Firewall-1

Re: [FW-1] exchange 2003 best practices

Subject: Re: [FW-1] exchange 2003 best practices
From: Wayne Ho <wenghon828 AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 26 May 2004 07:55:59 -0700
I have worked in the Exchange world and the firewall
world for the same amount of time, so I can speak for
both. The best practice is to have the Exchange
engineer manage the relay, because it's difficult for
the firewall to manage open relay, blacklists,
antivirus, content filtering...
You may want to consider having a mail gateway that
includes anti-spam, open relay, content filtering
instead of having Exchange interface with Internet
mail servers directly. In addition, it will become a
headache for the firewall admin to key in ALL the mail
servers you are allowed to communicate with. It will
be a nightmare...

Exchange 2000 and Exchange 2003 by default can be
configured to avoid open relay. Exchange 2003 in
addition can also turn on reverse DNS lookup and
connect black list to verify email source addresses
before allowing them to come in.

Hope that will give you more comfort.

Thanks.

Wayne
--- daniel owen <dowencma AT YAHOO DOT COM> wrote:
> Personally I believe in defense in depth so I have
> anti relaying turned on both at my Exchange server
> and also at the anti spam server.
>
> For the e-mail admins there is a good overview of
> stopping relaying in Exchange 2000 at
> http://www.msexchange.org/tutorials/MF005.html. I
> believe, but am not certain, that most of the
> concepts should still be the same in 2003. I'm sure
> there are good tutorials for 2003 but since I'm
> still using 2000 I have not found them yet.
>
> If you want to use the firewall to block relaying
> you can use a SMTP Resource. Under the Match tab,
> Sender should be * and Recipient should be *@domain.
> If you need multiple domains you can separate them
> with a comma but I cannot remember whether there
> should be a space or just a comma. It's in the
> documentation. It's been a while since I did one of
> these and I don't have a server with this config in
> front of me to refer to but it is definitely in the
> Checkpoint documentation so it should not be too
> hard to get this right if you want to go that route.
> Just a warning: setting up resources under
> Checkpoint can create unique problems.
>
> A third option is if you are using any sort of anti
> spam filter it should include anti relaying options
> as well.
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On
> Behalf Of Matt Arntsen
> Sent: Tuesday, May 25, 2004 1:43 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] exchange 2003 best practices
>
> In an attempt to limit email relaying, I was
> wondering how others have set up their email routing
> with an Exchange 2003 email server in conjunction
> with their NG-AI R55 firewall. What is the best way
> to set it up? I currently have a static NAT rule to
> send all email inbound. Our email engineers want to
> prevent relays and are convinced it is the
> firewall's responsibility. They also want to limit
> authorized IP addresses which can connect to the
> email server. The problem I see with this is that
> you cannot block the Internet from sending you an
> email. Perhaps I am wrong but I keep telling them it
> is the function of the email server to only allow
> emails destined to our domain and refuse all others
> rather than forcing the firewall to do this. Perhaps
> I am wrong and so I am hoping I can get some
> feedback. Thanks!
>
> Matt
>






=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
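
Added example, not part of the original thread and not Check Point or Exchange code: a Python version of the anti-relay rule the thread discusses (from the Internet, accept a recipient only if it matches `*@domain`; let trusted internal hosts send anywhere), run over constructed envelopes. The domains, the 10.0.0.0/8 trusted network and all function names are assumptions, and `fnmatch` globbing stands in for the SMTP Resource matcher.

```python
import fnmatch
import ipaddress

# Assumed values for illustration; substitute your own domains and networks.
LOCAL_RECIPIENT_PATTERNS = ["*@example.com", "*@example.org"]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed (client IP, RCPT TO) pairs, not taken from any real log.
SAMPLE = [
    ("203.0.113.7", "<alice@example.com>"),
    ("203.0.113.7", "<bob@elsewhere.test>"),
    ("203.0.113.7", "<bob%elsewhere.test@example.com>"),
    ("10.1.2.3", "<bob@elsewhere.test>"),
    ("203.0.113.7", "<carol@EXAMPLE.ORG>"),
]


def split_addr(addr):
    """Split an envelope address into (local_part, lower-cased domain)."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox: %r" % addr)
    return local, domain.lower()


def relay_decision(client_ip, rcpt_to):
    """Return 'accept-local', 'accept-trusted' or 'reject-relay'."""
    try:
        local, domain = split_addr(rcpt_to)
    except ValueError:
        return "reject-relay"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "accept-trusted"
    # A bare "*@domain" glob also matches local parts that carry their own
    # routing hints (%, ! or a second @), so refuse those explicitly.
    if any(ch in local for ch in "%!@"):
        return "reject-relay"
    candidate = "%s@%s" % (local, domain)
    if any(fnmatch.fnmatchcase(candidate, p) for p in LOCAL_RECIPIENT_PATTERNS):
        return "accept-local"
    return "reject-relay"


def audit(envelopes):
    """Apply relay_decision to every (client_ip, rcpt_to) pair."""
    return [relay_decision(ip, rcpt) for ip, rcpt in envelopes]
```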
