joeypesci Posted May 14, 2011

Just messing with some VMs and DCs. Looking at Exchange now. Been running a small domain for over a year at home. Not much on it. Want to stick Exchange on to test. I've done it before so it just can send e-mails internally but was thinking of getting a domain name and just messing with the MX records to point to my Exchange. However, I know the Exchange should always be in the DMZ (which I've never set up). Just wondered how much an Exchange box is targeted? A mate ran his own very basic website from home testing and it lasted a day before it was wiped by someone getting in :)

digininja Posted May 14, 2011

I'm not sure about Exchange but I had a similar setup with Postfix, which is similar but in Linux, and didn't need to expose anything to the outside world. What I did was to set it all up to run internally and had my MX records pointing at the mailbox my ISP gave me. I then had Postfix just use IMAP or POP3 to pull the mails down from there. Don't know if Exchange can do this but I would have thought it could.

You can also set it up to relay mails outbound through their SMTP server as a lot of mail recipients won't take mail from home ISP addresses so relaying it through your ISP gives it validity in the eyes of other mail servers. Doing it like this you don't have to open any ports to the world so it doesn't matter about a DMZ.

joeypesci Posted May 14, 2011

Hmm. That's a good idea, will have to look into it. I'm with little-known Xilo.net as they do a monthly contract BB. Little more expensive than the big players but customer service is so much better. 8 free static IPs but not sure if I got free hosting or e-mail address with them.

digininja Posted May 14, 2011

You can do the same thing with a free Google Apps account.

justapeon Posted May 14, 2011

1) Zimbra (commercial and free versions available)
* Desktop client compatibility. Sync mail, contacts, and calendar to Microsoft Outlook and/or to Apple (Mail, Address Book, iCal).
* Professional administration. Real time mailbox backup and restore, high availability clustering, storage cost management.
* Zimbra Mobile. Over-the-air synchronization of mail, contacts, and calendar data with mobile devices.
* Advanced web productivity. Ability to search for content inside attachments and view attachments as HTML instead of downloading.
* Domain management. Ability to re-brand the web client and administer multiple customer domains.

2) Open Xchange (commercial and free versions available)
* Linux Compatibility. Supports 30 different Linux distributions.
* All Information in One folder. Using one folder, users can store all information needed for a particular project, including all contacts, meetings, and background information.
* Document Management. Automatic versioning, locking of documents during editing, saving from MS Office applications, and access from MS explorer.

3) Scalix (commercial and free versions available)
* Outlook Support. Offers automatic offline mailbox caching and improved PDA syncing.
* Plug-in support. Provides certified plug-ins support for Google Desktop and MSN Search, McAfee VirusScan, Symantec Norton Utilities and Captaris RightFax Outlook Extension.
* Search and Indexing Services. Real-time indexing of private and public folder messages. This results in sub-second mailbox-wide search and retrievals, even in very large mailboxes and folders.

4) Citadel
* Ajax Support. An intuitive, easy-to-use AJAX interface.
* Domain Management. Multiple domain support.
* Easy Installation. Installs in minutes without the need to manually integrate all the different components together.

5) opengroupware
* Contact Management. Saves and organizes thousands of personal and company contacts, telephone, fax, addresses, e-mail contact addresses just to mention a few. Easily configurable with extensive and speedy search capabilities, categorization and remotely accessible.
* Group Calendar. Manage meetings and events for an entire group or individual set of accounts. Attach notes to appointments. Link appointments to contacts and projects. Automatic detection of conflicts.
* Resource Planner. Keep track of your company’s resources such as automobiles, projectors or conference rooms. Searchable timeslots to check for availability of specific resources or resources assigned to a specific group. Automatically check for resource conflicts upon appointment creation.

joeypesci Posted May 15, 2011

Thanks Inventoman but the question was about Exchange and if it gets attacked a lot, not what other ones I could use instead, as I want to learn Exchange as most companies, including ours, use it. Oh and all my training videos I watch are on MS Exchange :) But might have a look at the above some time.

Infiltrator Posted May 17, 2011 (Edited May 17, 2011 by Infiltrator)

I used to run a small mail server at home and while I didn't register for a domain name I used dyndns.org instead. Very easy to maintain and no annual fees charged. My mail system was http://netwinsite.com/, never had problems with viruses or spam. It can be quite challenging to configure it at first, but once you get it up and running you can leave it running 24/7, with minor or no issues at all.

I did however run a small DC, mainly for local DNS resolutions and for distributing IP addresses, but I never set up my servers in a DMZ; I always enable port forwarding on my router. For example, instead of placing my mail server in a DMZ, I would simply forward ports 110 and 25 on the router's end. And if you need to manage your servers remotely, you could use either OpenVPN or SSH.

Jason Cooper Posted May 17, 2011

> Just messing with some VMs and DCs. Looking at Exchange now. Been running a small domain for over a year at home. Not much on it. Want to stick Exchange on to test. I've done it before so it just can send e-mails internally but was thinking of getting a domain name and just messing with the MX records to point to my Exchange. However, I know the Exchange should always be in the DMZ (which I've never set up). Just wondered how much an Exchange box is targeted? A mate ran his own very basic website from home testing and it lasted a day before it was wiped by someone getting in :)

Exchange boxes, like most systems, can be big targets, especially if you don't keep them patched. A lot of organisations like to set up a Unix/Linux/BSD box running one of the more secure mail transfer agents (MTA), e.g. Postfix. They then use that MTA server to do a lot of the processing of emails (e.g. spam filtering, dropping malformed emails, virus scanning attachments) before forwarding the emails on to their Exchange servers.

This gives them a number of benefits: the Exchange server is never in direct communication with a potential attacker, which reduces the number of possible attacks against the Exchange server. Also, when the Exchange server fails or is taken down for maintenance, the MTA server can store up the emails and then forward them on when the Exchange server is back up again. The MTA server is almost always heavily locked down, just running the SMTP service and SSH, the latter of which is only accessible from a limited number of machines.

The downside to this approach, other than the extra hardware requirement, is that your mail admins need to understand both Exchange and the MTA system in use.

joeypesci Posted May 19, 2011

Thanks. Looking into this. Last time I had SSH on one of my machines running putty, I would check the logs daily and noticed it would get hammered by at least one bot per day attempting to guess the user name and password for it.

Infiltrator Posted May 20, 2011

> Thanks. Looking into this. Last time I had SSH on one of my machines running putty, I would check the logs daily and noticed it would get hammered by at least one bot per day attempting to guess the user name and password for it.

This is not foolproof, but try changing the default port of your SSH server to a higher number and use a strong password. I know this is not an effective approach to mitigate bot attacks but try blocking the IP address if you can.

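
The daily log check and per-address blocking discussed in the two posts above can be scripted. This is an added example, not code from any poster in the thread; it assumes OpenSSH-style `sshd` syslog lines, and the sample log, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (documentation IP ranges).
# The fifth line has a client-supplied username that itself resembles log text.
SAMPLE_LOG = """\
May 19 03:12:01 home sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 19 03:12:04 home sshd[2101]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
May 19 03:12:07 home sshd[2103]: Failed password for root from 203.0.113.5 port 51251 ssh2
May 19 03:12:09 home sshd[2104]: Failed password for root from 203.0.113.5 port 51263 ssh2
May 19 03:12:11 home sshd[2105]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 51270 ssh2
May 19 08:30:15 home sshd[2290]: Failed password for joey from 198.51.100.20 port 40022 ssh2
May 19 08:30:22 home sshd[2290]: Accepted password for joey from 198.51.100.20 port 40022 ssh2
May 19 09:01:44 home sshd[2311]: Invalid user oracle from 192.0.2.77 port 33810
"""

# Greedy username plus end-of-line anchor: only the final "from IP port N ssh2",
# which sshd itself appended, is trusted as the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize_failures(log_text):
    """Return {ip: {"count": n, "users": set of usernames tried}}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            entry = stats[m.group("ip")]
            entry["count"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def block_candidates(stats, min_failures=3):
    """IPs with at least min_failures failed password attempts, worst first."""
    hits = [ip for ip, s in stats.items() if s["count"] >= min_failures]
    return sorted(hits, key=lambda ip: -stats[ip]["count"])

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    for ip in block_candidates(stats):
        s = stats[ip]
        print(f"{ip}: {s['count']} failures, {len(s['users'])} usernames tried")
```

The single failure followed by a successful login from 198.51.100.20 stays below the threshold, so an ordinary mistyped password does not produce a block candidate.
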
Jason Cooper Posted May 20, 2011

> Thanks. Looking into this. Last time I had SSH on one of my machines running putty, I would check the logs daily and noticed it would get hammered by at least one bot per day attempting to guess the user name and password for it.

The best solution I have found for this is to not allow password authentication. Move over to using public/private keys only and suddenly those failed login attempts in your logs stop appearing.

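
A check that a server really is keys-only, as the post above recommends, written as an added example that is not from the thread. It assumes the server is OpenSSH `sshd` and applies the `sshd_config(5)` rule that the first value given for a keyword wins; the three sample configs are constructed.

```python
import re

# Values sshd uses when a keyword is absent (per sshd_config(5); assumed: recent OpenSSH).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated name

# Constructed configs. WEAK: the later "no" is ignored because the first value wins.
WEAK = "PasswordAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"
HALF = "PasswordAuthentication no\nUsePAM yes\n"
HARDENED = ("PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "PubkeyAuthentication yes\nUsePAM yes\n")

def effective_settings(config_text):
    """Global-section values, keeping the first value seen for each keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # Match blocks are conditional overrides; review them by hand
        seen.setdefault(ALIASES.get(key, key), value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def password_paths(config_text):
    """List the ways a password could still be accepted under this config."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no" and s["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM can still prompt for a password")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled, so keys cannot be used")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HALF", HALF), ("HARDENED", HARDENED)):
        print(name, password_paths(cfg) or "keys only")
```

The `HALF` case is the common slip: `PasswordAuthentication no` alone still leaves the PAM keyboard-interactive prompt available.
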