server forward mail to the new exchange server and have
>> > it delivered to the right people here.
>> >
>> > This is where it gets a little (very little I am sure) tricky. We have,
>> > at the moment, four (4) different domain names for e-mail. The two main
>> > domain names (let's call them abc.com and xyz.com) are the most important
>> > for now. To make matters more difficult, I only want certain users to get
>> > their mail from exchange. However, I don't think this will be a problem
>> > as we should be able to forward mail from those accounts to wherever we
>> > want.
>> >
>> > Correct me if I am wrong, but shouldn't I just be able to forward the mail
>> > from the accounts I want on Exchange from the e-mail server we have now to
>> > the Exchange Server on the network? I am a little confused about how
>> > sending mail would work, but that is why I am asking my questions here.
>> > So, basically I need to have those two domains receiving mail on Exchange
>> > but only for a few accounts (for testing purposes). If there are any
>> > resources on the web for this I would be more than happy to check them
>> > out.
>> >
>> > Thanks for your help.
>> >
>> > Paul
>> >
>> > "Al Mulnick" wrote:
>> >
>> >> Sure. Run by the completed routing that you need to accomplish again and
>> >> it should be a snap.
>> >>
>> >> Al
>> >>
>> >>
>> >> "compufxr" <compufxr@discussions.microsoft.com> wrote in message
>> >> news:42886C6C-7D0B-41CF-9FC6-C9B91EF2D3E4@microsoft.com...
>> >> > THANK YOU GENTLEMEN!!!
>> >> >
>> >> > I have finally convinced my boss to leave the Exchange Server behind the
>> >> > firewall and not on a DMZ.
>> >> >
>> >> > Now, I need some help finalizing the Exchange Server setup so that it
>> >> > will accept mail from the outside e-mail server and forward it to users
>> >> > on the domain. Are there any articles out there that would help me to
>> >> > set that up??
>> >> >
>> >> > Anyone out there who can help me?
>> >> >
>> >> > Thank you in advance!
>> >> >
>> >> > "Todd Seagraves" wrote:
>> >> >
>> >> >> Well you are going to have a hard time finding documentation since this
>> >> >> is not a recommended configuration.
>> >> >> Like other people have posted by the time you open up enough holes in
>> >> >> the firewall to your internal network, you might as well have no
>> >> >> firewall. The ports that need to be opened are exactly the ones that
>> >> >> would be targeted by malicious attacks because they are well documented
>> >> >> and most being protocols that have been compromised in the past.
>> >> >> recommended
>> >> >> inet --> port 25 --> firewall --> port 25 --> firewall --> port
>> >> >> 25 -->exchange on private network (easy as that)
>> >> >>
>> >> >> NOT
>> >> >> inet --> port 25 --> firewall --> port 25 and about 9 -12
>> >> >> others --> your network
>> >> >>
>> >> >>
>> >> >> go search for exchange server in a dmz and give the results to your
>> >> >> boss and see if he doesn't change his mind. If he doesn't, you may want
>> >> >> to update your resume because life is going to get really crazy there.
>> >> >>
>> >> >> Todd
>> >> >>
>> >> >>
>> >> >> "compufxr" <compufxr@discussions.microsoft.com> wrote in message
>> >> >> news:15E15B4F-4379-4B1C-B8F4-1D703082350C@microsoft.com...
>> >> >> > Well, the impression I am getting from my boss is that he wants the
>> >> >> > Exchange Server on the DMZ to isolate it from the network. I am also
>> >> >> > getting the impression that he thinks the firewall will allow the
>> >> >> > traffic through since it will be originating from the internal lan.
>> >> >> > I don't know exactly how he thinks this is going to work but I know
>> >> >> > he doesn't want the Exchange Server on the local lan. He feels that
>> >> >> > in the event it was compromised it would be too easy to compromise
>> >> >> > the rest of the network.
>> >> >> >
>> >> >> > Knowing that MS products are usually targeted by hackers, he feels
>> >> >> > that this would be the best way to protect the network in the event
>> >> >> > of an attack. In theory I don't see how this is any different than
>> >> >> > looking to our old e-mail server it just seems that Exchange will be
>> >> >> > a "middle-man" for retrieving e-mail. The real reason we are going
>> >> >> > with exchange in the first place is so that some users in the office
>> >> >> > will be able to share calendars in Outlook. I think the e-mail is
>> >> >> > more secondary at the moment.
>> >> >> >
>> >> >> > It is my responsibility to get this all running and that is why I am
>> >> >> > posting these questions. I have no idea if what he wants to do is
>> >> >> > possible or if it is the best way to accomplish what he wants to do.
>> >> >> > All I know is that the Exchange Server is going to be on the DMZ and
>> >> >> > I don't think it is open for discussion.
>> >> >> >
>> >> >> > I know, good luck, but unfortunately for me that's the way it is.
>> >> >> >
>> >> >> > Thanks for your help!
>> >> >> >
>> >> >> > "Al Mulnick" wrote:
>> >> >> >
>> >> >> >> Do you have that information now? Do you now realize that Exchange
>> >> >> >> needs to see the domain completely and by the time you allow all
>> >> >> >> that traffic through the firewall, it's trivial to run about your
>> >> >> >> DC/GC/DNS infrastructure if they did compromise your Exchange server.
>> >> >> >>
>> >> >> >> Exchange in a DMZ? What's the real purpose of what you are trying to
>> >> >> >> accomplish and why would Exchange be in the DMZ for it? Why not
>> >> >> >> project it out with a layer-7 device? Why not let a relay exist to
>> >> >> >> pass mail across the firewall and leave the one port (could even be
>> >> >> >> a different port if you felt like it was needed) to allow traffic?
>> >> >> >>
>> >> >> >>
>> >> >> >> "compufxr" <compufxr@discussions.microsoft.com> wrote in message
>> >> >> >> news:0D92A3B3-B1DE-4FC7-A50E-CFC8DE7D0057@microsoft.com...
>> >> >> >> >> Different subnets will not be the problem. The problem will be
>> >> >> >> >> having a server in the DMZ (the exchange server) that needs to
>> >> >> >> >> talk to AD thus opening quite a few holes from the DMZ to the
>> >> >> >> >> internal network. If you have a simple (non-AD aware) SMTP server
>> >> >> >> >> in the DMZ I would suggest using this to forward email into the
>> >> >> >> >> internal network on port 25 to the exchange server there.
>> >> >> >> >
>> >> >> >> > After speaking to my boss about your comments he had the following
>> >> >> >> > to say.
>> >> >> >> >
>> >> >> >> > Wouldn't it be better to have the Exchange Server on the DMZ where
>> >> >> >> > it would be isolated from the internal network. That way, if the
>> >> >> >> > Server was compromised through the SMTP port somehow, the hacker
>> >> >> >> > would then have to figure out a way past the firewall to get to
>> >> >> >> > the internal network. The Exchange Server would only be relaying
>> >> >> >> > mail from the main e-mail server (on an outside network) to the
>> >> >> >> > users on the network. Everything outbound from the network is
>> >> >> >> > available on the firewall and therefore if the e-mail client
>> >> >> >> > initiates a request on port 110 then the firewall will allow the
>> >> >> >> > inbound transaction, since it is aware of the IP address of the
>> >> >> >> > requestor, and the internal network user can retrieve e-mail. So,
>> >> >> >> > if the Exchange Server is on the DMZ and a request goes out on
>> >> >> >> > Port 110 then the transaction should take place since the firewall
>> >> >> >> > will allow it for that user's IP address. I hope that wasn't too
>> >> >> >> > confusing!
>> >> >> >> >
>> >> >> >> > I think you were a little confused (mostly my fault), since we have
>> >> >> >> > an e-mail server on a linux box that is handling the e-mail now. I
>> >> >> >> > simply want to forward the e-mails from that box to the Exchange
>> >> >> >> > Server and let Exchange route the e-mails to the correct users.
>> >> >> >> >
>> >> >> >> > The difficulty I was having was comprehending how the Exchange
>> >> >> >> > Server would communicate with the DC if the Exchange Server was on
>> >> >> >> > a DMZ and a completely different IP Subnet. I wanted to make sure
>> >> >> >> > that they would be able to communicate and that users on the domain
>> >> >> >> > would be able to see the Exchange Server. I also wanted to know
>> >> >> >> > what I needed to do to make that all possible.
>> >> >> >> >
>> >> >> >> > Thanks for your reply!
>> >> >> >> >
>> >> >> >> > Paul
>> >> >> >> >
>> >> >> >> > "Glen Trafford" wrote:
>> >> >> >> >
>> >> >> >> >> > Now, my boss wants to have the exchange server on a DMZ with a
>> >> >> >> >> > totally different subnet (192.168.8). Is this possible?
>> >> >> >> >>
>> >> >> >> >> Yes so long as the Exchange server can talk to the AD server.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> > I simply relay (or forward) the mail from the other server to
>> >> >> >> >> > my Exchange Server? Has anyone done this before?
>> >> >> >> >>
>> >> >> >> >> Yes. So long as the email being forwarded is for your internal
>> >> >> >> >> users (and you have a recipient policy that accepts the email as
>> >> >> >> >> inbound). Exchange will not relay any email for the other domains
>> >> >> >> >> that you have, unless you explicitly allow it to do so. Bottom
>> >> >> >> >> line be careful how you set the forwarding up - I suggest on a per
>> >> >> >> >> email domain basis as you seem to have a few domains.
>> >> >> >> >>
>> >> >> >> >> > Will I have any problems with the DC and the Exchange Server
>> >> >> >> >> > being on different subnets? Will DNS handle this automatically
>> >> >> >> >> > or will I have to do something to DNS on the DC to make the
>> >> >> >> >> > Exchange Server see it? I am very confused but there IS a lot
>> >> >> >> >> > going on here that I have to work out. Any help, ideas,
>> >> >> >> >> > suggestions would be appreciated. Please, if you need more
>> >> >> >> >> > info. please let me know.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> Different subnets will not be the problem. The problem will be
>> >> >> >> >> having a server in the DMZ (the exchange server) that needs to
>> >> >> >> >> talk to AD thus opening quite a few holes from the DMZ to the
>> >> >> >> >> internal network. If you have a simple (non-AD aware) SMTP server
>> >> >> >> >> in the DMZ I would suggest using this to forward email into the
>> >> >> >> >> internal network on port 25 to the exchange server there.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> Cheers
>> >> >> >> >>
>> >> >> >> >> Glen
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
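The two-hop path the thread settles on (a non-AD-aware relay as the first hop, forwarding over port 25 to an Exchange server that accepts mail only for the domains its recipient policy covers, with a few test users redirected by the sendmail host) is easy to get subtly wrong: if the first hop rewrites a recipient into the internal-only domain but that domain is missing from the Exchange recipient policy, Exchange refuses the message as relaying rather than delivering it. The script below is an added example, not code from the thread or from either product; it models both hops offline so the refusal can be seen before touching a real server. It expresses Al's per-user routing with sendmail's virtusertable and mailertable features rather than the aliases file he names, and every host name, table entry and client address in it is constructed for illustration.

```python
"""
Added example (not code from the original thread): an offline model of the
two-hop inbound mail path discussed above. Hop 1 is the sendmail host that
redirects a few users to the internal Exchange server; hop 2 is Exchange's
RCPT TO decision, which accepts only domains its recipient policy covers.
All names, addresses and table contents are constructed, not real config.
"""
import ipaddress

# Constructed per-user rewrites in sendmail virtusertable style
# ("address  target"). Only the test users are redirected; everyone else
# at abc.com / xyz.com keeps being delivered on the sendmail host.
VIRTUSERTABLE = """
paul@abc.com      paul@domain.local
testuser@xyz.com  testuser@domain.local
"""

# Constructed next-hop routing in sendmail mailertable style
# ("domain  mailer:[host]"). Brackets tell sendmail to skip the MX lookup,
# which suits a host that only the internal network knows about.
MAILERTABLE = """
domain.local   smtp:[exchange.domain.local]
"""

# Domains the sendmail host delivers into its own mail store (constructed).
LOCAL_DOMAINS = {"abc.com", "xyz.com", "third.com", "fourth.com"}


def parse_table(text):
    """Parse a whitespace-separated two-column table; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def sendmail_route(rcpt, virtusers, mailers, local_domains):
    """
    What the first hop does with one recipient:
      ("relay", host, rewritten_rcpt)  hand off over SMTP to host
      ("local", None, rcpt)            deliver into the local mail store
      ("mx", domain, rcpt)             not ours, would go out via MX
    Order mirrors sendmail: virtusertable rewrite first, then mailertable.
    """
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[1]
    # exact address wins, then a whole-domain "@domain" catch-all entry
    target = virtusers.get(rcpt) or virtusers.get("@" + domain)
    if target:
        rcpt = target.lower()
        domain = rcpt.rsplit("@", 1)[1]
    if domain in mailers:
        _mailer, host = mailers[domain].split(":", 1)
        return ("relay", host.strip("[]"), rcpt)
    if domain in local_domains:
        return ("local", None, rcpt)
    return ("mx", domain, rcpt)


def exchange_rcpt_to(client_ip, rcpt, authoritative_domains, relay_allowed_from=()):
    """
    The receiving side's RCPT TO decision, modelled on a default Exchange
    2000 SMTP virtual server: accept recipients in domains the recipient
    policy makes it responsible for; relay for other domains only when the
    client address is explicitly permitted; otherwise refuse with 5.7.1.
    """
    domain = rcpt.lower().rsplit("@", 1)[1]
    if domain in authoritative_domains:
        return "250 2.1.5 " + rcpt
    src = ipaddress.ip_address(client_ip)
    if any(src in ipaddress.ip_network(net) for net in relay_allowed_from):
        return "250 2.1.5 " + rcpt
    return "550 5.7.1 Unable to relay for " + rcpt


def inbound_path(rcpt, exchange_authoritative, relay_ip="203.0.113.10"):
    """Run one recipient through both hops and report the outcome."""
    hop1 = sendmail_route(rcpt, parse_table(VIRTUSERTABLE),
                          parse_table(MAILERTABLE), LOCAL_DOMAINS)
    if hop1[0] != "relay":
        return hop1[0]
    reply = exchange_rcpt_to(relay_ip, hop1[2], exchange_authoritative)
    return "delivered" if reply.startswith("250") else "bounced: " + reply


if __name__ == "__main__":
    # Recipient policy with the public domains plus the internal one (step 3
    # in the post): the test user arrives. Leave domain.local out and the
    # same message is refused by Exchange as relaying.
    full = {"abc.com", "xyz.com", "domain.local"}
    print(inbound_path("paul@abc.com", full))
    print(inbound_path("paul@abc.com", full - {"domain.local"}))
    print(inbound_path("someone.else@abc.com", full))
```

The same `exchange_rcpt_to` check is what keeps the internal server from becoming an open relay for the domains Glen warns about: a recipient outside the authoritative set is only accepted when the connecting address is in an explicit allow list, which in this topology should be nothing more than the first-hop relay.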