From: Nataraj on
Noel Jones wrote:
> On 5/5/2010 1:06 PM, Nataraj wrote:
>> Mike A. Leonetti wrote:
>>> Thanks for the reply, Nataraj.
>>> I did see that online and the server does have SASL Auth working, but we
>>> are having a difficult time getting it to try and provide a
>>> username/password on the Exchange server so I was wondering if there was
>>> a way to get around that.
>> Personally, I have more experience with replacing exchange servers than
>> with making them work, however I would think that recent versions of
>> exchange would support SASL authentication. If you really can't
>> implement authentication, I can think of a few other ideas.
>> I'm guessing that this situation might be internal to your organization.
>> If your DNS is fairly secure and the exchange server updates dynamic DNS
>> reliably, you could check that somehow. Alternatively you could run an
>> SMTP submission server on another port and protect it with a dynamically
>> updated firewall list, or something like fwknop, but you would probably
>> be challenged with getting the client to authenticate with FWKNOP. These
>> latter approaches could have tiny holes in them, depending on the
>> frequency with which your dynamic ip address changes and how quickly you
>> verify on the new ip address, but if this is within your corporate
>> network it might not be too bad.
>> Nataraj
> Also, if the exchange server is a box under your control you can use a
> VPN. OpenVPN is pretty easy to set up and works under Windows and
> virtually every flavor of *nix.
The VPN idea is a good one; however, I would want to make sure to either
have iptables access lists or something to protect my mailserver from
unrestricted access from the exchange server. This is fairly easy if
you know how to use iptables or one of the user-friendly front ends to it.
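
Added example, not part of the original thread: one way to express the access list suggested above, as a script that validates its inputs and emits an iptables-restore ruleset allowing the Exchange host to reach only the mail port over the VPN interface. The interface name `tun0`, the address `10.8.0.6`, port `587` and the chain name `VPN_IN` are assumed values, not taken from the thread.

```shell
#!/bin/sh
# Added example (assumed values: tun0, 10.8.0.6, 587, chain VPN_IN).
# Review the output, then load it with:
#   sh vpn-acl.sh tun0 10.8.0.6 587 | iptables-restore --noflush --test
# and drop --test once the ruleset parses cleanly.

valid_ipv4() {
    # Accept only a dotted quad whose four octets are each 0-255.
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

gen_rules() {
    vpn_if=$1 exch_ip=$2 port=$3

    # Refuse anything that could smuggle extra rule text into the output.
    case $vpn_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    valid_ipv4 "$exch_ip" || { echo "bad address" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port" >&2; return 1
    fi

    # Everything arriving on the VPN interface goes through VPN_IN:
    # replies to existing connections pass, the Exchange host may open
    # new connections to the mail port only, and the rest is logged
    # and dropped so the tunnel does not expose other services.
    cat <<EOF
*filter
:VPN_IN - [0:0]
-A INPUT -i $vpn_if -j VPN_IN
-A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A VPN_IN -s $exch_ip/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A VPN_IN -j LOG --log-prefix "vpn-in-drop: "
-A VPN_IN -j DROP
COMMIT
EOF
}

if [ "$#" -eq 3 ]; then
    gen_rules "$@"
fi
```

With `--noflush`, loading the output a second time appends another `INPUT` jump to `VPN_IN`, so remove the old jump first or load it once from the boot-time ruleset.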