There are some things that should never be done. One of those things is deploying an unprotected, Internet-facing Exchange server. Yet it’s done all the time, sometimes with disastrous consequences.
As a Networking Administrator and now a Consultant, there is something I learned a long time ago: security is a dish best served in layers. This is one of those written-in-stone laws of networking that, when ignored or flouted, will always end badly. It is my firm belief – if you can help it – there should never, ever be a clear path from the Internet to an Exchange server on anyone’s network.
With the release of Exchange 2007 and now 2010, Microsoft is really addressing this and making it much easier, albeit expensive, to protect the primary Exchange server holding the mail-store where everyone’s email messages, calendar events and contacts live. I say expensive because in order to protect that primary server you need at least two other machines, which means two more operating systems and the associated hardware and service costs.
Thankfully, though, there are technologies available that can mitigate threats before they become a problem. One of those technologies is Linux, a free, open-source operating system that has been around for a good many years now and, in fact, is responsible in no small way for keeping the Internet running. Setting up a Linux machine, even on older hardware, to serve as an email gateway that faces the Internet and sits between the Internet and an Exchange server is a very well-tested method of protecting a company’s Exchange server.
Since there are no licensing costs, the only costs involved are all at the front end, and if the gateway is prepared properly it requires very little in the way of maintenance. One of the things I personally like most about Linux mail servers is that they simply run and keep on running until you shut them down. They don’t complain, or crash, or require gobs and gobs of extra software to protect them, thus raising operational overhead. That is not to say you can simply load the OS, connect it to the network and expect everything will magically sort itself out just the way it’s supposed to be. There is some work that needs to be done, configuration on the system itself that needs to happen before all the really cool stuff can take place. But when it’s all said and done, for any small to medium-sized business that wants to host its email in-house without a lot of cost or hassle, you can more than adequately protect your Exchange server with a Linux gateway.