"Tom Del Rosso" <(E-Mail Removed)> wrote in message
news:vurIe.25111$(E-Mail Removed)...
> The firewall is forwarding port 25 to the Exchange server, so that port is
> open to the internet. Of course I realize that computers all over the
> world are open to the internet, but I mean to ask if Exchange is vulnerable
> that way.
I think you are "over-applying" the concept of vulnerable and insecure. If
something is exposed to the internet,...then it is exposed to the internet.
If it is not exposed to the internet then it just flat doesn't work. Being
vulnerable or insecure isn't even in the conversation because it just simply
*has* to be exposed to the internet to work.
> An email provider with a backup mail server (the same company that hosted
> email before getting Exchange) points their MX record to the company
> office. The office firewall only accepts port 25 traffic from the address
> of the outside server.
Ok,..yes that would be an SMTP Smart Host situation where your SMTP Server
depends on the ISP's SMTP server in order to receive mail.
> AIUI this arrangement with an outside server is not always used, and
> instead the company's internet domain can reside right in the office, so
> SMTP and other ports are open to the whole internet. Is that considered
> insecure with Exchange?
It is often referred to as the Direct DNS method where the mail server
resolves the destination email address via DNS then sends the message
directly to the destination server. It is also considered to be the primary
way and the best way people should do it. Yes, it is more exposed because
more than just the ISP's SMTP is contacting it,...but worrying about that
compares to those people with disorders that are so paranoid of other people
that they never leave their homes and go outside.
> Now that I rephrased the question I think I can answer it myself. The
> outside server is merely passing all port 25 traffic to this server, so if
> there is an attack it will pass through the outside server and not be
> blocked anyway, right?
No. The mail server stands on its own. Firewalls protect things by
*preventing* them from being available. As soon as a Firewall is set up to
Static-NAT or Reverse-NAT (the true terms for it) to some internal service,
that service ceases to be "protected". Firewalls do not have the "mystical
voodoo" going on inside them that many seem to think. They protect when they
prevent things from being available and stop protecting when they make
something available. However they do have some advantage in that the better
ones might filter out certain SMTP Commands so the published service doesn't
see or process them,...but with a properly configured mail server that
would not have mattered anyway. Firewalls do have the advantage of not
allowing anything else running on the published mail server to be
exposed,..whereas they would be exposed if the mail server sat directly on
the internet.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
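To make the two arrangements discussed above concrete, here is an added example (not part of the original thread) that models the office firewall as a first-match packet filter in front of the published mail server. The ISP relay address 203.0.113.10, the sample internet source 198.51.100.7 and the list of probed ports are constructed for illustration; the point it shows is that Static-NAT publishes exactly one port either way, and the Smart Host source restriction only narrows who may reach it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                                   # "accept" or "drop"
    dst_port: Optional[int]                       # None matches any destination port
    src_net: Optional[ipaddress.IPv4Network]      # None matches any source address

def evaluate(rules: Sequence[Rule], src_ip: str, dst_port: int) -> str:
    """First-match evaluation; the default policy is drop, i.e. nothing is published
    unless a rule explicitly makes it available."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.src_net is not None and src not in rule.src_net:
            continue
        return rule.action
    return "drop"

# Constructed address of the ISP's backup/relay mail server (the MX target).
ISP_RELAY = ipaddress.ip_network("203.0.113.10/32")

# Smart Host arrangement: only the ISP relay may reach the published port 25.
SMART_HOST_RULES = [Rule("accept", 25, ISP_RELAY)]

# Direct DNS arrangement: any host on the internet may reach the published port 25.
DIRECT_DNS_RULES = [Rule("accept", 25, None)]

# Constructed set of ports a mail server might also be listening on.
PROBE_PORTS = (25, 80, 135, 445, 3389)

def exposed_ports(rules: Sequence[Rule], src_ip: str,
                  ports: Sequence[int] = PROBE_PORTS) -> Tuple[int, ...]:
    """Return the ports on the mail server that traffic from src_ip can reach."""
    return tuple(p for p in ports if evaluate(rules, src_ip, p) == "accept")

if __name__ == "__main__":
    for name, rules in (("smart host", SMART_HOST_RULES), ("direct DNS", DIRECT_DNS_RULES)):
        print(name, "from ISP relay:", exposed_ports(rules, "203.0.113.10"))
        print(name, "from internet: ", exposed_ports(rules, "198.51.100.7"))
```

Whoever is allowed through, only port 25 is ever published; everything else on the server stays unreachable, which is the advantage the reply attributes to the firewall.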