EMAIL
EXCHANGE

Forget about simple email servers: Groupware is the message.

   
by Jack Fegreus

Computer cognoscenti would never be caught uttering the word email. For some time, unified messaging has been the epicenter of all buzz. It’s a marvelous catch phrase for all things to all people.  From voice mail and faxes to workflow management, unified messaging has come to span the mundane to the truly mind-boggling. As a result, a full installation of Microsoft’s Exchange Server 2000 requires 2GB of space on the “installation drive,” 500MB of space on the system drive, a recommended minimum 300MHz CPU with 256MB RAM, and a swap file at least twice the size of RAM!

However extreme those minimum requirements may sound, the reality is email has gone from internal curiosity to external essential and in the process revolutionized the way business is conducted. As a result, the notion that email serving is an essential driver bringing software built on an Open Source software engine into the enterprise should come as no great revelation.

A year ago, openBench Labs first examined SuSE’s eMail Server II, which demonstrated the power of Open Source for IT. Assembled from various Open Source products, SuSE’s eMail Server was an easy-to-install product that fit the email needs of small and medium enterprises (SMEs). The combination of a POP/IMAP email server, browser-based email client, and an SMTP mailer worked quite well for most SME scenarios. In particular, SuSE’s eMail Server II was an amalgam of the Postfix SMTP server, the Cyrus IMAP and POP3 server, and the Horde IMP web-based email.

         
 

openBENCH LABS SCENARIO


UNDER EXAMINATION
SuSE eMail Server 3.1
http://www.suse.com

 

HOW WE TESTED
Dell PowerEdge 2200
Ximian Evolution 1.0
http://www.ximian.com

KEY FINDINGS
 Installation was quick and simple, as the distribution is meant to perform a single role: that of a mail server.
 SASL within Postfix worked perfectly to secure SMTP authorization and eliminate the possibility of an open relay.
 HELO address parameters in Postfix provided the ability to filter highly probable SPAM at the server.
 SKYRiXgreen provided an elegant, highly functional HTML-based interface for both systems management and performing groupware tasks at the user level.
 Outlook presented problems running groupware tasks because of an inability to deal with the tightened level of security we required and had implemented in SuSE eMail Server 3.1.

 

The newly released SuSE eMail Server 3.1 replaces the Horde IMP web interface with SKYRiXgreen from SKYRiX Software AG, which significantly enhances the product for larger end-user sites. From the new interface, the scope of the user data the administrator can process was expanded to include address data. By means of Access Control Information (ACI), the administrator can determine either globally or on an individual basis the data that a user is permitted to modify. Administrators can also monitor which clients are currently connected to the system for load monitoring.

For users, SKYRiXgreen adds some serious groupware panache including support for Outlook group scheduling. Outlook can retrieve appointment data for contacts via HTTP. Users of SuSE eMail Server 3.1 can enable their mail profile to share their ‘freebusy’ data, which the server stores in a personal folder. While that aspect of the new capabilities will gather a lot of attention, the fact remains that Outlook’s group scheduling is distinctly primitive. If you want to exploit the true power of SuSE’s new groupware features, you’ll forget about Outlook and use the native web interface. But that too can be a bit problematic as openBench Labs later discovered.

We installed SuSE eMail Server 3.1 on the same system on which we tested the previous version: an old Dell PowerEdge 2200 with dual 266MHz Pentium II CPUs and 384MB of memory. Under typical usage, total system and user CPU load was spread evenly across both processors, with total utilization in the realm of 12-to-15%. Nonetheless, SuSE recommends a minimum clock speed of 1GHz for the CPU and hardware RAID for storage.

 

 

The installation itself is a breeze. A simplified YAST2 installation is tailored specifically for the email server. All of the typical options are removed, which reduces the number of installation screens, as there are no significant package choices to make. On completion of the installation, we placed the server in a DMZ behind a firewall.

 
         
 

Safely tucked behind a firewall, the new version of Postfix underpinning SuSE eMail Server 3.1 provides significant enhancements for dealing with outside purveyors of unsolicited commercial email (UCE): both those simply intent on flooding your users with junk mail and the truly malicious ne’er-do-wells who attempt to hide their mischief by hijacking sites to relay their trash anonymously.

We were never able to force the previous version 2.0 of SuSE eMail Server to use the Simple Authentication and Security Layer (SASL) for authentication. This is important for allowing authorized remote users to utilize the server as a relay host while excluding those individuals seeking ways to masquerade their UCE—SPAM by any other name still stinks.

 
Now making SuSE eMail Server secure is a click away. In the basic Postfix configuration screen, the systems administrator can choose to force all users to authenticate with a password in order to relay mail to other sites via SMTP.

 

As a workaround for version 2, we had used Dynamic Relay Authorization Control (DRAC), which authenticates against the POP3 server and then allows SMTP access from the authenticated host. It’s a good—but far from perfect—solution, which is still an option in the new release. Much better news on the security front is that SASL now works without a flaw.

In addition, Postfix can also be configured to place some well-advised restrictions on UCE. The easiest is to implement the verification of HELO addresses. A common technique used by SPAMmers is to hide behind a phoney address in the ‘From:’ mail header. As with most mail servers, by default Postfix does not attempt to verify the validity of the HELO address. That, however, is very easy to rectify in the Postfix advanced configuration screen by setting up the smtpd_helo_restrictions parameter. Here we reject incoming packets when the sending host name is malformed, when the host does not have a proper DNS record, or when the host uses SMTP pipelining. Unfortunately, there is no explanation on the screen of what the parameters do and what the permissible values are. An excellent place to start is at the Postfix home page: http://www.postfix.org.
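
As an added illustration (not part of the original review, and not code from SuSE or the Postfix project), the Python check below audits a main.cf for the two protections described above: password-authenticated relaying through SASL and the HELO restrictions. Both configuration fragments are constructed samples rather than the files written by the SuSE configuration screens; the restriction names are the Postfix spellings of the period, and the later *_helo_hostname spellings are accepted as well.

```python
import re
# Constructed main.cf fragments for illustration (not from the reviewed server).
WEAK_CF = """\
# Relay limited by network only; HELO is never checked.
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""
HARDENED_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_hostname, reject_unknown_hostname,
    reject_unauth_pipelining
"""

def parse_main_cf(text):
    """Parse '#' comments, 'name = value', and whitespace-led continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (s.strip() for s in line.split("=", 1))
            params[current] = value
    return params

def restrictions(params, *names):
    # Restriction lists are separated by commas and/or whitespace.
    return {r for n in names for r in re.split(r"[,\s]+", params.get(n, "")) if r}

def audit(text):
    """Return the descriptions of failed checks; an empty list means all passed."""
    p = parse_main_cf(text)
    relay = restrictions(p, "smtpd_recipient_restrictions", "smtpd_relay_restrictions")
    helo = restrictions(p, "smtpd_helo_restrictions")
    checks = [
        ("SASL authentication not enabled", p.get("smtpd_sasl_auth_enable") == "yes"),
        ("authenticated users cannot relay", "permit_sasl_authenticated" in relay),
        ("no reject_unauth_destination: possible open relay", "reject_unauth_destination" in relay),
        ("HELO not required", p.get("smtpd_helo_required") == "yes"),
        ("malformed HELO names accepted", helo & {"reject_invalid_hostname", "reject_invalid_helo_hostname"}),
        ("HELO names without DNS records accepted", helo & {"reject_unknown_hostname", "reject_unknown_helo_hostname"}),
        ("unauthorized pipelining accepted", "reject_unauth_pipelining" in helo | relay),
    ]
    return [msg for msg, ok in checks if not ok]
```

Calling audit(HARDENED_CF) returns an empty list, while audit(WEAK_CF) lists the missing SASL and HELO protections.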

Within the SKYRiXgreen interface, users also have the opportunity to filter their own mail. This is done using a built-in mail filtering system based on SIEVE. Within the configuration screen for their mailbox, users can define conditions and then select an action to perform if those conditions are met. Automatic ‘out-of-the-office’ and ‘on-vacation’ replies to incoming email are considered special cases of SIEVE filtering.

While the new and improved features of SuSE eMail Server 3.1 make it more appropriate for larger end-user sites, it still will not be appropriate for many ISVs. That’s because of the way that Postfix handles multiple domains. Although Postfix can be configured to receive mail for multiple domains, there is one ‘real’ host domain and multiple ‘virtual’ domains, which are instances of the real domain. As a result, any user account that is created must first be a member of the real domain. Then virtual users are created in the virtual domain and mapped to a user in the real domain. That maps all of the attributes of the real user onto the virtual user, including any aliases for that real user.

         
 

This scheme fits nicely into the operations of a single company or parent company, such as Custom Communications, which has multiple lines of business and people working across those lines. For our tests, we created the real domain Custom Communications and then created virtual domains for such entities as Open magazine and Boston Publishing. We then created virtual users for everyone working on Open and mapped them back to our Custom Communications account.

Replacing the IMP interface and adding groupware functionality for Outlook and Evolution clients is the job of the SKYRiXgreen software module. The module comes from SKYRiX Software AG, which develops secure web groupware applications based on HTTPS, group authorizations, and authorization certifications for intra-business communications.

 
The SKYRiXgreen web interface presents an elegant easy-to-use interface. The price of this simple and totally cross-platform GUI can turn out to be a serious increase in CPU load when generating a well-populated folder structure. In our tests, presenting the contents of a large mailbox with 4,000 messages consumed 80% of the total CPU power of our dual 266MHz processor system.

 

Like all SKYRiX applications, the SKYRiXgreen interface is entirely based on HTML and PERL scripts with no Java applets. As a result, the client interface is truly platform independent. What's more, the interface is exceptionally well laid out—preferred screen resolution is 1024x768 with 800x600 an acceptable minimum—and there are pop-up tool tips on all of the buttons. For those familiar with the previous quirky interface on SuSE eMail Server II, SKYRiXgreen presents a very much welcome change of pace.

The strength of SKYRiXgreen is that there is no Java. Nonetheless, the weakness of SKYRiXgreen is that it is pure HTML and PERL. Go into the SKYRiXgreen interface and open a well-populated mail folder with hundreds if not thousands of email messages and you immediately understand why the minimum CPU recommendation is for a 1GHz processor. On our dual 266MHz processor Pentium II system, the CPU load jumped from 10-to-12 percent with multiple Outlook, Eudora, and Evolution clients connected up to 80-to-90% for one web client as SKYRiXgreen attempted to construct a web page for an inbox bursting with messages. In cases like this, a graphic indicating that the screen was being constructed would be a welcome addition.

Unless you have cycles to burn, our recommendation is to use POP3 with your favorite email client of choice. In that way, the load caused by an occasional remote user logging in over the web will be an utterly transparent event and not a disruptive calamity. What’s more, you are going to need those cycles because to utilize the SKYRiX groupware software effectively in a secure environment, you will need to run the SKYRiXgreen web interface.

         

The heart of the problem lies with the oxymoron of ‘secure Outlook’ for groupware scheduling. As we noted earlier about email configuration in general, you want to take extra care to keep your server secure not only from malicious hacking—no one wants confidential company memos posted prominently on the web—but also to prevent your site from becoming an open relay for SPAMmers.

As a result, you will want HTTP and FTP access to the web directories that hold the 'freebusy' schedule data belonging to your users to be password protected. Not so much because there is anything of the least possible value in these time stamps—they simply indicate a time period is busy and not what's happening—but because that type of open access would leave open a back door to your email server. Now here’s the rub: Outlook’s default for storing all those time stamps is Microsoft Passport. Should you be so recalcitrant as to not make use of their service, you can read and write the data to another location, but with a few interesting caveats.

For both Evolution and Outlook, a secure email server played havoc with group scheduling. Outlook makes no provisions for entering passwords for getting freebusy data. As a result, neither Outlook nor Evolution returned freebusy data when we attempted to schedule a meeting, even though the data was readily available (green insert). Only by triggering Outlook to schedule the meeting would it request a password.
         

Outlook makes no assumptions about the web address at which it is pointing for freebusy data. In other words, it does not assume that it is being pointed at the email server on which you require that there be a secured password login. Without a password, neither Outlook nor Evolution could access the freebusy data until we triggered an event that would cause the website to force the client application to request a password. On Outlook, we could trigger such a request by scheduling a meeting before we had any freebusy information about the participants. That way we could always review our actions with perfect 20/20 hindsight.

The alternative is of course to go in directly through the SKYRiXgreen interface for all of the groupware functionality. This was a much more enriching user experience. While the default view of the calendar is to view only your own schedule information, simply clicking on the freebusy option shows all of the times any of the other team members are busy.

Going directly to the web interface provides a far more intuitive and useful set of tools for group scheduling. Here a single timeline shows the open time to schedule a meeting for all involved.

For a large team, this method will probably not be very efficient. That’s why SKYRiXgreen offers a very slick simplified meeting scheduler. Enter a time frame and all of the team members, and the scheduler will return a simple time line that indicates when everyone is free (green and white) and when someone is busy (red). It’s as easy as that.

Finally there is the issue of cost. For those familiar with Linux, the price of $998 might induce a case of sticker shock. For an enterprise-class mail server, however, this is actually quite a bargain. First, $998 is the complete cost. There are no extra fees should you decide you need more than 5 Client Access Licenses.

Also included is 12 months of product support, which naturally includes fixes and patches by both downloads and quarterly CDs. Also included is basic configuration support for external client mail packages such as Outlook, Netscape, Mozilla, and Eudora. There is also help for basic DNS, SPAM protection, content filtering, setting up a virus scanner based on AMaViS and H+B AVMailGate, and choosing a backup strategy as well. Not to mention the fact that any good administrator can have this out of the box and running in a matter of hours.