Open-source Challenge To Exchange Gains Steam

jbrodkin writes "An open-source, cloud-based e-mail alternative to Microsoft Exchange called Open-Xchange has signed up two new service providers and predicts it will have 40 million users by the end of 2011. Based in Germany, Open-Xchange has tripled its user base from 8 million to 24 million paid seats since 2008, with the help of three dozen service providers including 1&1 Internet, among the world's largest Web hosting companies. Microsoft is still the 800-pound gorilla, with a worldwide install base of 301 million mailboxes in 2010, expected to reach 470 million by 2014. But Open-Xchange is luring numerous service providers who are wary of Microsoft's attempts to compete against its own partners by selling hosted e-mail services directly to its customers."

Re:google apps ftw!

[Sarten-X]

Unfortunately, it's also wholly unsuitable for any business needing absolute confidentiality, just like every cloud solution.

Re:google apps ftw!

[seifried]

There's a solution for that, it's called "encryption".

OpenChange and SOGo - Truly free/freedom Exchange

Don't worry about Open-Xchange, OpenChange + SOGo is the real open source alternative:

http://www.openchange.org/index.php/component/content/article/7-news/55-openchange-and-sogo-the-first-interoperable-and-exchange-compatible-groupware-solution

- OpenChange Server is a transparent and native Exchange replacement for Microsoft Outlook users working on top of Samba 4. With OpenChange, you don't need costly MAPI connectors anymore.

- SOGo is a reliable groupware server with a focus on scalability and open standards. Let your Mozilla Thunderbird/Lightning, Apple iCal/iPhone, BlackBerry and now Microsoft Outlook users collaborate using a modern platform.

No per-seat CALS or license fees whatsovever.

PCI compliance?

[Mathinker]

Judging from a cursory perusal of the PCI DSS quick reference guide, as long as the business has in place a policy which forbids sending payment card numbers over email in the clear, it should still be able to use a cloud-based email solution. Do you have personal knowledge which contradicts this?

Re:PCI compliance?

[shaper]

A policy has to be auditable for it to be valid and PCI compliant. A PCI audit will be considerably more involved than just browsing through your gmail inbox. The audit will cover network communications, hardware, software, change processes and accountability and access controls. Anybody in human resources, finance or accounting who doesn't already know this needs to be fired.

And don't forget HIPPA, SOX and a host of other rules and regulations involving the handling different data that can so easily slip into email. Add in legal liability from privacy breaches and a whole lot of other concerns which make some kinds of data processing and storage outsourcing difficult there days.

Re:PCI compliance?

HIPPA appears to be largely unenforced:

Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved.

I'd be very concerned about any company that is sending info by email that related to the HIPPA rules.

I read up on SOX. Does seem to be a big deal although I still can't see how Google's solutions don't comply.

If such claims are going to be made specify what doesn't comply. I'm not saying you are wrong. Only that people have made these claims repeatedly without backing it up.
 

Re:PCI compliance?

[linuxrocks123]

As far as I can tell, SOX is probably the second-most over-hyped piece of legal misunderstanding promulgated as fact on Slashdot, position #1 being the recurring myth that ISPs are subject to common carrier regulations.

SOX applies to public companies only. From Wikipedia, it does not appear to place any specific requirements on corporate IT, except that the corporate IT will be audited for compliance with the "normal" parts of the law -- so you have to keep records on various things. This hasn't stopped people from making shit up -- if the law specifies that certain data must be "retained" for X months, Slashdotters and charlatans selling "SOX compliance" services are going to say that means the law says you have to use RAID 1000000 and update your offsite backups every 2 days. Just, cuz, you know, that's standard practice.

The law -- and I haven't read it, but I can guarantee you OP hasn't either -- doesn't say anything like that. Just like it doesn't say you have to chisel your non-digital documents in titanium sheets in case the building catches fire. It's not specifying particular standards -- it's just saying you can't be Enron. If the building catches fire or the hard drive crashes, well, you know, shit happens. Whether not installing sprinklers or not having backups was negligent or in bad faith is for a court to decide. So far, it hasn't come up.

