Exchange as a gateway?

Nobody with an ounce of security sense would plug a Web connection directly to an e-mail server behind the firewall. That’s one reason why, around the time the firewall was invented, the DMZ was born. A DMZ is a network segment that sits between two firewalls: one facing the dangerous Internet and the other protecting the safe interior of the LAN. If the SMTP gateway is kept in the DMZ, the risk of a hacker taking over the mail server and using it as a jumping off point to attack the rest of the network is reduced by that extra firewall.

Until recently, Exchange wasn’t really suited for edge server duty in the DMZ, because an Exchange SMTP relay server required a full Exchange implementation, with all of the associated overhead and license costs, when all that was required was a mail gateway to relay between outside and inside.

As a result, many organizations that run Exchange internally have been opting for an open source e-mail server to act as their SMTP gateway. Common choices include Sendmail or Postfix running on Linux. These free, open source choices can be bundled with anti-virus and anti-spam packages to create a full e-mail security gateway.

Exchange 2007, however, introduces the Edge Transport Server role. This is a modified Exchange installation that includes only functions that need to run on a gateway server. And, more important, the server does not need to be a member of the Active Directory domain, reducing the chance hackers can bust open your network directory. Instead, it uses ADAM (Active Directory Application Mode) to manage a list of Exchange users permitted through the gateway. In short, e-mail that is not addressed to a valid Exchange mailbox is denied at the gateway, rather than coming all the way to the destination server.

But does that really mean it’s time to give up Postfix and go all-Redmond, all the time? Microsoft sure makes a good case for it. For one, it’s done a lot more than just basic SMTP relay functionality. Anti-virus and anti-spam functions are part of the edge transport server role, assuming the Exchange enterprise license has been purchased, and you can get it as either an in-house software purchase or as part of the Exchange Hosted Filtering Service, similar to the type of off-site e-mail filtering provided by MessageLabs.

An especially nice feature is the safe-sender function. When an Outlook user chooses to flag a specific sender as either “safe” or “blocked,” this information is now distributed to the Edge Server. This means that blocked e-mail, on a per-user basis, can now be denied at the gateway as well. Conversely, a sender known to be safe can be allowed through the anti-spam filter. And it is handled per user; Bob’s blocked sender can be Irving’s safe sender.

So with all these new features, why consider using anything else as your SMTP relay server? Cost. Microsoft’s not requiring another Exchange server license, and you’ll already have the Exchange CALs (client access licenses), but you will need a new Windows 2003 server license. Anti-virus and anti-spam also cost extra, with the hosted version requiring monthly fees. Also note Exchange 2007’s requirement for 64-bit hardware.

If those numbers don’t bother your budget, however, then the Edge Transport Server role fills a significant gap in Exchange functionality and adds a few Exchange-only features that would be harder to configure using a third-party solution.