Agree. Definitely want to put something else in between. Harden a box, fully patch it (and keep it up to date with required patches), install mailsweeper with AV plugins etc or something similar on it and chuck it into the DMZ. Hardening the box properly will also lower the number of patches you are required to put on there as services, ports etc are disabled.

May want to consider redundant kit if mail is key to your organisation. This also gives you a place to park your mail if exchange decides it doesn't want to be postman for a day.

Doug

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
Sent: 29 November 2005 21:01
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: Exchange - bringing e-mail in-house

My entire point of that post though was to eliminate your exchange box being directly exposed to the internet. Not something you typically want to do.

Jeff

On 11/29/05, Philip Walley <mythinlist@xxxxxxxxx> wrote:

2003's built-in spam filter seems to be a pretty good product.

Grant, Lachlan ISMC:EX wrote:

>I've used both NetIQ's MailMarshall and ClearSwift's MIMEsweeper in a DMZ to
>handle both incoming and outgoing mail which will also stop you from putting
>your exchange server up for grabs. They both do pretty well if you've got
>the hardware for them. I preferred MailMarshall, it seemed to be more stable
>than MIMESweeper.
>
>You can do some really neat content filtering stuff with these products,
>especially if you've got a user base who likes to push the rules.... And
>also makes some pretty reports to justify more spending or anything else
>you'd like to prove.
>
>Lachlan.
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
>Of Philip Walley
>Sent: November 29, 2005 12:22 PM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: OT: Exchange - bringing e-mail in-house
>
>trend scanmail, runs on the server and works like a champ
>
>Jeff Pitsch wrote:
>
>>On those thoughts, you may want to make another box in the DMZ the
>>recipient of the mail, scan it, do whatever with it, then forward it
>>on to the exchange box. That way you protect yourself.
>>
>>Jeff Pitsch
>>
>>On 11/29/05, *Philip Walley* <mythinlist@xxxxxxxxx> wrote:
>>
>>    You'd want to change the MX and the A records I believe, but yeah, that
>>    and making sure that you have a public IP on your outside nat'd to the
>>    correct internal with port 25 open. Bingo! it works. You do need to make
>>    sure that the recipient policy is set up for your external email address.
>>    Exchange 2003 needs that to ensure that it will route it correctly.
>>
>>    Jeff Pitsch wrote:
>>
>>    > Maybe this is my ignorance but isn't it a simple change of the MX
>>    > record and making sure the proper port and IP is NAT'd through the
>>    > firewall to the server.
>>    >
>>    > Jeff Pitsch
>>    >
>>    > On 11/29/05, *Mark Mucher* <mmucher@xxxxxxxxxxxxx> wrote:
>>    >
>>    >     Sorry for the OT, but I couldn't think of a better group to steer
>>    >     me in the right direction.
>>    >
>>    >     We have Exchange 2003 on Server 2003 with internal e-mail and
>>    >     calendaring, etc. enabled.
>>    >
>>    >     The task now is to bring the external e-mail (now hosted by an
>>    >     ISP with our domain name) in-house.
>>    >
>>    >     I'm looking for a white paper, tutorial, etc. that will cover all
>>    >     the steps including routing the public IP to the Exchange server.
>>    >
>>    >     Thanks in advance for any and all suggestions.
>>    >
>>    >     Mark
>>
>>    ************************************************
>>    For Archives, RSS, to Unsubscribe, Subscribe or
>>    set Digest or Vacation mode use the below link:
>>    http://www.freelists.org/list/thin
>>    ************************************************
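
The design the thread settles on (MX points at a scanning relay in the DMZ, which forwards to Exchange) can be checked against the firewall's port-25 forwards. The following is an added example, not part of any poster's message; the hostnames, addresses, rule format and function name are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (documentation/private ranges), not from the thread.
DMZ = ipaddress.ip_network("172.16.10.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EXCHANGE = "10.0.0.5"

def audit_mail_flow(mx_hosts, a_records, nat_rules, relay_next_hop=None):
    """Return findings; an empty list means inbound SMTP only enters via the DMZ."""
    findings = []
    # Port-25 forwards on the firewall: public IP -> inside target.
    smtp_nat = {r["public"]: ipaddress.ip_address(r["target"])
                for r in nat_rules if r["port"] == 25}
    # 1. Each MX host must land on a DMZ relay, not on the mailbox server.
    for mx in mx_hosts:
        public = a_records.get(mx)
        target = smtp_nat.get(public)
        if target is None:
            findings.append(f"MX {mx} ({public}) has no port-25 forward")
        elif target not in DMZ:
            findings.append(f"MX {mx} delivers straight to {target}")
    # 2. A forward that no MX references still exposes its target: SMTP
    #    clients can connect to an IP address without consulting DNS.
    mx_ips = {a_records.get(mx) for mx in mx_hosts}
    for public, target in smtp_nat.items():
        if public not in mx_ips and target in INTERNAL:
            findings.append(f"stale forward {public}:25 -> {target}")
    # 3. If a relay is configured, it must hand scanned mail to Exchange.
    if relay_next_hop is not None and relay_next_hop != EXCHANGE:
        findings.append(f"relay next hop {relay_next_hop} is not Exchange")
    return findings

A = {"mail.example.com": "203.0.113.10"}  # constructed A record for the MX host
# Design from the first replies: public IP NAT'd to Exchange on port 25.
DIRECT = dict(mx_hosts=["mail.example.com"], a_records=A,
              nat_rules=[{"public": "203.0.113.10", "port": 25, "target": "10.0.0.5"}])
# Relay design, but the old forward on a second public IP was never removed.
RELAY_STALE = dict(mx_hosts=["mail.example.com"], a_records=A, relay_next_hop=EXCHANGE,
                   nat_rules=[{"public": "203.0.113.10", "port": 25, "target": "172.16.10.25"},
                              {"public": "203.0.113.11", "port": 25, "target": "10.0.0.5"}])

if __name__ == "__main__":
    for name, cfg in (("direct", DIRECT), ("relay+stale", RELAY_STALE)):
        print(name, audit_mail_flow(**cfg))
```

The second configuration shows the case that is easy to miss when moving to a relay: the MX record is correct, yet Exchange is still reachable on port 25 through a forward nobody removed.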