I don't buy it. Those are weak excuses for bad policies. I'm not aware of any problems with Exchange working in a DMZ, as long as the clients inside the trusted network initiate the connection, even so, lets say you dont want Exchange in a DMZ because it sucks, fine. You run a fetchmail from your Exchange to get the mail from the DMZ. As for passwords, DONT USE PLAIN TEXT PROTOCOLS, this isnt 1985, Exchange and everyother groupware solution on the planet supports secure authentication, besides if someone 0wns the relay server in the DMZ, they can read all the mail anyway and dont need any passwords. You should not allow conections from the DMZ to the trusted network, its not secure.