Exchange 2003 vs. Sendmail Mail Routing?
good soldier svejk asks: "I am a unix sysadmin at a medium sized (~10,000 user) organization. We are currently using Exchange 5.5 for messaging, calendaring etc., and sendmail for mail routing and relaying. We arrived at this architecture because Exchange 5.5 was neither flexible enough to route our mail nor secure enough to meet our relay control standards (my Windows counterparts tell me it has since improved its relay control). Now we are looking to upgrade to Exchange 2003 and the boss wants to know if we can eliminate the sendmail layer. We use LDAP mail routing across multiple domains and Brightmail Anti-Spam. We have not yet implemented Active Directory. Does Exchange 2003 offer a sendmail-comparable level of configurability and flexibility regarding routing, access control, filtering, virtual hosting and queue management? Just as important, is the Windows 2000/Exchange 2003 SMTP combination adequately securable for use in the DMZ?"
Sorry, I am a member of the old school "if it ain't broke, only improve it for an identified need rather than update for the sake of it".
--
FreeNET user? Comfortable with the adverse selection?
If you want to upgrade to Exchange 2003, then you will need to get Active Directory set up, prepared and configured as stated in the Exchange 2003 documentation :)
I don't get why the boss ASKS for Exchange, but offer him a list of email systems including Lotus Domino, Courier MTA, Sendmail, Qmail, Exim, Postfix and others you think are appropriate for such sized organizations.
Then run a few basic tests. It doesn't take too many hours to install and configure each of the above mail MTAs (or routers) for demonstration purposes.
Here's how you can explain the thing... Microsoft is insecure. That's a given (show the documents proving so) and you will need an additional layer in front of Exchange to go through the emails, maybe including Bayesian filters like spamassassin. You could run it unprotected, but working unprotected is something you just don't do...
They'll understand.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Have you considered removing the Exchange layer and preserving the Sendmail layer? :)
Seriously, though, if you have a setup this large, and you're already willing to fork out the dough for Exchange 2003 and all that it requires to run, why don't you pick up the phone and talk to Microsoft about getting Exchange 2003 to route properly in your setup. It'd probably be worth the money to have the people that made it get you into a setup that will work.
I may be no fan of Microsoft, but I certainly understand when it's prudent and cost effective to get the support I'm paying for with commercial software.
~GoRK
This is like asking Iron Horse readers if you should replace your Hog with an ATV.
If all this should have a reason, we would be the last to know.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I have always used a small staging environment that emulates the production network. It is a nice safe way to emulate your production environment without actually affecting the users.
In a 10,000 person company I would believe the bean counters will understand spending a couple dollars per employee to ensure the enterprise network will still function. And throw phrases like "It will speed up our ROI, and lower the long term TCO for our infrastructure" if they don't bite right away.
Mail proxy, relay, with virus checking, anti spam, filters etc etc. Top stuff.
Exchange 2003 requires Active Directory, quite an undertaking in an organization of your size.
I would investigate the repercussions of that requirement before moving forward with any other research or comparisons.
My reality check bounced.
Having both in your network gives you more depth of security if you ask me. If your entire email infrastructure is based on a single piece of software and that software becomes vulnerable for some reason or another... at least you've partially mitigated your exposure. Having different MTAs for relaying and end-delivery is just a good 'defense in depth' strategy in general.
My $.02
From your post, I wouldn't recommend Exchange, as if you are only going to be using it for mail routing, you are basically going to be paying a LOT of money for something loaded with features that you will literally never use when you could have the same functionality for free with sendmail or Exim.
As I read your post, you don't want mailboxes or calendaring but simply mail routing.
You would probably be better building a big OpenBSD box and spending some time with Exim, or sendmail if you are happy with that.
Exchange 2003 uses the Windows 2000 SMTP service for mail routing anyway, so really you don't need Exchange 2003, just a copy of Windows 2000 Server or Server 2003.
Exchange 2003 does mailboxes and calendaring - it's a good product and does this very well but you only seem to need mail routing.
ok I was searching for a story (it links to a website having some cool html code, came out in May / June so if you know please tell me)
.. starting from the latest and going down.. and that had two stories extra and above the last story (napster2.0) on the main page...
and what happened to me was that I saw the list of stories
I clicked on this one and got thru.. the next one (about today's kids playing 70s games..) gave me "you've nothing to see here, move on"
so I guess that is a loophole or something where a non-subscriber can actually see the story before it comes on the main page..
Eureka ????
There was an article in the Linux Journal, issue 106, on how to replace the Exchange server with a Linux replacement so that users won't know the difference. Here's the link
You will need Active Directory setup before you even think about exploring Exchange 2003.
I would love to know the "real" benchmarked and "proven" answer. Slashdot hearsay will most likely say "no." in many impolite terms.
Abstracting routing from messaging keeps all the data inside the firewall where it belongs. If my sendmail boxes are rooted, I can just rebuild them. If an Exchange box is systemed (or whatever the Windows equivalent of rooting is) our user data is all over the internet. In our industry that means uncomfortable questions from Uncle Sam.
It is cowardly, and a betrayal of whatever it means to be a Jew, to act as a white man
-James Baldwin
you picked the wrong place to ask about removing sendmail and depending completely on "M$".
I'm in the same predicament here. We're a small company (~500) but handle more email than most 10,000 shops - mostly customer service-related mails.
:-) The only way you're going to be able to do the Exchange 2k3 (or 2k) routing you require is to program some custom COM event sinks in a .NET language.
Anyway, first off, I'd like to say that if you have a 10,000 person organization, and you're not running AD yet, handle that first. I'd guess that you're looking at *least* 4 months for planning and implementation of your AD environment.
Also, you might as well go right to Windows 2003 (AD 2.0) since Exchange 2003 can only run in an AD 2.0 environment and on Windows 2003 server.
Finally, yes, Exchange 2003 routing is much better than 5.5 (which was hooooriiiible). Now, if you're familiar with sendmail routing, who cares?
If your question is "can it be done" the answer is "sure it can". Just remember that just like any major infrastructure change, it ain't gonna be easy or quick to do.
Luckily, we were able to upgrade to Exchange 2k3 with little trouble. I'm still trying to get the hang of the custom event sinks, but it's coming along. I'm a perl guy and trying my best to use Perl.NET but there's few resources out there to help out with the nook I've created for myself.
If you're looking for spam/anti-virus management - definitely check out Postini (www.postini.com) - they rock and are pretty cheap ($1.25/month/user). Setting us up with this service removed 4 front-end mail relays from my DMZ and dropped our spam over 90%.
That's my $0.02.
I think it does everything you need and runs on a dozen or so platforms.
www.stalker.com
Exchange 2003 can be used on Windows 2000 SP4 as well. That said, if you're going to upgrade, just go to 2003 for the Exchange side and for AD even if you still need 2000 for other apps that don't yet run on 2003. We've been running Exchange 2003 on Windows 2003 (small shop) for about two months. Zero problems and my users are happy.
There is no reason that a person can't post to /. as a *part* of doing their job.
I saw nothing in the original post to indicate that this was the sole method of research being used. I do consider asking peers for their advice to be a valid tool... and part of a valid research methodology.
Contrary to popular belief, there are some good ideas floating amongst the scum... you just need proper filtering.
--Phillip
Can you say BIRTH TAX
While it is good that your boss wants to take a working system and replace it with a new unknown ( :) ), why not try some of the other Exchange replacements that have been thrown around. I suspect that you can lower your costs (software, hardware, and admin) significantly while increasing your uptimes. But I would certainly look at MS offers as well and test it. Just because it is a .0 version from MS does not always mean that it will not work.
I prefer the "u" in honour as it seems to be missing these days.
I've had to set up Exchange for one purpose...Calendaring, its integration into email, and Outlook. Along with groups that made it "mandatory" to the boss. I once had to bring up Exchange during a Love Letter infestation so that my boss could check their calendar for a meeting with our VP. Couldn't call the VP's secretary, that would have been political suicide. I didn't like it, but when the powers that be speak, you have to listen. I do like the idea of multiple layers, cuts down on vulnerability.
Anybody ever use oracle for an enterprise mail system? http://www.oracle.com/ip/deploy/cs/
First - Setup Active Directory 2.0 (ouch)
Second - You will need a larger exchange server to handle the additional duties. Your typical exchange server with bells and whistles handling all aspects of email including all those mapi clients shouldn't handle over 5000 users max, and 3000 optimally.
Third - Mixed environments make good security.
Fourth - Build for growth
Fifth - Sell your arms and legs for the cost.
--
This sig meta-moderates
Postfix does a lot less work generally than either Sendmail or Exchange, so if I got to call any of the shots I'd start referring to a Linux (or *BSD, yadda yadda) box as "the mail router" and sit Postfix in there to protect Exchange from spam, the internet in general, and overloads (you can set Postfix up to limit the send rate for "local" - ie bound for MSX - connections) on inbound mail separately, and also as a canary on outbound mail (chirp and/or drop dead if Exchange starts doing weird stuff). Once set up, the buffer box should be pretty much self-maintaining. I understand that qmail is good for this too, if a lot more baroque.
Calling it a "mail router" helps the PHBs to think of it as a low-cost appliance rather than a server which costs them $10k in hardware and $30k in software (plus a worshipful and increasingly specialised MCSE to keep the thing alive) like the Exchange box does.
Having the buffer box scrutinising inbound mail there will pre-solve many of your maintenance issues. For example, if the buffer box eats viruses and obvious spam, that'll about halve the Exchange box's load. When the next way to mailbomb Exchange is discovered, you can put a filter rule in Postfix to protect Exchange until you're absolutely dead sure that Microsoft's hotfix (when it eventually arrives as a lukewarmfix) doesn't break anything you need.
Got time? Spend some of it coding or testing
If you look sharply at Exchange, you'll find that it really is a whole pile of separate apps, and the appearance of seamlessness is given by wrapping it in the administration tools very carefully.
Try AdvanceMAME, you'll never look back. (-:
Got time? Spend some of it coding or testing
You have a small problem. First of all, Exchange 5.5 will be unsupported by the end of this year, so the upgrade to 2k/2k3 is somewhat mandatory.
Second, as noted before, both 2k and 2k3 require Active Directory, which means upgrading at least your PDC and BDCs to Windows 2k or Windows Server 2k3.
Exchange 2k and 2k3 are both more secure and more reliable than Exchange 5.5, but I would not recommend them for DMZ use (if you want to sleep at night). Also, it will take you quite a bit of work to move your working Sendmail setup to Exchange.
I would recommend building a test lab closely mirroring your current production environment, and see for yourself the impact of the migration to Exchange 2003.
If you only send/receive e-mail to other users on the same MS Exchange server and 100% of your client workstations run the same version of MS Windows, then it might be usable, especially if it is not connected to the Internet. Otherwise, stick with a traditional MTA like Sendmail, which is highly configurable, or Postfix, qmail or Exim, which are simpler and more focused on security. Sendmail, Postfix, Exim and qmail have proven track records for reliability.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
We have implemented inbound and outbound Postfix relays, keeping the exchange servers safe. We're running Exchange 2000 native AD.
I feel much safer with Postfix and ssh being my only two internet-facing ports, and having Exchange well removed from the rest of the world.
Another note would be to keep an inbound and outbound relay system, primarily so you don't get bitten by your own configuration mistakes. It's possible to make a slip that would allow open relay.
Not to start a Postfix/Sendmail flamewar, but if all you're doing is relay, why drive a nail with a cinder block instead of a hammer? Postfix is the good "middle ground" between the flexibility of sendmail and the security of Qmail, easy to configure, secure and fast.
I like music
I have a long list of bookmarks from AskSlashdots like these! I read thru and pick things for my own projects to come back to as needed. It saves time, and many /.ers are fairly high-up and have a great deal of experience to draw from. You'd be stupid NOT to look here first. If only /. comments were more easily searchable for such things...A little data mining action going on?
besides that, the admins thought it was interesting! That's a good enough reason.
And while I think it's a good product for offering its core functionality, integrated groupware, it is not something to be put at the edge for routing or relaying. Part of the problem with what your boss wants to do is that you'll have to extend Active Directory (AD) into your DMZ; Exchange is very heavily integrated with AD, and as a security conscious admin I shudder at the thought of extending AD into the DMZ. You'd either have to open up the ports for AD to your backend, or even worse, put a domain controller in the DMZ. Another annoying habit Exchange has (although I don't know if Exchange 2003 does this, haven't been able to get my hands on it yet) is that it will blindly accept all emails whether the recipient is a legitimate address or not. Only after accepting the email and writing it to disk does it check if the address is legit, then send an NDR if it is not. This is a waste of bandwidth and disk resources, especially if you have a large amount of spam coming into your organization with bad recipient addresses, a very common problem these days. Tell your boss it doesn't make good business sense to use Exchange in this capacity; it's not what it was designed for.
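The Postfix "mail router" in front of Exchange that several posts above describe (the buffer box that throttles and filters inbound mail, the separate inbound relay that must not become an open relay, and rejecting mail for unknown recipients at RCPT TO rather than accepting it and sending an NDR later) can be written down as a Postfix main.cf fragment. This is an added example, not configuration from any poster or from the Postfix project; the domain example.com, the host exchange.internal, the network 192.0.2.0/24, the recipient list and the map file contents are constructed placeholders, and the Exchange side must still be configured to accept mail only from this relay.

```ini
# /etc/postfix/main.cf fragment: inbound relay ("mail router") in front of Exchange.
# Added example. example.com, exchange.internal and 192.0.2.0/24 are placeholders.
myhostname = relay.example.com

# This box delivers nothing locally; every accepted message is relayed onward.
mydestination =

# Relay only for the domains we own. Mail for any other domain from an
# outside host is refused by reject_unauth_destination below.
relay_domains = example.com, corp.example.com

# Route our domains to the Exchange server. Brackets suppress the MX lookup.
# Constructed /etc/postfix/transport (then run "postmap /etc/postfix/transport"):
#   example.com        smtp:[exchange.internal]
#   corp.example.com   smtp:[exchange.internal]
transport_maps = hash:/etc/postfix/transport

# Reject unknown recipients during the SMTP dialogue instead of accepting the
# message, writing it to disk and bouncing it later. The list is exported from
# the directory; constructed /etc/postfix/relay_recipients:
#   alice@example.com       OK
#   bob@corp.example.com    OK
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Relay control: only these networks may relay to arbitrary destinations;
# everyone else may only send to relay_domains. This is the rule that keeps a
# configuration slip from turning the box into an open relay.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain

# Throttle deliveries toward Exchange so an inbound flood is absorbed by the
# relay's queue rather than hitting the Exchange box all at once.
relay_destination_concurrency_limit = 10
default_process_limit = 50

# Cheap first-line filtering: refuse obvious worm attachments before Exchange
# ever sees them. Constructed /etc/postfix/header_checks:
#   /^Content-(Type|Disposition):.*name=.*\.(exe|pif|scr)/  REJECT executable attachment
header_checks = regexp:/etc/postfix/header_checks
```

The order in smtpd_recipient_restrictions matters: permit_mynetworks must come before reject_unauth_destination, and reject_unauth_destination must be present in every variant of the list, otherwise internal hosts are the only thing stopping outside senders from relaying through the box. Keeping the relay_recipients map current (a scheduled export from the directory) is what makes the "reject at RCPT TO" behaviour stick; a stale map bounces legitimate new users.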
Why should sendmail be ripped out of its role? Are you wary because of the recent security bugs? If yes, replacing it with Postfix or qmail might be easier. If not, what is your boss's reasoning for replacing sendmail? Does he have problems keeping sendmail expertise in-house (I agree that sendmail administration is close to black magic)?
:wq
Install a Novell Groupwise server. It can run on Novell and Windows servers. Lusers can use either the Groupwise client, or Outlook. Groupwise is comparable to Exchange, but it's far more stable. Pricing might be very competitive.
Groupwise doesn't hog the processor, and is relatively low on resources. This means that we have over 500 users on one server (PIII-550, Raid5, 1024 MB). If you need webmail you might need another server.
Novell is currently investing in Open Source and Linux, so methinks that the Linux version is underway.
SamsungContact
SuSE Openexchange Server
Oracle Collaboration Suite
and
Lotus Notes
are viable products that don't rely on AD and MSFT-products.
I use qmail for myself, but it's not something for people who need calendaring.
Disclaimer: my company re-sells SuSE's product.
Windows 2000 - from the guys who brought us edlin