Ask the Expert

The risks of putting the e-mail server in the DMZ

Currently our internal e-mail server is located on a computer behind the firewall like everything else. Our database administrator has asked that I move our e-mail server to the DMZ so that the database can link with the e-mail system. Apparently, the functionality he wants will only work if the e-mail server is in the DMZ. Is there a particular risk in doing this, and if so, how can I eliminate or reduce the risk?

    Requires Free Membership to View

Anytime you put a corporate system open to the Internet there is a risk involved. However, if you build the system properly you can reduce the risk. Start by using two network adapters. One for the DMZ and the other for internal access. Make sure you set up port filtering on the networks cards and only let traffic that is needed through. If you can move Web mail off your mail server and onto another server this will also help (keeping IIS out of the DMZ). Thoroughly check all NTFS permission for security vulnerabilities. For example, replace the "Everyone Group" with "Authenticated Users" wherever possible. As, always make sure you system is up-to-date with patches.

For more info on this topic, check out these resources:
  • Network Security Tip: Choose the right firewall topology
  • Guest Commentary: Secure content management -- Looking beyond antivirus software
  • This was first published in August 2003

    There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: