OT: Need some system advice please
Kevin Miller
Kevin_Miller at ci.juneau.ak.us
Mon Feb 26 22:08:25 CET 2007
Peter Nitschke wrote:
> Just a quick off the cuff reply.
>
> Delist the exchange server as an MX, so only have the MailScanner box
> accept email from the outside world.
>
> Use sendmail mailertable to route the processed mail to the Exchange
> box.
>
> Use smf-sav to verify users on the exchange box - eliminates
> dictionary etc attacks.
>
> Store no mail on the MS box, users can either pop or use Outlook from
> the Exchange box.
>
> Have external users also use the MS box for smtp even though they are
> popping from Exchange.
>
> Have done a few recently, works really well.

That's almost exactly what I'm doing as well, and it has worked out very
well for us. I have a couple of mx gateways running MS for redundancy
rather than just one. For outside users getting to Exchange however, we
use OWA filtered through a reverse proxy. Squid would fit the bill
nicely. Outsiders never touch the Exchange server directly, but they
can get their email quite easily. OWA is pretty robust in IE and OK in
other browsers.

The guide you mentioned is out on the wiki I think. I know it used to
be in the FAQ-O-Matic. I never liked the idea of publishing a pointer
to my Exchange server, then denying access. Made more sense to me to
run an internal and external DNS server. You can easily configure Bind
to do different views based on ACLs so your inside users see Exchange as
the primary MX, and outside users see the MS gateway. (Or build a 2nd
DNS and point inside users at it and outside users at the other.)

It's a bit more efficient making your primary MX a MailScanner box, as
the outside sending servers don't have to wait for the primary MX
(Exchange) to time out. Not that users will ever notice the few second
delay. I just think it's a bit cleaner...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907) 586-4500
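
The split-view DNS arrangement described in the message above, sketched as an added example; it is not part of the original post and not the poster's actual configuration. The domain example.com, the host names, the 10.0.0.0/8 inside range, the 192.0.2.x addresses and the zone file paths are all assumptions.

```conf
// named.conf fragment (constructed example; names, addresses and paths are assumptions)

// Clients treated as "inside". Adjust to the real internal ranges.
acl "inside" {
    127.0.0.1;
    10.0.0.0/8;
};

// Views are tested in order and the first match wins, so the
// internal view must come before the catch-all external view.
view "internal" {
    match-clients { "inside"; };
    recursion yes;

    // Internal zone file publishes Exchange as the MX, e.g.:
    //   @         IN MX 10 exchange.example.com.
    //   exchange  IN A     10.0.0.25
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;       // do not offer recursion to the outside world

    // External zone file lists only the MailScanner gateways and
    // carries no record for the Exchange host, e.g.:
    //   @    IN MX 10 mx1.example.com.
    //   @    IN MX 10 mx2.example.com.
    //   mx1  IN A     192.0.2.10
    //   mx2  IN A     192.0.2.11
    zone "example.com" {
        type master;
        file "external/example.com.zone";
    };
};
```

Once any view is defined, every zone statement has to live inside a view; `named-checkconf` will catch a stray one. Querying the MX record from an inside host and from an outside host should then return the two different answers.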