Exchange 2003 vs. Sendmail Mail Routing?
good soldier svejk asks: "I am a unix sysadmin at a medium sized (~10,000 user) organization. We are currently using Exchange 5.5 for messaging, calendaring etc., and sendmail for mail routing and relaying. We arrived at this architecture because Exchange 5.5 was neither flexible enough to route our mail nor secure enough to meet our relay control standards (my Windows counterparts tell me it has since improved its relay control). Now we are looking to upgrade to Exchange 2003 and the boss wants to know if we can eliminate the sendmail layer. We use LDAP mail routing across multiple domains and Brightmail Anti-Spam. We have not yet implemented Active Directory. Does Exchange 2003 offer a sendmail-comparable level of configurability and flexibility regarding routing, access control, filtering, virtual hosting and queue management? Just as important, is the Windows 2000/Exchange 2003-SMTP combination adequately securable for use in the DMZ?"
But why change? (Score:1)
Re:But why change? (Score:2)
Re:But why change? (Score:1)
Impossible. We're talking about implementing a Microsoft product. The chances of something going wrong are already 100%.
Re:But why change? (Score:1)
Re:But why change? (Score:1)
ATTENTION MODS: The above is a joke, as was the original comment. Obviously it's safer just to label it. Jeez.
Probably closer to 110%... (Score:2)
Postfix does a lot less work generally than either Sendmail or Exchange, so if I got to call any of the shots I'd start referring to a Linux (or *BSD, yadda yadda) as "the mail router" and sit Postfix in there to protect Exchange from spam, the internet in general, and overloads (you can set Postfix up to limit the send rate for "local" - i.e. bound for MSX - connections) on inbound mail separately, and also as a canary on outbound mail (chirp and/or
Re:Probably closer to 110%... (Score:2)
The boss just wants to know if windows can do the work. It couldn't when I built the current system.
Re:But why change? (Score:2)
Better get Active Directory setup... (Score:2, Informative)
There are others (Score:3, Insightful)
Then run a few basic tests. It doesn't take too many hours to install and configure each of the above mail MTAs (or routers) for demonstration purposes.
Here's how you can explain the thing... Microsoft is insecure. That's a given (show the documents proving so) and you will need an additional layer in front of Exchange to go through the emails, maybe including Bayesian filters like spamassassin. You could run it unprotected, but working unprotected is something you just don't do...
They'll understand.
Re: (Score:3, Interesting)
Re:There are others (Score:1)
Re:There are others (Score:1)
Ever hear of "embrace and extend"? Now, instead of a mail server being expected to efficiently route mail, it's expected to fill the roles of a mail server, file server, database server, web server, directory server, dessert topping AND a floor wax. Gee, thanks MS!
Re: (Score:2)
Re:There are others (Score:1)
BUT the minute you are talking about 30k worth of employees, you need something like this.
Why does it have to be a single application? Integration can occur at many points.
Exchange does what it needs to do -- it's a business solution that businesses need and have asked for.
You're just avoiding any specific discussion of the features or merits of outlook by saying "business" a lot as if to imp
Re:There are others (Score:1)
It's important to separate the technical architecture of these solutions from their appearance to the end user
Re: (Score:2)
Re:There are others (Score:1)
You must be using the old OWA 5.5, which was rather limited in its interface. OWA 2000 was a welcome improvement, and OWA 2003 is an even bigger improvement. Try the free trial of OWA2003 here [microsoft.com].
Re: (Score:2)
Oracle 9i (Score:1)
Re:There are others (Score:1)
Nobody bought it. Literally.
With Exchange 2000, SMTP replaced X.400 completely, it's FAR from an afterthought.
Re:There are others (Score:2)
FWIW, I've used MDaemon Pro (POP3/SMTP/IMAP/LDAP server) for years now, and have been very happy with it.
Re:There are others (Score:1)
Plus, the server package (Domino) runs on a variety of hardware platforms and OS's; encryption is native to both server and clients; replication is faster and more reliable than Exchange/Outlook; and the whole setup is much easier to secure against crackers and viruses.
As an added bonus, there are even open-source projects [openntf.org] d
Re: (Score:2)
Re:There are others (Score:1)
It doesn't really help that our fascist administrators won't let anyone but themselves use IMAP.
Re:There are others (Score:1)
Runs on many platforms including Linux and IBM mainframe, does not require any existing infrastructure (latest Exchange requires Active Directory & Win2003 server), the new web based mail component fully supports Mozilla (and not a dumbed down version but the whole DHTML experience), it not only does mail/calendaring etc but is a platform for making your own DB apps, program in LotusScript or Java, has its own webserver, is a secure pub
The seamy side of life (Score:2)
If you look sharply at Exchange, you'll find that it really is a whole pile of separate apps, and the appearance of seamlessness is given by wrapping it in the administration tools very carefully.
Tr
Re:There are others (Score:2)
It's important to remind PHB's that it's really the seamlessness that matters, not the single package part. There's no reason separate packages can't offer the end user the same experience. It just requires that the components interface using known standard protocols.
I'm not saying everyone plays together as nicely as this requires today, but I think it's an eventuality. There are simply too many people running too many different types of computing devices who want to communicate
Re:There are others (Score:2)
qmail is secure [cr.yp.to].
Re:There are others (Score:2)
You would have a very, very hard time proving that Exchange is more insecure than Sendmail.
Wrong layer (Score:3, Insightful)
Seriously, though, if you have a setup this large, and you're already willing to fork out the dough for Exchange 2003 and all that it requires to run, why don't you pick up the phone and talk to Microsoft about getting Exchange 2003 to route properly in your setup. It'd probably be worth the money to have the people that made it get you into a setup that will work.
I may be no fan of Microsoft, but I certainly understand when it's prudent and cost effective to get the support I'm paying for with commercial software.
~GoRK
Why are you asking us? (Score:1, Flamebait)
This is like asking Iron Horse readers if you should replace your Hog with an ATV.
Why exchange? (Score:2)
Re:Why exchange? (Score:2)
Remember that Microsoft's MTA is -also- a MAPI-server, IMAP-server, addressbook server, calendar server, etc etc. Many (annoying) Exchange functions like return receipts take advantage of this integration.
I can almost guarantee that there is some MS-touted bell or whistle in Outlook or elsewhere that depends on you using the full suite of MS-approved servers. Be prepared to explain why it doesn't work or to offer a suitable alternative.
Re:Why exchange? (Score:1)
You would never, ever justify Exchange as a pure-play MTA. The data store was designed by Satan on crack, it's expensive, slow, painful and slow to admin, its SMTP does not play nicely with neighbors, and (post 5.5) it won't even think about talking to you unless you give it Active Directory.
Think you're cool 'cuz you got multiple ADCs? Wrong, bucko. Exchange will not function unless it can talk to the (single-point-of-failur
Re:Why exchange? (Score:2)
I'm just wondering why the fuck that needs to be part of the same program as the MTA in the first place. Why not use separate programs for those tasks? That would be much better for security, stability, performance, and peoples' sanity...
Re:Why exchange? (Score:2)
Lost mail (Score:1)
Lost mail, erroneous error messages, and 100% dependence on Windows servers.
If you only send/receive e-mail to other users on the same MS-exchange server and 100% of your client workstations run the same version of MS-Windows, then it might be usable, especially if it is not connected to the Internet. Otherwise, stick with a traditional MTA like Sendmail, which is highly configurable, or postfix, qmail or
Re:Lost mail (Score:1)
I recently rolled out a postfix+spamassassin+maildir+courier-imap installation, and I have to say I have been extremely pleased, and impressed. It took a little while to figure everything out, as I'm not very experienced in mail administration, but I got the job done.
I chose postfix over sendmail because my limited experience with sendmail, while not too bad, led me to believe postfix would be easier to maintain.
So we're using an MTA with a proven security, reliabi
Re:Lost mail (Score:2)
And there's your basic value proposition of Open Source Software. I actually send money to the software creators/vendors (well, OK, sometimes I send pizza instead) and it's *still* vastly cheaper than proprietary software.
Less money flushed down licensing ratholes = more money converted to profit = bigger paycheck for me.
Th
Ever Hear of a Test Lab? (Score:1)
In a 10,000 person company I would believe the bean counters will understand spending a couple dollars per employee to ensure the enterprise network will still function. And throw in phrases like "It will speed up our ROI, and lower the long term TCO for our infrastructure" if they don't bite right away.
Spank This (Score:1)
I saw nothing in the original post to indicate that this was the sole method of research being used. I do consider asking peers for their advice to be a valid tool... and part of a valid research methodology.
Contrary to popular belief, there are some good ideas floating amongst the scum... you just need proper filtering.
/. is a great resource! (Score:2)
I have a long list of bookmarks from AskSlashdots like these! I read thru and pick things for my own projects to come back to as needed. It saves time, and many /.ers are fairly high-up and have a great deal of experience to draw from. You'd be stupid NOT to look here first. If only /. comments were more easily searchable for such things...A little d
You have a major problem. (Score:5, Informative)
I would investigate the repercussions of that requirement before moving forward with any other research or comparisons.
Re:You have a major problem. (Score:2)
Not only that, but it requires Windows 2003 AD, IIRC.
Re:You have a major problem. (Score:2)
No. Exchange 2003 runs fine on Windows 2000 Server. It's Exchange 2000 that won't run on Windows Server 2003 (in any supported configuration).
Re:You have a major problem. (Score:1)
You can implement Exchange 2003 in a Windows 2000 AD. Here... [microsoft.com]
Re:You have a major problem. (Score:2)
A large organization without an AD or LDAP-like infrastructure would certainly benefit from it.
Capabilities aside....... (Score:2)
My $.02
Re:Capabilities aside....... (Score:2)
Re:Capabilities aside....... (Score:4, Insightful)
security debate (which can get political).
It can get political, emotional and religious if the discussion gets away from the facts.
Defense in depth is sound security strategy; a strategy whose soundness is manifest to people of all political persuasions.
Let Exchange do what it's good at: storing user mail messages in a database, serving IMAP clients and helping do group calendaring.
Switch out sendmail for qmail, which is more secure. Keeping a pure MTA like qmail costs very little in the way of setup and maintenance and helps purify the traffic seen by your Exchange servers.
Also... (Score:2)
I wouldn't recommend Exchange for you (Score:3, Insightful)
As I read your post, you don't want mailboxes or calendaring but simply mail routing.
You would probably be better building a big OpenBSD box and spending some time with Exim, or sendmail if you are happy with that.
Exchange 2003 uses the Windows 2000 SMTP service for mail routing anyway so really you don't need Exchange 2003, just a copy of Windows 2000 server or server 2003.
Exchange 2003 does mailboxes and calendaring - it's a good product and does this very well but you only seem to need mail routing.
Re:I wouldn't recommend Exchange for you (Score:3, Interesting)
Not Related : But Editors please SEE (Score:1)
and what happened to me was that I saw the list of stories
I clicked on this one and got thru.. the next one (about today's kids playing 70s games..) gave me "you've nothing to see here, move on"
so I guess that is a loophole or something whe
Well, start with AD (Score:1)
I can predict the answers... (Score:1)
ha! (Score:2)
Lots of work... (Score:4, Informative)
Anyway, first off, I'd like to say that if you have a 10,000 person organization, and you're not running AD yet, handle that first. I'd guess that you're looking at *least* 4 months for planning and implementation of your AD environment.
Also, you might as well go right to Windows 2003 (AD 2.0) since Exchange 2003 can only run in an AD 2.0 environment and on Windows 2003 server.
Finally, yes, Exchange 2003 routing is much better than 5.5 (which was hooooriiiible). Now, if you're familiar with sendmail routing, who cares?
If your question is "can it be done" the answer is "sure it can". Just remember that just like any major infrastructure change, it ain't gonna be easy or quick to do.
Luckily, we were able to upgrade to Exchange 2k3 with little trouble. I'm still trying to get the hang of the custom event sinks, but it's coming along. I'm a perl guy and trying my best to use Perl.NET but there's few resources out there to help out with the nook I've created for myself.
If you're looking for spam/anti-virus management - definitely check out Postini (www.postini.com) - they rock and are pretty cheap ($1.25/month/user). Setting us up with this service removed 4 front-end mail relays from my DMZ and dropped our spam over 90%.
That's my $0.02.
Exchange 2K3 on Win2K (Score:2)
Re:Lots of work... (Score:2)
Sure. I think the Windows guys are up to two years of planning at this point. It isn't clear to me why they haven't reached critical mass yet.
Re:Lots of work... (Score:1)
cheers,
chris
Alternatives (Score:2)
PHB's live by their Calender (Score:1)
Just a few thoughts... (Score:1)
Second - You will need a larger exchange server to handle the additional duties. Your typical exchange server with bells and whistles handling all aspects of email including all those mapi clients shouldn't handle over 5000 users max, and 3000 optimally.
Third - Mixed environments make good security.
Fourth - Build for growth
Fifth - Sell your arms and legs for the cost.
--
This sig meta-moderates
Stick with Sendmail (Score:2, Insightful)
Second, as noted before, both 2k and 2k3 require active directory, which means upgrading at least your pdc and bdc's to windows 2k or windows server 2k3.
Exchange 2k and 2k3 are both more secure and more reliable than Exchange 5.5, but I would not recommend them for DMZ use (if you want to sleep at night). Also, it will take you quite a bit of work to move your work
Re:Stick with Sendmail (Score:2)
Re:Stick with Sendmail (Score:1)
"Q. Mainstream support for Exchange 5.5 was scheduled to end on December 31, 2003. Why are you providing the first year of extended support for no charge?
A. Customers gave us feedback that they would like more time to migrate from Exchange 5.5. Based on this feedback, we are offering the first year of extended support at no charge. Extended support (pay-per-incident and security hotfix support) is still scheduled to end on December 31, 2005. We also invest
Re:Stick with Sendmail (Score:1)
However, running Exchange 5.5 on Windows Server 2003 is unsupported. (And for all I know impossible... I haven't tested it yet). Believe me when I tell you that the changes in AD schema between 2000 and 2003 are massive, and in fact so massive that running Exchange 2000 on server 2003 is impossible. And I have tested that
Keep the relays (Score:2)
I feel much safer with Postfix and ssh being my only two internet-facing ports, and having Exchange well removed from the rest of the world.
Another note would be to keep an inbound and outbound relay system, primarily so you don't get bitten by your own configuration mistakes. It's possible to make a slip that would allow open relay.
Not to start a Postfix/Sendmail flam
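To make the "relay in front of Exchange" setup from the comments above concrete, here is an added Postfix main.cf fragment. It is constructed for this page, not any poster's configuration; the hostnames, networks, the transport table and the LDAP table file are assumptions.

```ini
# Constructed main.cf fragment: a Postfix relay in the DMZ fronting an
# internal Exchange server. Covers relay control, LDAP-driven recipient
# checking, and a throttle on the flow toward Exchange. Hostnames,
# networks and table files are placeholders.
myhostname = relay.example.com
# This box holds no mailboxes; everything is relayed inward or outward.
mydestination =
# Domains accepted from the Internet and forwarded to Exchange.
relay_domains = example.com, example.org
# Per-domain delivery target; /etc/postfix/transport (run through
# postmap) would contain:
#   example.com   relay:[exchange.internal.example.com]
#   example.org   relay:[exchange.internal.example.com]
transport_maps = hash:/etc/postfix/transport
# Reject unknown recipients at the edge instead of letting Exchange
# bounce them later. The assumed LDAP table /etc/postfix/ldap-recipients.cf:
#   server_host = ldap.internal.example.com
#   search_base = ou=people,dc=example,dc=com
#   query_filter = (mail=%s)
#   result_attribute = mail
relay_recipient_maps = ldap:/etc/postfix/ldap-recipients.cf
# Hosts allowed to send OUTBOUND through this relay: only the internal
# mail servers, not the whole site.
mynetworks = 127.0.0.0/8, 10.20.30.0/24

# --- WEAK: the kind of slip that turns the box into an open relay ---
# Trusting the whole Internet makes permit_mynetworks match every
# client, so reject_unauth_destination below never gets a chance to run:
#   mynetworks = 0.0.0.0/0
# --- CORRECTED: trusted hosts first, then refuse to relay elsewhere ---
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient

# Cap simultaneous deliveries into Exchange so a burst from the Internet
# queues here rather than overloading the message store.
relay_destination_concurrency_limit = 10
```

With mynetworks kept narrow, mail from outside is accepted only for the listed relay_domains and only for recipients the directory knows, while outbound mail is accepted only from the internal servers.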
I've been an exchange admin for 5+ years (Score:1)
Re:I've been an exchange admin for 5+ years (Score:2)
I found some documentation and it looks to me like the basic SMTP service is part of IIS, but that the routing functionality is AD dependent and only added to the service when you install Exchange. As you say, that means putting Exchange and AD, in the DMZ, not to mention whatever other parts of IIS you can't disable. It also looks like the AD access is by necessity read/write. Gack!
If it's not broken ... (Score:2)
Why should sendmail be ripped out of its role? Are you wary because of the recent security bugs? If yes, replacing it with Postfix or qmail might be easier. If not, what is your boss's reasoning for replacing sendmail? Does he have problems keeping sendmail expertise in-house (I agree that sendmail administration is close to black magic)?
shameless plug (Score:1)
Install a Novell Groupwise server. It can run on Novell and windows servers. Lusers can use either the groupwise client, or Outlook. Groupwise is comparable to exchange, but it's far more stable. Pricing might be very competitive.
Groupwise doesn't hog the processor, and is relatively low on resources. This means that we have over 500 users on one server (PIII-550, Raid5, 1024 MB). If you need webmail you might need another server.
Novell is currently investing in Open Source and Linux, so methi
Re:shameless plug (Score:1)
Re:shameless plug (Score:2)
And for those looking for alternative systems... (Score:3, Informative)
SamsungContact [samsungcontact.com]
SuSE Openexchange Server [suse.com]
Oracle Collaboration Suite [oracle.com]
and
Lotus Notes [lotus.com]
are viable products that don't rely on AD and MSFT-products.
I use qmail for myself, but it's not something for people who need calendaring.
Disclaimer: my company re-sells SuSE's product.