
Re: [suse-security] Protecting Exchange with Suse proxy & postfix relay



Markus,

Great!!!

Do you know of any good books on Squid 3.0, or any docs out there that explain how to do this? Setting up SSL is new to me in general, so I want to make sure I can get a decent understanding of how Squid would work in this situation. Would the SSL session just get transparently forwarded to the Exchange box, or would there have to be some sort of authentication on the SuSE box for Squid to let it through?

Thanks again!!

Eric


Markus Gaugusch wrote:

> > I am currently trying to implement an Exchange 2000 server and it was
> > suggested by a friend that I put a SuSE box between the internet and
> > Exchange.  He suggested having Postfix relay incoming mail only to the
> > Exchange box and then allow Exchange to send out its mail through the
> > firewall (Watchguard).
> I've implemented this in my company and it is relatively easy. But we use
> two relay servers (+ MX entries), to make the relay redundant (of course
> Exchange is not, but at least the relay :)
>
> > Then for the OWA/SSL connectivity, he suggested using Apache's mod_proxy
> > & mod_ssl to protect IIS.  I am only going to allow https traffic to my
> > Exchange server.
> I did this with Squid. The 3.0 version has a special feature called
> "front_end_https", which is needed if the OWA doesn't use https (which is
> ok, in the LAN).
>
> > My question is, is this plan feasible? and does anyone know if there is
> > a how-to out there for this type of configuration?  I've never set up
> > Postfix or these Apache modules so I am hoping to find out if it's
> > possible since I don't have a lot of time to set this up due to the
> > launch date of Exchange.
> Yes, it is absolutely feasible! But I wouldn't do it with Apache.
> In any case, don't forget regular updates of BOTH machines using Windows
> Update and fou4s/YOU.
>
> Markus
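
Added example (not part of either poster's message, and not a configuration taken from the thread): a squid.conf fragment for the reverse-proxy setup discussed above, using Squid 3.0's accelerator mode and the cache_peer option spelled front-end-https in squid.conf. The hostname, backend address, certificate paths and OWA virtual directories are placeholders and assumptions. It shows that the TLS session ends on the proxy rather than being forwarded, and that Squid passes the login through to IIS instead of authenticating users itself.

```conf
# squid.conf fragment, Squid 3.0 accelerator (reverse proxy) mode.
# owa.example.com, 192.0.2.10 and the file paths are placeholders for this example.

# TLS terminates on the proxy: Squid presents the certificate and decrypts
# the session, so only this port has to be reachable from the internet.
https_port 443 accel cert=/etc/squid/owa.example.com.crt key=/etc/squid/owa.example.com.key defaultsite=owa.example.com

# Backend Exchange/IIS host, reached over plain HTTP on the LAN.
#   originserver        treat the peer as a web server, not another proxy
#   front-end-https=on  add "Front-End-Https: On" so OWA builds https:// links
#   login=PASS          relay the client's Authorization header to IIS;
#                       Squid does not check the credentials itself
cache_peer 192.0.2.10 parent 80 0 no-query originserver front-end-https=on login=PASS name=owa_backend

# Accept only the published hostname, and only the OWA virtual directories
# (assumed here to be /exchange, /exchweb and /public; adjust to the deployment).
acl owa_site  dstdomain owa.example.com
acl owa_paths urlpath_regex -i ^/exchange ^/exchweb ^/public

# Matching requests go to the backend peer and nowhere else.
cache_peer_access owa_backend allow owa_site owa_paths
cache_peer_access owa_backend deny all
never_direct allow owa_site

# Default deny: anything that is not an OWA request is refused at the proxy.
http_access allow owa_site owa_paths
http_access deny all
```

Because the hop from proxy to Exchange is unencrypted, credentials cross the LAN segment between the two machines in clear text; that segment should carry nothing but proxy-to-Exchange traffic.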

