Using Mail Relays to Enhance Exchange Security
What Is A Mail Relay?
The first mechanism to use against attacks is a mail relay. A mail relay is basically just a simple mail server that accepts e-mails, filters them according to pre-defined criteria and then delivers them to another server. Your mail relay will only allow mail that is destined to users in your SMTP domains to be relayed to the internal server; anything addressed elsewhere is refused, so the relay cannot be abused as an open relay. A mail relay can also filter out viruses and junk e-mail if you install the right software package for it.
You would definitely want one of those so that your Exchange server is not directly connected to the Internet for inbound connections. A mail relay is typically placed in a DMZ, which is a dedicated network, protected by a firewall and separated from both the internal LAN and the Internet. This allows the firewall administrator to see who is trying to get into the mail relay and what is passing from the mail relay to the internal LAN.
Tips Regarding Mail Relay deployment
- Don't forget the mail relay! Make sure that you secure the mail relay as much as possible, install new security-related patches, etc. One of the perks of having a mail relay is that you can reboot it more often than you could an Exchange mailbox server.
Linux is not, by itself, more secure than Windows and is more difficult to manage, so make sure you have the knowledge to handle it if you choose Linux as your solution.
- Don't overdo your junk e-mail detection or you'll be fishing deleted e-mails out of your mail relay forever. It is better to choose a solution that blocks only the obvious junk mail at the mail relay level and handles the rest at the server level, delivering suspected mail to a folder in the user's mailbox where the user can review it.
- Using a different anti-virus product at the mail relay level than the one you use internally lessens the chance of infection: what one vendor's signatures miss, the other's may catch.
- Backing up a mail relay is usually not required, since it stores no mail of its own. But when your Exchange server is unavailable due to maintenance, an internal virus outbreak or a firewall problem, incoming mail piles up in the relay's queue, and you should be able to back up that queue so that a sudden crash of the relay doesn't take all your mail away.
- Monitor your mail relay queue to find out about problems sooner rather than later; a growing queue is often the first sign that the internal server or the link to it is down.
- If you have POP3/SMTP clients, use the mail relay as their outgoing mail server instead of Exchange. This allows you to uncheck the option in the Exchange SMTP virtual server's Relay settings that lets any authenticated computer relay mail, an option that Trojan attacks abuse.
Trojans steal usernames and passwords from workstations using various methods. They use these credentials to authenticate to the Exchange SMTP virtual server and then spoof the mail so that it appears to come from a valid sender at a large Internet e-mail provider, while it actually leaves from your Exchange server's IP address. If you uncheck this option, however, regular SMTP clients that you find in most large enterprises (for example, UNIX and Mac clients) will no longer be able to use Exchange to send mail. This is quite all right, as your mail relay can be configured to serve them instead.
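As an added example (not code from the original article), the relay-acceptance policy described above written out in Python: inbound mail is accepted only for our own SMTP domains and handed to the internal Exchange server, outbound mail is accepted only from clients on the internal LAN (the POP3/SMTP clients that no longer relay through Exchange), and everything else is refused as an open-relay attempt. The domain names, network ranges and Exchange host name are assumptions.

```python
"""Per-recipient relay decision for a DMZ mail relay (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed deployment values (hypothetical; not from the original article).
LOCAL_DOMAINS = {"example.com", "example.org"}          # SMTP domains hosted on Exchange
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("192.168.0.0/16")]          # LAN where POP3/SMTP clients live
INTERNAL_EXCHANGE = "exchange.internal.example.com"     # next hop for inbound mail


@dataclass
class Decision:
    accept: bool
    next_hop: Optional[str]   # where accepted mail is queued for
    smtp_reply: str           # what the relay answers at RCPT TO


def _recipient_domain(rcpt: str) -> Optional[str]:
    """Return the normalised domain of an RCPT TO address, or None if malformed."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    domain = domain.lower().rstrip(".")   # case-insensitive; tolerate a trailing dot
    return domain or None


def relay_decision(client_ip: str, rcpt: str) -> Decision:
    """Decide, for one recipient, whether the relay may take this message."""
    domain = _recipient_domain(rcpt)
    if domain is None:
        return Decision(False, None, "501 5.1.3 Bad recipient address syntax")

    # Inbound: anyone on the Internet may send to our own domains; forward to Exchange.
    if domain in LOCAL_DOMAINS:
        return Decision(True, INTERNAL_EXCHANGE, "250 2.1.5 Recipient OK")

    # Outbound: only clients on the internal LAN may use the relay to reach other domains.
    try:
        src = ip_address(client_ip)
    except ValueError:
        return Decision(False, None, "554 5.7.1 Relay access denied")
    if any(src in net for net in INTERNAL_NETS):
        return Decision(True, domain, "250 2.1.5 Recipient OK")

    # Everything else is an open-relay attempt: refuse it.
    return Decision(False, None, "554 5.7.1 Relay access denied")


if __name__ == "__main__":
    # Constructed sample RCPT TO attempts: (client IP, recipient address).
    samples = [
        ("203.0.113.5", "bob@example.com"),          # Internet -> our domain: accept
        ("203.0.113.5", "<Alice@EXAMPLE.COM.>"),     # odd casing / trailing dot: accept
        ("203.0.113.5", "victim@example.net"),       # Internet -> foreign domain: open relay, refuse
        ("10.1.2.3", "friend@example.net"),          # internal client -> Internet: accept
        ("10.1.2.3", "nobody"),                      # malformed address: refuse
    ]
    for ip, rcpt in samples:
        d = relay_decision(ip, rcpt)
        print(f"{ip:>12}  {rcpt:<24} -> {d.smtp_reply}"
              + (f"  (queue for {d.next_hop})" if d.accept else ""))
```

Real relay software expresses the same three rules declaratively (for Postfix, through relay_domains, mynetworks and reject_unauth_destination); the point of the example is that the decision is made per recipient at RCPT TO, before any message body is accepted, and that nothing here depends on a username and password that a Trojan could steal.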
Can I Use My Front End Server as a mail relay?
Front End Servers are not the ideal candidate for a mail relay, security-wise, but they can be configured as such like any other Exchange server. You would need to have at least one mailbox store available for some SMTP operations.
However, I think it is best to separate these functions and place them in separate DMZs so that compromising one of them doesn't expose both.
Virus, Trojan and denial of service attacks are quite common these days, and Exchange is a popular target for them due to its popularity and inherent vulnerabilities. Mail relays can be used to thwart most of these attacks. I'm constantly discovering that although the concept of mail relays is not new, they can be used against the latest sophisticated attacks, just as long as the relay itself is not the weakest link in the chain of e-mail delivery.