Mail server location

[HodgeHi]

Hope everyone is OK now so close to crimbo.

I have been looking into running our own mail server and have come a step closer today after looking into some info that Plexor gave me about nominet.

I have got registration details and have logged in and checked the server registered with them.

I spoke with the guys where the domain name points to and they say we can route the domain name to our servers.

Now, thats all great but where do i put the mail server. inside the network or run it in the DMZ?

At the moment the mail server is also an OD replica and so holds the passwords and stuff although it should be secure.

What would be the best way to configure this so as it is secure and everyone is happy.

I would like t to be set up well as Broadband Sandwell host them currently and said that as soon as we join their network then we will need to lose all our services as it will be a security risk. If we can make it secure now then we could possibly keep them in the future.

Hope you guys can help me.

Cheers

[SYNACK]

ISA 2006 has some really nice email server publishing wizards that filter out suspicious looking connections and allows you to run a local network server in reasonable comfort and security.

[HodgeHi]

we are using an os x mail server as we purchased an xserve to do computer management so wish to utilise the software fully.

Thanks for the reply though.

[GrumbleDook]

If you are going to use it for computer management then don't put it in the DMZ.

[HodgeHi]

I could move the mail service onto the replica (dual 1.8 Ghz G5) and the demote back to a stand alone server. Just means i will have a little more work if anything happens.

But how would i authenticate back to the main server correctly. I would need to open some pinhole ports in the DMZ and firewall the server itself pretty strongly i would think. This server would also act as the webmail server and possibly host our website.

I thought about relaying Mail through a dyndns account to our servers at one point.

This is the point where i start to get a little lost. I know what i want to achieve but lack the knowledge to get the most secure and best implementation.

[webman]

Ideally, servers that communicate with the outside world should be in the DMZ - should a server be compromised it would only potentially affect other DMZ servers and not mission-critical ones on the LAN.

Opening up a small number of ports on the firewall into the LAN server (authentication, for example) with strict IP restrictions is a lot better than having an internet server in the LAN with ports forwarded from the internet directly to it.

[HodgeHi]

excellent. The sort of information I was looking for. How do you guys do it?

Is it like webman has said or a different variation

[djm968]

Ideally, servers that communicate with the outside world should be in the DMZ - should a server be compromised it would only potentially affect other DMZ servers and not mission-critical ones on the LAN.

Opening up a small number of ports on the firewall into the LAN server (authentication, for example) with strict IP restrictions is a lot better than having an internet server in the LAN with ports forwarded from the internet directly to it.

With Exchange 2007, the client access roll (OWA OMA VOIP etc..) can sit in a DMZ with a secure connection to the Mailbox server on the LAN.

[HodgeHi]

I will be using an OS X mail server. I will look at whether it is possible to split the 2 (webmail and mail Service) to run on separate boxes. I can't see why not. Well not yet anyway.