[CentOS] Replacing my Scalix mail server

Tue Mar 31 21:30:00 UTC 2009
Les Mikesell <lesmikesell at gmail.com>

Robert Moskowitz wrote:
> >
>>> Also I would NEVER consider running SMB services on a gateway/firewall 
>>> and I need IPv6 support anyway on the gateway/firewall. So far I have 
>>> used Astaro with roll-your-own (Astaro predates the IPv6 /48 
>>> allocation), and I am getting a 'nice' box from a vendor I work with...
>> Agreed that separation is theoretically safer, but the scripted 
>> configuration on SME takes care of most of the things you would be 
>> likely to forget if you did it by hand (setting up iptables firewalling, 
>> hosts.allow, binding services only to the appropriate interface, adding 
>> ip range restrictions within the app configs, etc.).
> My concern is not 'out of the box', and even there I have problems with 
> their 1st update procedure. I have problems with the time lag between 
> security bugs and updates applied.

Nearly all config changes on SME are done through its web interface and 
all of the appropriate iptables/hosts.allow/apps configs are re-written 
as needed each time by the underlying scripts.  The updates for the 
applications themselves should track CentOS very closely since much of 
it is unchanged (except the mail system).  You can just log in as root 
and do a 'yum update' if you have any trouble with the admin page hiding 
that from you.  You just have to run a couple of commands that it will 
suggest afterwards.

> Gateway/firewalls have to be very conservative on services offered. 
> There are ways to virtualize this, but SME has not done that.
>> The down side of two machines is that stock SME doesn't use LDAP network 
>> authentication and it does some handy tricks with groups that span both 
>> email and file permission/sharing concepts.
> In my case, all the more reason to separate them, as many of the people 
> with email, even in my domain, do not get share access. They are my 
> remote family members.

Having many different groups with different settings isn't a problem. 
You don't have to give shares to any particular group.  But it saves 
time to be able to add members to a group and end up with both a mail 
alias that includes them and a group that can be given access to a file 
share or ftp location.

> And most emailing is done via Thunderbird.

That's not particularly relevant - if you access from more than one 
location you might want to set up IMAPS access so all the messages are 
stored on the server and available through the Horde web interface if 
you aren't at your usual client(s).

   Les Mikesell
    lesmikesell at gmail.com
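The thread above mentions the things a hand-built gateway tends to get wrong (iptables rules, hosts.allow, services bound to every interface instead of just the LAN one). The following is an added example, not code from the thread or from SME Server's own templates, showing the two checks a practitioner would script for that: an audit that flags listeners bound to a wildcard address (and so exposed on the WAN side of a gateway) from an `ss -H -ltn` style listing, and a generator for iptables rules that confine SMB/NetBIOS to the internal interface. The interface name, the network, and the socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or SME Server's scripts.
# Assumptions (constructed for illustration): eth0 is the internal
# interface, 192.168.1.0/24 is the LAN, and SAMPLE_LISTENERS mimics the
# output of `ss -H -ltn` (State Recv-Q Send-Q Local:Port Peer:Port).

LAN_IF="eth0"
LAN_NET="192.168.1.0/24"

SAMPLE_LISTENERS='LISTEN 0 50  0.0.0.0:445      0.0.0.0:*
LISTEN 0 50  192.168.1.1:139  0.0.0.0:*
LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
LISTEN 0 100 127.0.0.1:25     0.0.0.0:*
LISTEN 0 128 [::]:993         [::]:*
LISTEN 0 128 192.168.1.1:143  0.0.0.0:*'

# Print the port of every socket bound to a wildcard address (0.0.0.0,
# [::] or *), i.e. reachable on every interface of the box.  Takes the
# listing as its first argument so it can be run on `ss -H -ltn` output
# or on the constructed sample above.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*")
                print port
        }'
}

# Succeed (exit 0) only when the given port is NOT wildcard-bound in the
# listing, so a gateway hardening script can bail out before enabling a
# service that would otherwise face the Internet.
port_is_lan_only() {
    ! wildcard_listeners "$2" | grep -qx "$1"
}

# Emit iptables rules that accept SMB/NetBIOS only from the LAN interface
# and LAN network and drop it from anywhere else.  Printed for review
# rather than executed; pipe into sh once the values are confirmed.
smb_lan_only_rules() {
    cat <<EOF
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --dports 137,138 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
EOF
}

# Stand-alone run: audit the sample listing, then show the rules.
echo "Wildcard-bound ports (exposed on all interfaces):"
wildcard_listeners "$SAMPLE_LISTENERS"
echo
echo "Proposed SMB rules for $LAN_IF ($LAN_NET):"
smb_lan_only_rules
```

On a real gateway replace the sample with `ss -H -ltn` output (`wildcard_listeners "$(ss -H -ltn)"`); anything it prints other than the services you intend to expose externally (here 445 and 22 on 0.0.0.0 and 993 on [::]) should be rebound to the LAN address or covered by an interface-restricted rule like the SMB ones, since a wildcard bind plus a missing rule is exactly the combination the thread warns about.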