Exchange as a gateway?

(Written with Jamie Bernstein)

Nobody with an ounce of security sense would plug a Web connection directly to an e-mail server behind the firewall. That's one reason why, around the time the firewall was invented, the DMZ was born. A DMZ is a network segment that sits between two firewalls: one facing the dangerous Internet and the other protecting the safe interior of the LAN. If the SMTP gateway is kept in the DMZ, the risk of a hacker taking over the mail server and using it as a jumping off point to attack the rest of the network is reduced by that extra firewall.

Until recently, Exchange wasn't really suited for edge server duty in the DMZ, because an Exchange SMTP relay server required a full Exchange implementation, with all of the associated overhead and license costs, when all that was required was a mail gateway to relay between outside and inside.

As a result, many organizations that run Exchange internally have been opting for an open source e-mail server to act as their SMTP gateway. Common choices include Sendmail or Postfix running on Linux. These free, open source choices can be bundled with anti-virus and anti-spam packages to create a full e-mail security gateway.

Exchange 2007, however, introduces the Edge Transport Server role. This is a modified Exchange installation that includes only functions that need to run on a gateway server. And, more important, the server does not need to be a member of the Active Directory domain, reducing the chance hackers can bust open your network directory. Instead, it uses ADAM (Active Directory Application Mode) to manage a list of Exchange users permitted through the gateway. In short, e-mail that is not addressed to a valid Exchange mailbox is denied at the gateway, rather than coming all the way to the destination server.

But does that really mean it's time to give up Postfix and go all-Redmond, all the time? Microsoft sure makes a good case for it. For one, it's done a lot more than just basic SMTP relay functionality. Anti-virus and anti-spam functions are part of the edge transport server role, assuming the Exchange enterprise license has been purchased, and you can get it as either an in-house software purchase or as part of the Exchange Hosted Filtering Service, similar to the type of off-site e-mail filtering provided by MessageLabs.

An especially nice feature is the safe-sender function. When an Outlook user chooses to flag a specific sender as either "safe" or "blocked," this information is now distributed to the Edge Server. This means that blocked e-mail, on a per-user basis, can now be denied at the gateway as well. Conversely, a sender known to be safe can be allowed through the anti-spam filter. And it is handled per user; Bob's blocked sender can be Irving's safe sender.

So with all these new features, why consider using anything else as your SMTP relay server? Cost. Microsoft's not requiring another Exchange server license, and you'll already have the Exchange CALs (client access licenses), but you will need a new Windows 2003 server license. Anti-virus and anti-spam also cost extra, with the hosted version requiring monthly fees. Also note Exchange 2007's requirement for 64-bit hardware.

If those numbers don't bother your budget, however, then the Edge Transport Server role fills a significant gap in Exchange functionality and adds a few Exchange-only features that would be harder to configure using a third-party solution.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Oliver Rist

Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?