OP -- and I don't know him, and he's probably a nice guy -- may now tell me about his personal experience with how Fortune 500 companies DO chisel Xeroxes into titanium and DO use RAID 1000000 and daily updated offsite backups AND ANYTHING ELSE IS NEGLIGENT AND WOULD GET ME THROWN INTO JAIL IN THE "REAL WORLD". And I'm probably going to ignore him because this post took all the time I want to spend talking about this. But: unless he backs his claims up with a statute, a court case, or at least a letter ruling from some relevant executive branch agency ... I'd be suspicious, man. Think of all the corporate incompetence with information management (laptops with credit cards gone missing ... oops) you hear about on Slashdot. Now think if Slashdot talks about anyone going to jail for that, or even getting in any real trouble.

---linuxrocks123

Re:PCI compliance?

[mvdwege]

Right on.

I work in computer security, and I have had training in SOx compliance, and all that you say is exactly what I learned.

All SOx requires is a clear chain of responsibility. In theory, a company could be SOx compliant if the CEO were to sign a statement saying he is personally responsible for the outcome of all business processes. Practically, no CEO will do so, therefore a clear, documented process is necessary, so that when the company does something contrary to the law, a responsible employee can be identified (and prosecuted).

Mart

Re:PCI compliance?

[S.O.B.]

Shhhhh. Don't tell the business users. They never want to pay for system improvements because they don't "see" the effects. We used to slide in all sorts of system improvements they never would have paid for by saying that it was a "SOX requirement".

SOX is the pot of gold at the end of the rainbow.

A link would have been nice

[skrowl]

Here's the direct link to go read about it if you don't want to go through the networkworld blogspam article: http://www.open-xchange.com/

The "Server edition" is $1300, and they make you open a blind link to a PDF to figure that out.

Here's a handy feature matrix but noticeably absent is the free "community edition": http://oxpedia.org/index.php?title=OX_Product_Matrix

Also, the activesync thing (oxtender) is completely non-free and only available in the licensed versions.

Re:A link would have been nice

As opposed to:

http://www.openchange.org

Which only has the free/freedom community edition.

Re:A link would have been nice

[mysidia]

This is why all the Exchange "alternatives" are doomed to failure. The free/inexpensive options all lack the critical functionality of Activesync or Outlook interoperability.

When software makers add these worthy functionality, they immediately try to start pricing their product at the same level as Exchange.

This is obviously some sort of shared greed complex. "We have the same functionality as this really expensive (overpriced) software, so we can charge a lot for it too...."

Well, they're not Microsoft. And if they want to charge more than 30% of the cost of Exchange (which is already massively overpriced), then they should just get out, because they are cluttering the market place and contributing to making simple functionality expensive.

Re:A link would have been nice

[jimicus]

Not really.

Most businesses want a solution, not a religion. When you are already comfortable with Exchange, any alternative will have to offer some real, tangible benefits.

The most likely potential benefits are:

• Greater functionality: No chance. None of the F/OSS clones offer even comparable functionality, let alone greater functionality unless you go out and pay for the commercial version. There are one or two solutions which claim not to fall into this trap, but they fall into the age-old F/OSS trap of doing things so differently that there is no way the Powers that Be will sign off on the change and when challenged, the developers insist that their way is better.
• Significantly cheaper: Nope, you either go for the free version (with seriously reduced functionality) or the commercial version (which is probably still slightly less capable than Exchange but costs about the same).
• Resolves a problem that exists in Exchange. Well, despite the traditional /. view, Exchange is not that bad a product, and for most businesses their existing Exchange server is perfectly adequate and they don't have any significant complaints.

Re:How much does it cost to set up local BSD/Linux

[buchner.johannes]

It needs an immense expertise.

