Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [suse-security] Protecting Exchange with Suse proxy & postfix relay
Date: Thu Feb 05 2004 - 10:22:38 CST
Quoting Eric Kahklen <erickahklen.com>:
> I am currently trying to implement an Exchange 2000 server and it was
> suggested by a friend that I put a SuSE box between the internet and
> Exchange. He suggested having Postfix relay incoming mail only to the
> Exchange box and then allow Exchange to send out its mail through the
> firewall (Watchguard). Then for the OWA/SSL connectivity, he suggested
> using Apache's mod_proxy & mod_ssl to protect IIS. I am only going to
> allow https traffic to my exchange server. My question is, is this plan
> feasible? and does anyone know if there is a how to out there for this
> type of configuration? I've never setup Postfix or these Apache modules
> so I am hoping to find out if its possible since I don't have a lot of
> time to set this up due to the launch date of Exchange.
1) I am required to suggest to you that simply use the SuSE box for mail and
web. It is just a better policy.
2) If #1 is infeasible, the mail part of the above should work fine. I use a
postfix box to scan incoming mail for viruses before sending it to the real
mail server for storage and retrieval (in my case, it's a matter of delegation
of resources, not a matter of the mail server sucking)
3) Perhaps someone else can help you with the web part, but as I understand it,
proxying SSL connections isn't feasible... though, I suppose you could have the
SuSE box talk SSL to the client while IIS talkes to SuSE in the clear...
I would really like to stress #1, though. Just running proper internet services
on a decent server is much easier than mucking abot with proxying and whatnot.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here