Re: [suse-security] Protecting Exchange with Suse proxy & postfix relay

On Feb 5, Eric Kahklen <eric@xxxxxxxxxxx> wrote:

> Do you know of any good books on Squid 3.0? or any docs out there that
> explain how to do this?
I can send you my config file by private mail.

> Setting up SSL is new to me in general so I want to make sure I can get
> a decent understanding of how Squid would work in this situation.
I use TinyCA (a gtk-perl application for Linux with GUI) for creating
certificates. It's really easy with that :-)

> Would the SSL session just get transparently forwarded to the Exchange
> box? or would there have to be some sort of authentication on the SuSE
> box for Squid to let it through?
No, because that would make everything senseless. Squid terminates the SSL
connection to the client and talks in cleartext to the Exchange box. Squid
does some sanity checking on the URLs to prevent "bad" commands from
reaching the Exchange server. In fact, I'd recommend enabling IMAP on the
Exchange box and using something like Horde/IMP webmail and NOT IIS/OWA.
Apart from the calendar, everything works fine (even the address book over
LDAP!). Our users have had more complaints about the OWA web interface
(especially when using Internet Explorer(!)) than with Horde :)

To get IMAP running smoothly, there is an option on the Exchange server
that you should enable for the, because it slows down mailbox listing a
lot (it's something about "calculate exact size for each mail").

But, as someone else suggested, if there is ANY way to prevent using MS
Exchange, DO IT!! It's just a pain in the ass ... Our server doesn't even
start without manual intervention because the antivirus services (McAfee)
are not ready when started as a service, so Exchange can't start.

Virus scanning is also done on the relay servers, which I would also
recommend to you (as well as spam checking with SpamAssassin), especially
in an Outlook/Exchange environment ...
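
A squid.conf fragment for the setup described in this message (Squid terminating SSL and checking URLs in front of the Exchange box), added here as an example; it is not the poster's own config file. The host name owa.example.com, the address 192.0.2.10, the certificate paths and the OWA path prefixes are assumptions.

```conf
# Added example, not the poster's configuration. Assumed values:
# owa.example.com, 192.0.2.10, certificate paths, OWA path prefixes.

# Terminate the client's SSL session on the proxy (reverse-proxy mode).
https_port 443 accel cert=/etc/squid/ssl/owa.example.com.crt key=/etc/squid/ssl/owa.example.com.key defaultsite=owa.example.com

# Talk cleartext HTTP to the Exchange box on port 80, as the message describes.
# front-end-https=on adds the "Front-End-Https: On" header so OWA generates
# https:// links; login=PASS relays the user's credentials to the backend.
cache_peer 192.0.2.10 parent 80 0 no-query originserver login=PASS front-end-https=on name=exchange

# URL sanity checks: only the published host name and the OWA paths pass.
acl owa_host dstdomain owa.example.com
acl owa_paths urlpath_regex -i ^/exchange(/|$) ^/exchweb/ ^/public(/|$)
# A path segment that is exactly ".." (directory traversal attempt).
acl dot_dot urlpath_regex (^|/)\.\.(/|$)

http_access deny dot_dot
http_access allow owa_host owa_paths
http_access deny all

# Requests may only go to the Exchange peer, never directly to other hosts.
cache_peer_access exchange allow owa_host owa_paths
cache_peer_access exchange deny all
never_direct allow all
```

Because the proxy-to-Exchange hop is cleartext, this layout assumes both machines sit on a trusted network segment.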


