Exchange - SMTP
- Security Issues -

Microsoft's Security site is a good place to start looking at general NT issues: http://www.microsoft.com/security

In addition, there is a relevant knowledge base article:
Q176466: XGEN: TCP Ports and Microsoft Exchange: In-depth Discussion

There is an NT Security Mailing list that discusses these issues in depth. To join, send e-mail to request-ntsecurity@iss.net and, in the text of your message (not the subject line), write: subscribe ntsecurity

1. Proxy and Exchange are separate servers.
   Your outbound mail will flow fine as it can use the generic Winsock Proxy to make the outbound SMTP connection.  But inbound you need something extra. In particular, you need to add an SMTP relay agent on the Proxy server.  The EMWAC mailer that is in the NT Resource Kit and available from http://emwac.ed.ac.uk. There are also others available.  You configure inbound mail to go to the Proxy server, then the mail relay sends it to your Exchange server.
2. Proxy and Exchange are on the same server.
   This will work just fine.  The security is a disaster though. Make sure you disable the bindings for NetBIOS-over-TCP on the RAS adapter.  We would also recommend installing RRAS and tightly filtering the ports allowed in.

The latest proxy 2.0 FAQ describes this quite well (posted to the microsoft.public.proxy or microsoft.public.proxybeta newsgroups at msnews.microsoft.com weekly). To paraphrase:

1. Install proxy server
2. Enable Dynamic Packet Filtering on the Proxy Server
3. Install the Winsock Proxy (WSP) client software from Proxy 2.0 on the internal Exchange Server
4. In the %ExchangeServer%\Connect\MSEXCIMC\BIN directory create a file
   "WSPCFG.INI" with contents:
   [MSEXCIMC]
   ServerBindTcpPorts=25
   Persistent=1
   KillOldSession=1
5. Restart the IMC / IMS
6. Configure External DNS records to point MX record at Proxy Server

Based on the assumption the firewall relays SMTP, you have separate internal and external DNS, and there is a Unix mail community in addition to your Exchange community. (If you only have Exchange inside the firewall, it is much simpler).

Both of these are an increasingly severe problem.  SPAM is typically Unsolicited Commercial Email (UCE), adult material, or general junk sent to thousands of recipients and containing forged or spoofed headers.  The result is extra load on your server, and extra load on the poor soul whose address may have been put in the reply-to header.   Since most reputable ISP's will cancel the account of anyone sending this type of mass mailing, the spammers have resorted to Unauthorized Mail Relaying.  Instead of sending out all the mail through their ISP's mail host, they find a random mail host on the net that is configured to relay mail and use it.  If you are not careful, it may be your Exchange server that is used to send 10,000 - 10,000,000 mail messages advertising the latest ponzi scheme.  In addition to the crisis the sending itself creates, the backlash from the net will surely crash your system.

Blocking SPAM is pretty tough, though Outlook 98 adds a rather efficient rules engine to handle a good bit of the mail (it's cutting out about 75% of our junk mail).  You can also block inbound mail from particularly nefarious IP addresses.  The problem with this is that most of you have secondary MX records (you really should too).  When you block delivery from a particular IP address, it will fall back to your secondary MX and deliver it there.   The secondary host will then, with full acceptability, deliver the message to you.   You could remove the secondary MX, but this would create other reliability problems.  You could also have your ISP block the same list of IP's - though they may be unwilling to maintain this list for you as a special case.

Exchange 4.0 - will not relay mail unless the BOResKit IMCEXT.DLL is installed. Solution - do not install it.