[CentOS] Replacing my Scalix mail server

Tue Mar 31 23:39:45 UTC 2009
Robert Moskowitz <rgm at htt-consult.com>

Les Mikesell wrote:
> Robert Moskowitz wrote:
>   
>>>> Also I would NEVER consider running SMB services on a gateway/firewall 
>>>> and I need IPv6 support anyway on the gateway/firewall. So far I have 
>>>> used Astaro with roll-your-own (Astaro predates the IPv6 /48 
>>>> allocation), and I am getting a 'nice' box from a vendor I work with...
>>>>     
>>>>         
>>> Agreed that separation is theoretically safer, but the scripted 
>>> configuration on SME takes care of most of the things you would be 
>>> likely to forget if you did it by hand (setting up iptables firewalling, 
>>> hosts.allow, binding services only to the appropriate interface, adding 
>>> ip range restrictions within the app configs, etc.).
>>>   
>>>       
>> My concern is not 'out of the box', and even there I have problems with 
>> their 1st update procedure. I have problems with the time lag between 
>> security bugs and updates applied.
>>     
>
> Nearly all config changes on SME are done though it's web interface and 
> all of the appropriate iptables/hosts.allow/apps configs are re-written 
> as needed each time by the underlying scripts.  The updates for the 
> applications themselves should track Centos very closely since much of 
> it is unchanged (except the mail system).  You can just log in as root 
> and do a 'yum update' if you have any trouble with the admin page hiding 
> that from you.  You just have to run a couple of commands that it will 
> suggest afterwards.
>   

Les, security IS my business. Now I work mostly on secure protocols, 
having co-chaired the IPsec work in the IETF, contributed to 802.11i, 
invented HIP, was the designer of the Federal PKI's Bridge CA, and a 
number of other activities. But I work with my company's (ICSAlabs) 
certification program, and the Firewall program is one of the major ones.

I have seen attacks and mitigations that often never make it out to the 
public, or make it out after we have worked with the vendors for weeks 
to get patches before the S* hits the fans. I am particularly paranoid 
about what may be exposed on a gateway/firewall while waiting for that 
all so important patch.

I don't like SME's laid back attitude to getting a 1st install patched, 
for example. One 1st install, all services on the server MUST be blocked 
until current updates are installed and configured, and only then opened.

So, no, your explaination does not make me feel more comfortable. But 
then as indicated, I am a hard one to make comfortable....

>> Gateway/firewalls have to be very conservative on services offered. 
>> There are ways to virtualize this, but SME has not done that.
>>     
>>> The down side of two machines is that stock SME doesn't use LDAP network 
>>> authentication and it does some handy tricks with groups that span both 
>>> email and file permission/sharing concepts.
>>>       
>> In my case, all the more reason to separate them, as many of the people 
>> with emails, even in my domain do not get shares access. They are my 
>> remote family members.
>>     
>
> Having many different groups with different settings isn't a problem. 
> You don't have to give shares to any particular group.  But it saves 
> time to be able to add members to a group and end up with both a mail 
> alias that includes them and a group that can be given access to a file 
> share or ftp location.
>   

There is going to be further migration of both services. I felt, after 
being locked for years to some platforms, that more was better until 
things settled down here.

I want to be able to experiment with the server functions before I 
commit to shutting down the NT server, and I don't want to disrupt mail 
that I know I can get going quickly.

>> And most emailing is done via Thunderbird.
>>     
>
> That's not particularly relevant - if you access from more than one 
> location you might want to set up imaps access so all the messages are 
> stored on the server and available through the hoard web interface if 
> you aren't at you usual client(s).

I was at the IETF when IMAP was brought out of CMU and standardized, I 
know the beast all too well. I still use POP. A few users (like son #2) 
use the web interface. Most have one computer, either in the house or in 
their house for mail. POP works just fine. Plus once they POP their 
mail, it is no longer my problem!