secure webmail to mail server?

[markrich]

I am about to install an instance of Scalix Webmail to a second machine in our DMZ seperated from the mail server via a firewall. In this case, ipCOP.

What is the most secure and practical way of allowing this machine to talk to the mail server inside the network?

A VPN perhaps? Fixed tunnel from mail server to Webmail?
I would rather limit the connections through the firewall only to those which the Webmail and the Scalix server needs.

Marky

[CharlieBrooks]

Wouldn't it make more sense to put the SWA server behind the firewall, and only allow HTTPS connections incoming to it? Keep your patchlevels up to date on apache and tomcat, get a cheap SSL cert, and you'll be simple, secure and easily maintainable.

If you put the SWA machine outside the firewall, you effectively have more holes in your wall (the holes are virtual if you VPN or CIPE or something, but that really doesn't matter) since the SWA machine needs to talk on more than one port... including the IMAP port which I personally would not open on my firewall. And your overall configuration will be much more complex, and therefore less reliable. I think you will also multiply the traffic through your firewall, since the communication between SWA and a scalix backend seems much bulkier than communication between the user and SWA.

Obviously if you don't keep up with patches on the SWA server you will be vulnerable to attack no matter what you do. A distribution with strong patch management, such as SuSE or Red Hat for example, seems like a good idea.

[markrich]

The new webmail machine is outside of the core network but in the DMZ. Both servers are protected by a firewall.

I just need to learn what the ports are which webmail uses to talk to the mail server then I'm fine.

Marky

[markrich]

I still am struggling to locate the ports I need to open between my DMZ webmail installation and the core mail server in the network.

Can anyone advise?

[florian]

are you running only SWA or a full front-end server with SWA, Scalix Messaging Services platform and Postgres database on your DMZ machine?

if swa and the rest is running on your backend server:
SWA-to-backend: port 143/tcp (IMAP), port 25/tcp (SMTP) OR - better - port 587/tcp (SMTP-SUBMIT - both Server and SWA need to be configured for this), port 389/tcp (LDAP) and port 80/tcp (HTTP)

If the SMS is running inside the DMZ, too:
port 143/tcp (IMAP), port 25 or 587/tcp (SMTP or SMTP-SUBMIT), port 389/tcp (LDAP), port 5768/tcp (Scalix Event Server)

This should actually be documented in the Installation Guide.

Florian

[markrich]

It's only webmail I want on the DMZ machine. All the other services are running on the main mail server.

I'll give your suggestions a go.

[evolvedix69]

I would rather absolute the access through the firewall alone to those which the Webmail and the Scalix server needs.