Robert Moskowitz wrote:
>>> Also I would NEVER consider running SMB services on a gateway/firewall
>>> and I need IPv6 support anyway on the gateway/firewall. So far I have
>>> used Astaro with roll-your-own (Astaro predates the IPv6 /48
>>> allocation), and I am getting a 'nice' box from a vendor I work with...
>>
>> Agreed that separation is theoretically safer, but the scripted
>> configuration on SME takes care of most of the things you would be
>> likely to forget if you did it by hand (setting up iptables firewalling,
>> hosts.allow, binding services only to the appropriate interface, adding
>> ip range restrictions within the app configs, etc.).
>
> My concern is not 'out of the box', and even there I have problems with
> their 1st update procedure. I have problems with the time lag between
> security bugs and updates applied.

Nearly all config changes on SME are done through its web interface, and
all of the appropriate iptables/hosts.allow/app configs are re-written as
needed each time by the underlying scripts. The updates for the
applications themselves should track CentOS very closely since much of it
is unchanged (except the mail system). You can just log in as root and do
a 'yum update' if you have any trouble with the admin page hiding that
from you. You just have to run a couple of commands that it will suggest
afterwards.

> Gateway/firewalls have to be very conservative on services offered.
> There are ways to virtualize this, but SME has not done that.
>
>> The down side of two machines is that stock SME doesn't use LDAP network
>> authentication and it does some handy tricks with groups that span both
>> email and file permission/sharing concepts.
>
> In my case, all the more reason to separate them, as many of the people
> with emails, even in my domain, do not get shares access. They are my
> remote family members.

Having many different groups with different settings isn't a problem. You
don't have to give shares to any particular group. But it saves time to be
able to add members to a group and end up with both a mail alias that
includes them and a group that can be given access to a file share or ftp
location.

> And most emailing is done via Thunderbird.

That's not particularly relevant - if you access from more than one
location you might want to set up imaps access so all the messages are
stored on the server and available through the Horde web interface if you
aren't at your usual client(s).

-- 
  Les Mikesell
   lesmikesell at gmail.com
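The thread's security point is that file-sharing services on a box that is also the gateway must be pinned to the internal interface, whether the pinning is done by SME's generated iptables/hosts.allow rules or by hand. Below is a small audit that checks that pinning after the fact. It is an added example, not code from the list posters or from SME Server: it parses an `iptables-save` style dump and an `smb.conf` fragment, both constructed here for illustration, and assumes `eth0` is the internal (LAN) interface. It reports any ACCEPT rule for the SMB ports (tcp/139, tcp/445, udp/137, udp/138) that is not restricted to an internal interface, and any smbd binding that is not limited to internal interfaces.

```python
"""Audit whether SMB is reachable only from the internal interface.

Added example for the thread above; not SME Server code. Input samples are
constructed for illustration and do not come from any real host.
"""
import re

# SMB / NetBIOS ports a gateway should never expose on its external side.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Constructed `iptables-save` dump. The last INPUT rule is the defect to
# find: it accepts tcp/445 without an interface restriction.
SAMPLE_IPTABLES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
COMMIT
"""

# Constructed smb.conf [global] fragment; assumes eth0 is the LAN side.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HOME
   interfaces = lo eth0
   bind interfaces only = yes
"""

RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)$")


def parse_input_rules(dump):
    """Return the INPUT chain rules as dicts of the options we care about."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("body").split()
        rule = {"iface": None, "proto": None, "dports": set(), "target": None}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-i":
                rule["iface"] = toks[i + 1]
                i += 2
            elif t == "-p":
                rule["proto"] = toks[i + 1]
                i += 2
            elif t in ("--dport", "--dports"):  # plain match or multiport
                rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
                i += 2
            elif t == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def exposed_smb_rules(rules, internal_ifaces):
    """ACCEPT rules for SMB ports that are not pinned to an internal interface."""
    return [
        r for r in rules
        if r["target"] == "ACCEPT"
        and any((r["proto"], p) in SMB_PORTS for p in r["dports"])
        and r["iface"] not in internal_ifaces
    ]


def smb_bound_interfaces(conf):
    """Return (bind_interfaces_only, interfaces) from an smb.conf fragment.

    Samba also accepts IP addresses and subnets in `interfaces`; this
    example only handles interface names.
    """
    bind_only, ifaces = False, []
    for line in conf.splitlines():
        if "=" not in line:
            continue
        key, val = (s.strip().lower() for s in line.split("=", 1))
        if key == "bind interfaces only":
            bind_only = val in ("yes", "true", "1")
        elif key == "interfaces":
            ifaces = val.split()
    return bind_only, ifaces


def audit(iptables_dump, smb_conf, internal_ifaces):
    """Return a list of human-readable findings; empty means SMB is internal-only."""
    findings = []
    for r in exposed_smb_rules(parse_input_rules(iptables_dump), internal_ifaces):
        where = r["iface"] or "any interface"
        findings.append(
            f"iptables: SMB {r['proto']}/{sorted(r['dports'])} accepted on {where}")
    bind_only, ifaces = smb_bound_interfaces(smb_conf)
    if not bind_only:
        findings.append(
            "smb.conf: 'bind interfaces only' is not set; smbd listens on all addresses")
    else:
        for i in ifaces:
            if i != "lo" and i not in internal_ifaces:
                findings.append(f"smb.conf: smbd bound to non-internal interface {i}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IPTABLES, SAMPLE_SMB_CONF, {"eth0"}):
        print(finding)
```

On a live box the two inputs would come from `iptables-save` and `/etc/samba/smb.conf`; the check is deliberately conservative and does not treat a `-s <LAN net>` source restriction as equivalent to an interface pin, since a spoofed source address passes the former but not the latter.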