Configuring Microsoft Exchange 2000 Server for the Internet
This article presents a recommended configuration for deploying Exchange 2000 Server for the Internet and is an article in the Exchange Up-to-Date series. By limiting your Internet access to one machine and restricting all incoming Internet messages to a single entry point, this configuration protects your intranet while allowing Internet access. It gives smaller organizations direct, protected Internet access without the overhead of a firewall.
The following section details the recommended configuration for an Exchange server acting as a mail gateway. The basic configuration consists of a mail gateway configured with two network interfaces that act as the single connection point between your intranet and the Internet. You need to install a Simple Mail Transfer Protocol (SMTP) connector on one Exchange server that is configured with two virtual servers:
Virtual server 1 configuration:
Note: If your topology includes multiple Exchange organizations, you must configure virtual server 1 to relay mail.
- Home the SMTP connector to virtual server 1.
- Configure virtual server 1 to use external Domain Name System (DNS) servers, through the external DNS server list.
- Bind virtual server 1 to an intranet Internet Protocol (IP) address on port 25.
- Enter the local company domain (for example, winery-co.co).
Virtual server 2 configuration:
- Configure virtual server 2 to not relay mail (this is the default).
- Configure virtual server 2 to allow anonymous access (this is the default).
- Bind virtual server 2 to the Internet-facing IP address on port 25.
- Select the local company domain (for example, winery-co.co).
Connector and server configuration:
- Configure the SMTP connector to use DNS to route to each address space on the connector. Home the SMTP connector to virtual server 1. Create an address space of *, or an equivalent.
- Verify that there is no IP routing configuration between the two networks on your server. (This is the default configuration.)
- Use two network interface cards (NICs): an internal NIC and an external NIC.
For more information on intranet-to-Internet mail flow, see your Exchange 2000 online documentation.
Generally, the Exchange server described above is not involved in internal mail transfer. Internal mail simply flows between internal servers.
Incoming Internet Mail
Messages originating from the Internet are addressed to the gateway's Internet-facing IP address, which virtual server 2 monitors for mail. Virtual server 2 receives all incoming Internet messages. Because it is not configured to relay mail, it rejects mail that is not directed to the company's domain, for example, winery-co.co. When virtual server 2 receives a message from the Internet that is intended for a host inside the local domain, it contacts the Microsoft Active Directory™ service through the internal NIC to determine where to send the message. Messages received by virtual server 2 are therefore sent directly to the internal host.
Note: Although virtual server 2 monitors an external IP address for incoming mail, it uses whatever IP address is appropriate for routing messages, based on the entries in the routing table. Virtual server 2 uses only internal DNS services for name resolution. It is not configured with an external list of DNS servers, so it does not resolve external addresses. It rejects all messages with addresses to a domain other than the company's domain, in this case, winery-co.co.
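As an added example (not part of the original article, and not Exchange code), the following Python models the non-relaying policy of virtual server 2 and exercises it over a real SMTP exchange on loopback: the model gateway answers 250 to RCPT TO for winery-co.co and 550 for any other domain, which is the behaviour an administrator would expect to see when verifying this configuration. The gateway host name, the remote host name and the sender address are constructed for the example.

```python
import smtplib
import socket
import threading

# Constructed for this example: the gateway's own domain, as used in the article.
LOCAL_DOMAINS = {"winery-co.co"}

def rcpt_decision(rcpt_arg, local_domains=LOCAL_DOMAINS):
    """Non-relaying policy of virtual server 2: accept only local recipients."""
    addr = rcpt_arg.strip().strip("<>")
    domain = addr.rpartition("@")[2].lower()
    if domain in local_domains:
        return "250 2.1.5 Recipient OK"
    return "550 5.7.1 Unable to relay for " + addr

def serve_one_session(conn):
    """Just enough SMTP (EHLO/MAIL/RCPT/QUIT) to exercise the RCPT decision."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 gw.winery-co.co ESMTP ready\r\n")  # constructed host name
    for raw in rfile:
        verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 gw.winery-co.co\r\n")
        elif verb == "MAIL":
            conn.sendall(b"250 2.1.0 Sender OK\r\n")
        elif verb == "RCPT":
            arg = arg[3:] if arg.upper().startswith("TO:") else arg
            conn.sendall((rcpt_decision(arg) + "\r\n").encode("ascii"))
        elif verb == "QUIT":
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            conn.sendall(b"502 5.5.2 Command not implemented\r\n")
    conn.close()

def probe_relay(rcpt):
    """Run the model gateway on loopback, play an Internet sender, return the RCPT reply code."""
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    worker = threading.Thread(target=lambda: serve_one_session(listener.accept()[0]))
    worker.start()
    with smtplib.SMTP("127.0.0.1", port, timeout=5) as sender:
        sender.ehlo("mail.other-company.example")  # constructed remote host
        sender.mail("someone@other-company.example")  # constructed sender
        code, _ = sender.rcpt(rcpt)
    worker.join()
    listener.close()
    return code
```

A 250 for a local recipient together with a 550 for a foreign one is the expected result; a 250 for the foreign recipient would mean the inbound virtual server is relaying.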
Outgoing Internet Messages
Outbound messages use the SMTP connector homed on virtual server 1. External IP addresses are not generally available on an internal DNS server. When virtual server 1 receives a message directed to a remote domain, it uses the list of external DNS servers to find the IP address of the message recipient, and uses the external NIC to deliver the external mail. It is important to note that although virtual server 1 is configured to monitor the intranet IP address, it uses the Internet NIC for external mail.
Figure 1 illustrates the flow of mail through the connectors. The left side of the diagram illustrates the flow of mail that originates from intranet users.
When an intranet user sends mail to an Internet recipient, the mail is sent to virtual server 1. Because the SMTP connector is configured with the SMTP address space * and uses virtual server 1 as a local bridgehead, all mail with an external SMTP address is first routed to virtual server 1 from the appropriate internal server. Virtual server 1 uses the list of external DNS servers to resolve the Internet address and then routes the message to the Internet recipient's IP address.
The right side of the diagram in Figure 1 illustrates the flow of incoming Internet mail that is directed to internal recipients. All inbound Internet mail is sent to virtual server 2, the server that is monitoring the Internet IP address. When virtual server 2 receives an Internet message, it uses the internal DNS services to resolve the recipient address. Because virtual server 2 uses only internal DNS services, it accepts only messages directed to recipients in the local domain (in this case, winery-co.co). In addition, because virtual server 2 is not configured to relay mail, all mail addressed to recipients other than those at winery-co.co is automatically rejected.
Use the following recommendations to enhance the security of this configuration:
- Use Internet Protocol security (IPSec) policies to filter ports on the Internet NIC. Ensure that the computer is configured to accept incoming connections only on port 25 of that NIC. This diminishes the possibility of an Internet host attacking the server. For more information about IPSec policies, see the Exchange 2000 Server Resource Kit or the Microsoft Windows® 2000 online documentation.
- Strictly limit the users you allow to log on to the server.
This configuration allows a company to limit its vulnerability by minimizing the entry points from the Internet to its intranet. By preventing the virtual server on the Internet from relaying messages to other Internet hosts, you ensure that the virtual server routes only mail that is addressed to valid internal recipients. Because virtual server 1 uses an external list of DNS servers only for outgoing Internet mail, and not for routing internal mail, internal mail traffic is not affected by problems with external DNS servers. Local mail delivery continues regardless of the condition of external DNS servers. By separating incoming Internet mail, internal mail, and outgoing Internet mail processes, points of failure for any of the three processes remain distinct and more manageable.
This article is one of a series of articles on Exchange 2000 Server deployment developed from the real-world experience of early adopters. See http://www.microsoft.com/Exchange/techinfo/e2kuptodate.htm for additional information.
Tuan Nguyen is K-12 Education Marketing Manager for Microsoft Corporation's Southern California District. He may be reached by telephone at (310) 449-7408 or by e-mail at [email protected]