Port 25 on CAS server - any security concerns?

  • Question

  • We are thinking about moving away from using a smarthost provided by our ISP for delivering mail and opening up port 25 on our hub transport server to deliver mail directly to the Internet.  At the moment we have 2 servers:

    Server1: CAS/MBX/HUB

    Server2: CAS/MBX/HUB

    Server1 is accessible from the Internet for OWA so if we were to open up port 25 for SMTP would this pose any sort of security concern or are we better off with a separate hub transport server with the relevant ports open?

    Wednesday, June 22, 2011 7:46 PM

Answers

  • You aren't gaining anything from a security point of view using a separate hub transport server. They are deployed for load reasons.

    If you are concerned about security, then look at deploying TMG/ISA in front.

    Personally I have no issue with having traffic coming directly in to Exchange and have done so for most of my clients.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    • Marked as answer by adamf83 Friday, June 24, 2011 12:06 PM
    Wednesday, June 22, 2011 9:59 PM

All replies

  • For mail flow to the Internet, you should open port 25 on the Hub Transport server. Regarding mail flow security, I would like to share with you the following article about SMTP connectivity security.

    http://www.shudnow.net/2008/02/10/client-to-server-secure-smtp-connectivity-in-exchange-server-2007/

    Thanks.

    Novak Wu

     

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
     
    Thursday, June 23, 2011 7:44 AM
  • How are things going? If there is any progress or question, please feel free to post it here.

     

    Thanks.

    Novak Wu

    Friday, June 24, 2011 7:35 AM
  • You aren't gaining anything from a security point of view using a separate hub transport server. They are deployed for load reasons.

    If you are concerned about security, then look at deploying TMG/ISA in front.

    Personally I have no issue with having traffic coming directly in to Exchange and have done so for most of my clients.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.


    Simon,

    Thanks for that, it answers my question.

    Cheers

    Adam.

    Friday, June 24, 2011 12:06 PM