Webmail

[Maestr0]

Originally posted here by RoadClosed
yes that is what I am saying, in active directory the user name is the same as the mailbox name. It has to be and if that isn't true then I am implementing things wrong. The inbox IS the same as the log in name under active directory.

Yes, this is true, I was a bit hasty in my last statement,the exchange server identifies the mailbox by the NT account but when connecting will use the Display name made from lname,fname but can be whatever you want(I believe). So your NT account may be smithr03 but will display as Smith,Bob not that it really matters since exchange will attempt to match the name for you Regardless, without an exploit for exchange I dont see a brute force attack on an exchange server as worth anything(especially since we're assuming you already have a user account, unless the admin is a talking donkey and leaves his exchange server on the internet) when there are much better and faster ways to skin the cat.

-Maestr0

[gore]

I added to my how to be leet thing:

http://www.antionline.com/showthread...hreadid=245824

Heh, just in case someone needed to be an awesome Hax0r quick.

[RoadClosed]

unless the admin is a talking donkey and leaves his exchange server on the internet)

Hee Haw Hee Haw, loved that quote. I am so paranoid of my exchange server I have considered placing another send mail server in front of it to hide it's actual IP. But I figure I am ok since I am ONLY allowing port 25 to that box. Still.... always thinking, always thinking...

[ammo]

Originally posted here by RoadClosed


Hee Haw Hee Haw, loved that quote. I am so paranoid of my exchange server I have considered placing another send mail server in front of it to hide it's actual IP. But I figure I am ok since I am ONLY allowing port 25 to that box. Still.... always thinking, always thinking...

As long as you don't allow POP with cleartext passwords... That really would be a bummer!
"It ain't paranoia when there really is someone after you!"


Ammo

[mohaughn]

maestro- we are agreeing. I never said that a brute force attack against OWA would be effective, just given what little the person who opened this thread said, that is the only thing I can figure that they were trying to do. Determine the NT account name, based on the email address to then try and hack the email account.

Roadclosed- It is a very very good idea to put a unix based sendmail system(or other SMTP mail daemon) in front of an exchange server. The main reason being that there are a lot of really good and free SMTP utilities for Unix that do not exist for Exchange. We actually have three layers in front of our exchange servers. But we are moving a couple million messages a day.

[RoadClosed]

no POP at all, not even Diet Pepsi. Considering opening Exchange's web interface. It's a nifty tool, weighing the benefit or access vs. risk.

Yes indeed, I am moving toward adding that nix sendmail in front as time allows. I figure my bandwidth could do just fine with the little 400mhz box I see begging to be loaded with nix over in the corner.

[gore]

Originally posted here by RoadClosed
no POP at all, not even Diet Pepsi. Considering opening Exchange's web interface. It's a nifty tool, weighing the benefit or access vs. risk.

Yes indeed, I am moving toward adding that nix sendmail in front as time allows. I figure my bandwidth could do just fine with the little 400mhz box I see begging to be loaded with nix over in the corner.

Just my personal opinion but I would use Postfix instead of sendmail.

Sendmail has alot of insecurities and postfix is a little more secure. Might wanna look into that. Not going at telling you what to do but just a suggestion