Malicious content
The majority of virus and malicious content such as worms are still spread these days via the Internet e-mail system, therefore it would be advisable to evaluate and deploy a separate dedicated e-mail antivirus application, for more information see the review I performed in the April 2004 edition of T&B "Stop MyDoom being your doom".
Spam, spam, spam, glorious spam
Another e-mail borne nuisance is spam, this requires a fair bit more planning and evaluation once you have settled on a mail server platform you can start down that path. For more information see the three reviews we have performed in the past for T&B in the July 2003, October 2003, and December 2004 editions.
E-mail security gateways and services
Due to the fact that in some way, shape, or form e-mail servers need to be publicly accessible and online 24x7x365 then a definite consideration when looking at your e-mail systems security would be to consider a gateway device. Two that we have come across in the past are Ironport who provide robust network attached security appliances which process the network traffic prior to delivery and after messages have been sent. For a complete managed e-mail security solution in a similar vein then see the folks at Network Box they deliver, configure and remotely maintain and monitor an e-mail gateway server at your own premises.
Harden the servers O/S and batten down the perimeter
Next on the list is to ensure that the server's operating systems are correctly hardened, primarily by turning off or disabling all services, processes and ports that are running unnecessarily. Also it would be assumed that the network perimeter security is correctly setup and fire-walled, (see our firewall review in the March 2004 edition of T&B), to allow a certain level of port access, preferably with an adequate multi-homed firewall, not just a default de-militarised zone (DMZ).
Avoid the common mis-configuration traps
There are a couple of configuration items that some engineers commonly overlook or misconfigure when setting up an e-mail server. Mail servers must never be allowed to run open relays and ensure the domain name servers are correctly configured for reverse IP address lookups as well as forward name lookups.
Don't be a relay point for spammers
Firstly get your relaying correct, identify the public and private domains that the mail server will be responsible for handling and make sure that those and only those machines on those networks are explicitly allowed to relay e-mail even to the point of using individual IP addresses on your subnets in the configuration files. If relaying is not correctly setup then those with nefarious intentions, generally spammers, could discover the open-relay server and start using that mail server as the launching point for their spamming activities, this generally would result in that mail servers IP address being added to a registered black list (RBL) service and therefore subscribers to that service would no longer receive messages from that mail server even if they were legitimate. Not a good look if you are a high profile organisation. Plus it can sometimes be quite difficult and time consuming to discover which RBL your mail servers IP address has been added to and then have it removed.
Ensure name servers can resolve forwards as well as back
To ensure those with designs on taking over a domain name for their own purposes don't get their hands on it one must ensure that the company domain name servers are correctly configured to not only resolve from domain name to IP address but also reverse lookups from IP address to domain name. It is also critical to ensure that the secondary name server (which automatically updates its name databases from the primary server) is setup to only accept update data explicitly from the primary servers IP address this stops those with nefarious intentions from uploading a changed zone file to the secondary server and then crashing the primary server causing the secondary server to start feeding out the unauthorised server IP information for that domain name.
Interesting review, however, it misses in a nunber of areas.
1) At the low end of the market, the appropriate Microsoft product would be SBS2003. It is quite difficult to price the e-mail component as a number of products are bundled, however, I suspect the SBS2003 is a more appropriate product when compared with some of the lower end e-mail systems you have reviewed. Are you comparing apples with apples? or apples to oranges?
2) The the high-end of the market where clustering / high availability and a large number of users is concerned most of the reviewed packages couldn't deliver. Where is the indication of where these products sit in terms of number of users?
3) The most important criteria for purchasing an e-mail system has not even been considered, i.e. user understanding and productivity. Given the article asks the question about alternatives to Exchange, surely there needs to be some indication as to why customers continually purchase this product. And the answer is they understand how to use the client interface, i.e. Outlook, and individuals are productive. My feedback from people is they hate Notes (especially after using Outlook / Exchange) and they love the functionality and integration that Outlook / Exchange provides. An e-mail system is provided to enhance user/worker productivity and, essentially, they don't give a stuff about the e-mail server. They want functionality they can easily use on their client device and this is what IT Managers respond to.
4) I would suggest you have under-estimated Notes and Exchange for their back-end automation. Notes is a powerful database / workflow solution that provides much more than e-mail, so if you have such a requirement the other e-mail solutions look very ordinary. Likewise with Exchange, there is a huge amount automation / programming that can be achieved and an organisation with such requirements would seek a single solution rather than 2 separate systems.
Regards,
Russell Sumich