[CentOS] Replacing my Scalix mail server

Tue Mar 31 18:11:26 UTC 2009
Robert Moskowitz <rgm at htt-consult.com>

Les Mikesell wrote:
> Robert Moskowitz wrote:
>> Les Mikesell wrote:
>>> Robert Moskowitz wrote:
>>>>> Qmail is fantastic, have used for years, but for workgroup,
>>>>> calendaring features, Zimbra is the way.
>>>> I have decided to give SME a go. It provides Qmail on Centos 4.7, with 
>>>> Centos 5.2 in beta.
>>>> I chose SME because I also have to replace an NT server here as well, so 
>>>> it makes a good fit.
>>>> I have a test system working and building the mailserver replacement 
>>>> system now. Then I will build the NT server replacement.
>>> Depending on the number of users, a single machine might easily serve 
>>> both roles (and your internet gateway/firewall too, if you need one).
>> Not many users, but there are security/privacy issues for the separation.
>> Also I would NEVER consider running SMB services on a gateway/firewall 
>> and I need IPv6 support anyway on the gateway/firewall. So far I have 
>> used Astaro with roll-your-own (Astaro predates the IPv6 /48 
>> allocation), and I am getting a 'nice' box from a vendor I work with...
> Agreed that separation is theoretically safer, but the scripted 
> configuration on SME takes care of most of the things you would be 
> likely to forget if you did it by hand (setting up iptables firewalling, 
> hosts.allow, binding services only to the appropriate interface, adding 
> ip range restrictions within the app configs, etc.).

My concern is not 'out of the box', and even there I have problems with 
their 1st update procedure. I have problems with the time lag between 
security bugs and updates applied.

Gateway/firewalls have to be very conservative on services offered. 
There are ways to virtualize this, but SME has not done that.

> The down side of two machines is that stock SME doesn't use LDAP network 
> authentication and it does some handy tricks with groups that span both 
> email and file permission/sharing concepts.

In my case, all the more reason to separate them, as many of the people 
with emails, even in my domain, do not get shares access. They are my
remote family members.

And most emailing is done via Thunderbird.