Re:google apps ftw!

[Swampash]

it's also wholly unsuitable for any business needing absolute confidentiality, just like every cloud solution

Just like every solution that involves clients, nodes, servers, networks, and software not designed, built, operated, and controlled only by you. Which is pretty much all of them.

If your communications are so sensitive that HTTP over SSL with a corporation that offers you an SLA isn't enough, and you choose to send email in the clear without encryption, then your communications obviously aren't as sensitive as you think.

Alternatives are good

[93+Escort+Wagon]

For example, I think Slashdot needs to come up with an alternative logo for Microsoft stories. Sure, the old one was really stale - but at least it looked like a Borg. With the new one, it just looks like Gates is wearing a really poorly-designed Bluetooth phone headset.

Re:Alternatives are good

[flyingfsck]

Actually, it is a Bluetooth headset, with a poorly designed version of Bill Gates....

Re:google apps ftw!

[rtfa-troll]

If you use encryption on Gmail you lose the entire benefit since you become unable to search the mails. You end up with a slightly inconvenient IMAP server. You might as well just get a traditional Unix mail instead.

How are they better?

[NiteRiderXP]

First of all, it is technically open source, but the license the community edition uses means it cannot legally be used by businesses.
It is definitely not a free alternative to M$ Exchange.
Each user license costs $52 for this product, an M$ Exchange CAL costs about as much, maybe a few bucks more.

Whoever designed the web access GUI went icon crazy and they are not very meaningful either.
Outlook Web Access is simple, this contraption had me guessing at what buttons do.

I manage an Exchange 2007 environment with roughly 700 users depending on it.
Originally having no experience, I got a test server up and running within a day.
The administrator tools are simple, powerful, and reliable; overall we have not had any serious issues in the past three years.
I also know that if something goes wrong, there is M$ support, service packs, backup software, DB repair tools, forums, etc.

Here is what happens with an open source product:
You install the product and spend the next couple of hours wading through text config files.
When you do manage to get the product to work, the thing does not work as expected.
You spend the next couple of hours cranking up debugging output and wading through source code.
If you are really masochistic you end up compiling your own build after you have found a bug.

Now in some cases going open source is worth the pain, especially when it brings additional functionality and cost savings.
Unfortunately, this open source product has the goal of duplicating functionality at a similar price point.
An additional thing to consider is that most open source products need more maintenance and labor.
This additional labor is highly in demand and is not at all cheap, which might make this an even more expensive solution than the original.

Re:How are they better?

[ADRA]

I can't say for the functionality, benefits, complexity, etc.. of the article's software, but I can think of many better things to spend 36K on than licensing Exchange. Don't even mention the server side licensing (Unless they've subsequently dropped server CAL requirements for exchange boxes), server first time costs, and yearly subscription fees to keep up to date with all the latest updates and support features that you list so highly. Throwing money at a problem may be -a- solution for -some- companies, but that can't be said for everyone. Of course that all assumes that Exchange is the better maintenance system, but as I see nobody doing empirical analysis, or even anecdotes, its hard for you, me, or the rest of the mob to come up with any sort of rational discourse.

"Here is what happens with an open source product:"

I really like how you pulled the old bait and switch here. Instead of listing the behavior of quoted product, you instead drill into why open source software is bad. Well, if you just took the software and didn't pay a dime for it, then maybe a few of those points apply. Maybe if you paid for the software, you could get paid support and the assurance that when a problem is found that it can actually be addressed without waiting quarters before a company decides to release an update to fix a bug. For real money, you can (for a lot cheaper seemingly) get a system that does more or less what Exchange does. As said earlier, I'd like someone who's actually used both systems in a real world scenario to talk about pros and cons, but since that isn't happening yet, lets keep the rhetoric to ourselves.

Re:How are they better?

