
	Home > Ask the Security Experts > Network Security Questions & Answers > How to configure firewall ports for webmail system implementation

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to configure firewall ports for webmail system implementation

EXPERT RESPONSE FROM: Mike Chapple, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 19 January 2009
A reader previously asked you; "If public mail servers are located in a DMZ, what is the procedure for channeling internal mail through the firewall?" What you explained in this article is exactly what my company is implementing. Under such a network structure, how could I implement a webmail system? Is it secure to configure the firewall to open port 80 and port 433 and allow direct access to my internal mail server without going through the DMZ? If not, what other options do I have?

BROWSE BY TAG

Network Security, DMZ Setup and Configuration, NAC and Endpoint Security Management, Enterprise Network Security, Application and Platform Security, Email Protection, Email Security Guidelines, Encryption and Appliances, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Network Security
	How to set up a split-tunnel VPN in Windows Vista
	What is the difference between static and dynamic network validation?
	Port scan attack prevention best practices
	Securing the intranet with remote access VPN security
	How to prevent network sniffing and eavesdropping
	How to implement virtual firewalls in a complex network infrastructure
	How to manage network bandwidth with distributed ISP bandwidth
	How to edit group policy objects to give a user local admin rights
	How to prevent operating system cloning with AES 256-bit encryption
	How to securely connect a LAN POS to a remote point-of-sale device

DMZ Setup and Configuration

Endpoint protection best practices manual: Combating issues, problems

How to set up a DMZ

When should a database application be placed in a DMZ?

How will many firewalls serving as the default gateway affect the DMZ?

Should a domain controller be placed within the DMZ?

If one server in a DMZ network gets attacked from outside, will the other servers be corrupted?

Should an ISP keep corrupted machines off of a network?

A security checklist: How to build a solid DMZ

Server considerations for internal network application setup

How is internal mail channeled through an enterprise firewall?

Email Security Guidelines, Encryption and Appliances

How to confirm the receipt of an email with security protocols

Best Email Security Products

Can an IP spoofing tool be used to spam SPF servers?

WatchGuard acquires email and Web security vendor BorderWare

McAfee to acquire email SaaS vendor MX Logic

What does 'invoked by uid 78' mean?

Fierce competition prompted new Cisco email security options

Cisco brings email security appliances closer to SaaS

Cisco offers more email security choices, but lacks vision

Information security book excerpts and reviews

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

DMZ (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

There isn't a clear-cut answer to your question, as this is a topic of debate in the security and email communities. Generally speaking, I'm a member of the camp that recommends always placing any server accessible from the Internet into the DMZ. If you're going to allow users to access webmail without requiring a VPN connection, this is definitely my first choice. Placing the webmail server in the DMZ limits the ability of an attacker to use the webmail server to compromise the internal network.

However, there are several factors that complicate the answer to this question. Many email systems, especially Microsoft Exchange, make it quite difficult to separate the webmail front end from the email back end. They require punching so many holes in the firewall -- to allow communication between the two systems -- that they limit the effectiveness of placing them in different network zones.

If you have some flexibility in your network topology, one potential workaround is to create a separate email network zone that is firewalled from both the DMZ and your internal network, and then place both the email and webmail servers in that zone. You may then allow client access there over traditional "fat client" ports from the internal network and webmail ports from the Internet.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy