Newbie-ish advice needed on remote access and IIS and mail

Status
Not open for further replies.

robatwork

IS-IT--Management
May 15, 2003
107
GB
Hi,
I run a small network that has a hardware firewall/router and broadband, and a W2K server running some mail server software (POP3). All works fine, but now some users want to remotely access their email.

The mail server software will work with IMAP, and I've tested it internally, but to allow people in from home, (and I quote from the mail server instructions) "IIS is only needed for webmail. IMAP runs on port 143, so if you wish to use IMAP remotely then you need to open this port. If users need to send messages then the SMTP port will need to be open too (port 25)."

So I'm 1) frankly petrified of running IIS and opening the server up to the world 2) vaguely hearing the phrase DMZ in my mind but don't really know what it is.

Is it safe to open up port 143? Will I have to write a firewall rule to allow it?

Be grateful for reassurance, or otherwise...
-Rob
 
Based on the information in your post, I am assuming that a remote VPN tunnel is not in place.

A quick solution is to hang the mail server off the DMZ and allow only your remote IP addresses to pass through the firewall via port 143. This can be a management nightmare with the likelihood of remote users being on broadband. From a management standpoint, this is not a very good solution.

The easiest way is to just hang the mail server off the DMZ and allow any external IP addresses to access the mail server on port 143. This is by no means secure.

Another way would be to use Outlook Web Access (OWA) via SSL (Supported with Exchange). This would require that all remote clients use a certificate authentic to your web server in order to access their mail. This solution also creates a secure tunnel from the client’s remote workstation to your web server. NOTE: this operates over port 443 and the firewall would need to allow this inbound.

The final thing to keep in mind is that you are using broadband. If you do not have a business account with the provider, you have a good chance of your IP address changing on a regular basis (most DHCP leases are 7 days). A patch for this is Dynamic DNS and making sure that your remote clients use the name vice the IP address for mail access.

Hope this gives you some ideas. Your situation is not unique and I am sure you can find similar scenarios to follow step by step.
 
Thanks for taking the time to reply - the problem is that the mail server IS the main windows server, at least for the time being.

I guess I need to move the mail server onto a different PC to get anything remotely secure...

regards
ROb
 
Keep in mind that using the DMZ is an option. This is typically used for placing your externally accessed services.

This creates a separate segment on your network and reduces the amount of exposure.

You can, however, place an ingress hole through the firewall that will allow external access of the main windows server on port 143 for IMAP or port 110 for POP3. You could also go the Outlook Web Access route with SSL and allow access on port 443.
 
Thanks,

Can opening up 143 on the firewall expose me to any nasties?

Rob
 
Opening up any holes on your firewall can potentially expose you to nasties. Unless you are using a proxy/application based firewall it is very difficult to validate the integrity of the traffic that is flowing over the opened port.

Just make sure that your server is up to date on the patch department and that you are using the latest version of software.
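
A way to verify the firewall change discussed in this thread, added here as an example that is not part of the original posts: run from a machine outside the network, it checks that only the ports you meant to open (for example 143) answer and shows what the IMAP greeting discloses about the server software. The port 80 entry, the function names and the host argument are assumptions of this example.

```python
import socket
import sys

# Ports named in the thread: SMTP, POP3, IMAP, HTTPS (webmail/OWA).
# Port 80 is an assumption added here, since the poster wants IIS kept off the Internet.
THREAD_PORTS = {25: "SMTP", 80: "HTTP (IIS)", 110: "POP3", 143: "IMAP", 443: "HTTPS"}

def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_exposure(host, intended, candidates=THREAD_PORTS, timeout=2.0):
    """Compare what answers with what the firewall rule was meant to allow.

    Returns (unexpected_open, intended_but_closed) as sorted lists of ports.
    """
    ports = set(candidates) | set(intended)
    open_ports = {p for p in ports if is_reachable(host, p, timeout)}
    unexpected = sorted(open_ports - set(intended))
    missing = sorted(set(intended) - open_ports)
    return unexpected, missing

def read_greeting(host, port=143, timeout=2.0):
    """Return the first line the server sends on connect.

    An IMAP server greets with '* OK ...', often naming its software and
    version, which tells you what an outsider learns before logging in.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(512)
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace")

if __name__ == "__main__":
    # Usage: python check_exposure.py <your-public-hostname>  (placeholder argument)
    host = sys.argv[1]
    unexpected, missing = audit_exposure(host, intended={143})
    for p in unexpected:
        print(f"UNEXPECTED: {p} ({THREAD_PORTS.get(p, '?')}) is reachable")
    for p in missing:
        print(f"MISSING: {p} was meant to be open but does not answer")
    if 143 not in missing:
        print("IMAP greeting:", read_greeting(host))
```

Run it from outside the firewall (a home connection, for instance), since a test from the internal network does not pass through the inbound rules.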
 