[lug] Linux email server recommendations
Nate Duehr
nate at natetech.com
Sat Apr 10 01:28:12 MDT 2004

On Apr 9, 2004, at 5:03 PM, Michael Belanger wrote:
> Agreed.. But here are the reasons this won't fly...
>
> 1. We are a grant-based project. We just don't have the resources to
> farm out services like this.

Fair enough. I still think it might be cheaper than you think to have
someone else deal with it completely, long-term.

> 2. Due to the sensitivity of the data being stored on the server,
> we just don't feel comfortable having them on a system on which we
> cannot guarantee privacy.

And this leads back to #1. As a professional sysadmin for many years,
I have a hard time taking this statement very seriously. If there's
one thing SMTP can never ever = it's Privacy.

And running anything sensitive on any network on RedHat 7.1 shows a
basic lack of understanding of networked system security. Or a number
of years of neglect, and you're picking up the pieces.

You can probably get some good ideas from both hobbyist and
professional admins on a mailing list like BLUG, but once you mention
the system contains sensitive data and you're running multiple services
on the same machine, using an OS that's highly outdated and full of
security holes, and that you don't have a budget to match -- it starts
to get pretty tricky.

Luckily, Free Software gives you both a great opportunity to fix the
massive design problems that are already apparent and also to do it
yourself. Your biggest problem right now is the Alpha, and you're
fixing that at least.

Here's the beginning of a requirements list that will easily narrow
down your choices in what to use:
- Must run on your IBM hardware. (You apparently already have the
hardware.)
- Must be Free. (You apparently have zero budget.)
- Must have highly-automated package and patch management because
you're not doing it anyway if you're on RH 7.1. (Only a very few Linux
systems really do this well.)
- Must have a reasonably sane installer, because you're not going to want
to waste much time on getting the system up and running. (Again, limits
options drastically -- most Linux installers are not as user-friendly
as they can/should be.)

The next few are tricky -- you said it's both a mail server and a file
server... that's a really bad combination for sensitive data.
Especially if you're stating that the mail server has a public IP
address!

- Must support encrypted mail transport. (If you're not already doing
this, your reasoning for #2 above goes completely out the window.)
- Must support encrypted filesystems or a reasonably "simple" way for
others to access encrypted files. (Assuming this thing has a public
address and is also a file server, encrypting the data stored on it is
the only way to assure the privacy level you're alluding to.)

And finally the most important one:

- Use something you enjoy. If admin is not your primary job function,
you'll ALWAYS admin something you like better than something you don't.

So... with that in mind... and since you mentioned it already, SuSE's
server probably fits all of the above, nicely. And you're already
leaning toward it.

Tummy.com's KRUD server with an update subscription and their mail
server work they've done on qmail would probably be a very viable
solution too. (And even less admin for you.) I have no idea on their
prices, but given that SuSE's product isn't exactly cheap -- it seems
like there's at least SOME budget there to spend on this project.

Personally, if I were you and I wanted to spend my time doing serious
coding, I'd lean towards finding some professional help if you really
want the system to be a "no-brainer"... the latter option would do
that. The former is a complete roll-your-own, beyond the mail server
functionality, and it sounds like you have some security considerations
that really should get more than just a passive look.

A "second-opinion" from a professional admin is probably not a bad idea
at all if you really have sensitive data on the machine. (I'd almost
say that in NOT getting some professional help on a critical machine
that also contains sensitive data, whoever's responsible for the data
might be downright negligent.)

Not a whole lot else really fits nicely in your requirements, and you
seem to have some hugely conflicting goals -- data security and as few
brain cycles spent on the solution is a very difficult mix.

If you're more comfortable with your risk-assessment than I currently
am (GRIN), you can't be too far wrong in going with SuSE. It's a
well-known, highly-used distro, with a good track record for quality.

From a systems-engineering/sysadmin standpoint, it sure seems there are
other factors involved that only a pro with either experience in
setting up your type of system, or a more concentrated effort towards
engineering practices on your part, will provide. If you can't or
won't come up with a better requirements list than "mail server, easy
to admin, must be secure", you really should consider finding someone
who can help create a better one... and then design your system to meet
the requirements. That level of requirements should never be seen
below the Marketing Department/Magazine Advertisement level.

Nate Duehr, nate at natetech.com