[flyingfsck]

Really? The CItadel Easy Install script runs in about 20 minutes. Citadel is easier to set up and administer than Exchange and it costs nothing.

Re:How are they better?

[gbjbaanb]

Here is what happens with an open source product:

Here is what happens with an closed source product:

you install it with 1 click, but then spend the next few days going through GUI config screens./
When you do manage to get the product to work, the thing does not work as expected.
You spend the next week persuading your boss to send you on a week's training course, for only ten thousand dollars.
You come back with a couple of thick binders full of documentation that you already can't remember.
You spend a few more days tweaking and hope that it holds up when you take it live.

Much OSS is just the same as Close Source. Much of it is crap, but then much of the really expensive commercial software is equally crap. At least with OSS you don't have to stick with it because your boss who signed off the purchase order doesn't want to admit the project is a failure.OSS support (paid for) is nearly always better focussed on your needs, whereas support for commercial software is practically a marketing gimmick that can't keep up with the stack-it-high sales technique.

As it happens, the good OSS is far better than the commercial stuff. Sure, this doesn't always apply, but to prove a sweeping statement that OSS is crap is just childish.

Re:How much does it cost to set up local BSD/Linux

[Deviant]

The problem with this view is that it is missing some functionality that people now consider part of email thanks to Microsoft and Outlook/Exchange or Lotus Notes/Domino. If you have never worked in a company that makes use of these features you wouldn't understand - but if any of your coworkers have they will expect them from you and will find your IMAP mail system to inadequate and unacceptable.

First is Calendaring - inviting people to appointments and booking in meeting rooms and shared resources (projectors etc) to those meetings. They even will recommend times when all the attendees and equipment is free. If you change the time it informs everyone and moves in all their calendars. This is not to mention sharing your calendar with others so everyone can keep track of where/what your team is up to. And you can do all of this on your mobile phone (ActiveSync or Blackberry) and have it update your server/client immediately.

Contacts - you can see all the people in your team, department and company. You can share your contacts with your coworkers. When you or they change them your phone updates with the changes immediately. I've seen our director's assistant add contacts to his mailbox via Outlook and he can call them from his phone's contacts within less than a minute when on the road.

Delegation - your assistant/gatekeeper or the person filling in for you when you are on leave can respond to your email and meeting requests on your behalf. It even says Susie Q on Behalf of John Doe etc. You can also have a departmental or a support or an information mailbox that many people check and share responsibility for.

Not to mention that Exchange offers the significant advantages of a large ecosystem of applications, tools and trained professionals that can back it up, maintain it, fix it, merge it, replicate it and all kinds of other things that you will eventually need to do in the life-cycle of an average modern mail system. I am dealing with a merger of two companies at the moment and them both running Exchange is a godsend - I'm glad it isn't an OpenExchange system I am having to merge with...

Re:OpenChange and SOGo - Truly free/freedom Exchan

[stiller]

OpenChange is very promising, but hardly production ready.
SOGo is not a feature per feature match for OX, Scalix, Zimbra or Zarafa. These are all mature projects with a large installed user base. If you are worried about license fees (which usually include paid support), you can always use the free editions of these projects and not use Outlook.

...or you can use Citadel - for FREE

[flyingfsck]

http://citadel.org/ Citadel uses a proper database back-end and can handle terabytes of mail for thousands of users.

Re:How much does it cost to set up local BSD/Linux

[Deviant]

Exchange 2003 (now 8 years old) was really I/O heavy and wasn't really designed with large mailboxes in mind. Think back to the average mailbox and attachment size in 2003 (what was your HD size 8 years ago for example) and I think that they thought they exceeded what was necessary for a mail system but it is not really workable for a large organisation with modern needs any longer and buckles a bit under modern expectations - especially on older hardware.

2003 did a few things like single-instancing within a mail database which contributed to I/O and required them to limit the size of DBs to ~75-100GB. So in a large organisation you need many many mail databases and managing them all gets a bit overwhelming.

