What are the security norms that one should consider to meet these objectives?
From a security perspective you need to make a decision concerning:
- How sensitive the assets are on your internal network and Exchange server.
- How much you're willing to invest in securing the assets concerned.
I would recommend at a bare minimum a well-configured firewall between your Exchange server and the Internet. Most organizations choose to have a front-end/back-end configuration involving two Exchange servers, with one in a Demilitarized Zone (DMZ) protected in the front end by a firewall and isolated from your corporate network by another firewall or well-configured router. The back-end server would be where all your mailboxes reside and would therefore not be directly on the Internet.
Depending on the size of your organization and how sensitive and valuable your corporate assets are, there are all sorts of incremental enhancements to this architecture. Some involve pulling the front end servers back from the DMZ and using other SMTP relay hosts. Some involve multiple firewalls and isolated networks. It all depends on how much you're willing and interested to spend in order to secure your assets.
This was first published in June 2004