In Exchange 2007 they did pretty much a complete rewrite and removed single-instancing of everything but attachments reducing the I/O by ~70% for the same workload. In Excahnge 2010 they removed even the single instancing of attachments (if you send an email with an attachment to all staff of a 2000 employee company it stores that 2000 times) but were able to improve I/O by 70% again over 2007. It means you need alot more disk space and a mail archiving solution but storage is cheap these days while I/O is not.

The product has gotten much much better and more scalable in the last two versions. Your IT department either needs to do better with it's storage subsystem to provide 2003 with the necessay I/O (FiberChannel or 10 Gig iSCSI SAN with lots and lots of spindles, transaction logs on RAID10) and/or upgrade to a newer version of Exchange.

Huh?

[jav1231]

That's one way to get it gaining steam. Call it "cloud based." Because the "Internet" isn't cool anymore. It's got to be "the cloud!" Marketing...

Re:How much does it cost to set up local BSD/Linux

[shia84]

Two weeks ago, I knew next to nothing about mail administration. I do however have enough experience as generic sysadmin. Took me about 3-4 hours reading into documentation for smtp, imap, exim (+addons), then about half an hour of configuration and now our working group (30 people) has a nicely working public facing mail server, all with aliases, mailing lists, synchronisation,...

Re:OpenChange and SOGo - Truly free/freedom Exchan

[DaMattster]

It is true that OpenChange and SOGo look very promising and I am following the news with quite a bit of interest. One day it will be production ready. That said, Open Xchange is open source to a point. I think Open-Xchange is more crippleware because you have to buy the product in order to get Outlook integration, or at least the last time I looked into it.

Not the only alternative

[kitserve]

This is an area I have been following with interest, as a number of clients have asked me about ditching their Exchange servers. There are several "open source" alternatives to Exchange, all with their own drawbacks. The main ones I know of are Scalix, Zimbra, Zarafa, OpenXchange, Citadel, and OpenChange/SOGo, although there are others.

OpenChange looks the most promising in the long term, as I believe it's the only one that promises 100% open source compatibility with Outlook. All the others require some kind of plugin, which generally isn't open source. However, as others have noted, OpenChange is nowhere near production ready.

So far I've been recommending Zarafa to clients, because it's the only one that includes an open source ActiveSync plugin for mobile synchronisation (it's called Z-push). Their support is also fairly good. I haven't tested the other alternatives extensively enough to see how they compare in practical terms though, it would be useful to see a simple objective comparison of them (certainly much more useful than fluff pieces like TFA).

Re:Citadel?

[Junta]

At a glance, they have no commercial entity trying to spam it all over the news for one. For another, they too require some commercial add-on to be 100% outlook compatible. Lastly, they make no effort to use buzzowrds like 'SaaS' or 'cloud', which I suppose ties into the first point.

It might also suck, I have no idea, I don't do groupware stuff anymore so I have no reason to try it out.

Re:Citadel?

[DaMattster]

Citadel requires the purchase of a third-party, MAPI connector to be fully integrated with Outlook. I believe the product is called Bynari Connector

Re:Citadel?

[RockPenguin]

I used Citadel a few years back. It was fairly easy to install and easy to manage, although there were definitely some quirks in their terminology which made figuring it all out a little challenging. However, the reason I stopped using it was the web interface for all of the functions (mail, calendaring, etc.). It was very strange to say the least. Just didn't feel like a normal mail server like Exchange or Zimbra. I think it was based on the old BBS model or something. I also seem to remember some odd IMAP behavior, but I can't say specifically what it was since it was about 3 years ago. I've since switched to Zimbra and am very happy. While there are some frustrating bugs (e.g. installing certs) it has proven to be very stable and easy to setup/administer.

When work becomes play.

[Ostracus]

Open-source Challenge To Exchange Gains Steam

Wonderful. When did Valve get into Groupware?