
Exchange 2003 vs. Sendmail Mail Routing?

good soldier svejk asks: "I am a unix sysadmin at a medium sized (~10,000 user) organization. We are currently using Exchange 5.5 for messaging, calendaring etc., and sendmail for mail routing and relaying. We arrived at this architecture because Exchange 5.5 was neither flexible enough to route our mail nor secure enough to meet our relay control standards (my Windows counterparts tell me it has since improved its relay control). Now we are looking to upgrade to Exchange 2003 and the boss wants to know if we can eliminate the sendmail layer. We use LDAP mail routing across multiple domains and Brightmail Anti-Spam. We have not yet implemented Active Directory. Does Exchange 2003 offer a sendmail comparable level of configurability and flexibility regarding routing, access control, filtering, virtual hosting and queue management? Just as important, is the Windows 2000/Exchange 2003-SMTP combination adequately securable for use in the DMZ?"
  • Sorry, I am a member of the old school "if it ain't broke, only improve it for an identified need rather than update for the sake of it".

    • The more layers there are in a solution like this, the more work is required to maintain it and the greater the chances are that something could go wrong. Just because execs aren't computer geeks doesn't mean they don't know this fundamental principle. Also consider that they don't want some "weird" setup that no other sysadmins will understand or be able to maintain. And reread the original comment. It seems to me like they are upgrading to Exchange 2003 for some other reasons, and the boss only wants
      • The more layers there are in a solution like this, the more work is required to maintain it and the greater the chances are that something could go wrong.

        Impossible. We're talking about implementing a Microsoft product. The chances of something going wrong are already 100%.
        • yuo == teh suck.
        • Ohhhh...what?!?! I can't believe I got an anti-MS joke modded down on slashdot.

          ATTENTION MODS: The above is a joke, as was the original comment. Obviously it's safer just to label it. Jeez.
        • ...and more if any ports besides 25 are world-visible. (-:

          PostFix does a lot less work generally than either SendMail or Exchange, so if I got to call any of the shots I'd start referring to a Linux (or *BSD, yadda yadda) as "the mail router" and sit PostFix in there to protect Exchange from spam, the internet in general, and overloads (you can set PostFix up to limit the send rate for "local" - ie bound for MSX - connections) on inbound mail separately, and also as a canary on outbound mail (chirp and/or

    • Exchange 5.5 is virtually EOL. It's definitely time to change or there won't be any more patches like the ones that come out for it this week. The risk isn't worth it.
  • If you want to upgrade to Exchange 2003, then you will need to get Active Directory setup, prepared and configured as stated in the Exchange 2003 documentation :)
  • There are others (Score:3, Insightful)

    by mnmn ( 145599 ) on Thursday October 16, 2003 @01:46PM (#7231187) Homepage
    I don't get why the boss ASKS for Exchange, but offer him a list of email systems including Lotus Domino, Courier MTA, Sendmail, Qmail, Exim, Postfix and others you think are appropriate for such sized organizations.

    Then run a few basic tests. It doesn't take too many hours to install and configure each of the above mail MTAs (or routers) for demonstration purposes.

    Here's how you can explain the thing... Microsoft is insecure. That's a given (show the documents proving so) and you will need an additional layer in front of Exchange to go through the emails, maybe including Bayesian filters like spamassassin. You could run it unprotected, but working unprotected is something you just don't do...

    They'll understand.
    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
      • Kolab [kde.org] is going to be a possible replacement. Though, it's still very young and has to prove itself via a couple of case studies before it can actually be a real replacement. I'm looking forward to the day where Kolab [kde.org] and Kontact [kde.org] can actually fully replace the Exchange/Outlook functionality.
      • Microsoft *IS* insecure, but find a decent mail solution, that has scheduling and can also deal with groupware aspects such as Project in a single package...I'm not talking about individual packages...I'm talking ONE package that works seamlessly.

        Ever hear of "embrace and extend"? Now, instead of a mail server being expected to efficiently route mail, it's expected to fill the roles of a mail server, file server, database server, web server, directory server, dessert topping AND a floor wax. Gee, thanks MS!
        • Comment removed based on user account deletion
          • For my personal business with 12 employees total, we use sendmail and use a web based group management software.

            BUT the minute you are talking about 30k worth of employees, you need something like this.

            Why does it have to be a single application? Integration can occur at many points.

            Exchange does what it needs to do -- it's a business solution that businesses need and have asked for.

            You're just avoiding any specific discussion of the features or merits of outlook by saying "business" a lot as if to imp
          • I failed to make one point I guess -- it isn't necessarily the idea of an integrated scheduler/tracker/calendar/mail server from the end user's viewpoint that I have a problem with...it's the twin issues of anyone taking some standard protocols and twisting them so nothing else can interoperate fully, and the fact that Exchange epitomizes feature-poor, underengineered, unreliable Microsoft software.

            It's important to separate the technical architecture of these solutions from their appearance to the end user
            • Comment removed based on user account deletion
              • No -- Exchange's standards for how it operates and stores the messages do suck. I hate the fact I can't get to this stuff without using a crappy, almost not supported web interface...

                You must be using the old OWA 5.5, which was rather limited in its interface. OWA 2000 was a welcome improvement, and OWA 2003 is an even bigger improvement. Try the free trial of OWA2003 here [microsoft.com].

          • Anybody ever use oracle for an enterprise mail system? http://www.oracle.com/ip/deploy/cs/
      • Haven't used it yet (it's a new product) but for the usual SMB Exchange features (calendaring, tasks, contacts, email, public folders, etc.) MDaemon Groupware [altn.com] might be a viable alternative. A lot cheaper than Exchange, has anti-spam filtering built in, and uses IMAP instead of MAPI, but has a plugin so you can use Outlook as the client.

        FWIW, I've used MDaemon Pro (POP3/SMTP/IMAP/LDAP server) for years now, and have been very happy with it.

      • Point of information - Lotus Notes has handled mail, scheduling, groupware, and more since Day 1, and has done so seamlessly. (Where do you think Microsoft got the idea for Exchange?)

        Plus, the server package (Domino) runs on a variety of hardware platforms and OS's; encryption is native to both server and clients; replication is faster and more reliable than Exchange/Outlook; and the whole setup is much easier to secure against crackers and viruses.

        As an added bonus, there are even open-source projects [openntf.org] d
        • Comment removed based on user account deletion
        • And you forgot to mention that it is the worst, nastiest, buggiest, clunkiest, and most limited mail client ever invented. I am forced to use it every day and it is a terrible step backwards from /bin/mail.

          It doesn't really help that our fascist administrators won't let anyone but themselves use IMAP.
      • Lotus Notes ( http://www.lotus.com/ [lotus.com]) is MUCH more than Exchange is.

        Runs on many platforms including Linux and IBM mainframe, does not require any existing infrastructure (latest Exchange requires Active Directory & Win2003 server), the new web based mail component fully supports Mozilla (and not a dumbed down version but the whole DHTML experience), it not only does mail/calendaring etc but is a platform for making your own DB apps, program in LotusScript or Java, has its own webserver, is a secure pub
      • find a decent mail solution, that has scheduling and can also deal with groupware aspects such as Project in a single package...I'm not talking about individual packages...I'm talking ONE package that works seamlessly.

        If you look sharply at Exchange, you'll find that it really is a whole pile of separate apps, and the appearance of seamlessness is given by wrapping it in the administration tools very carefully.

        I'm a Mac / Linux user at home (except when I pull up XP so I can play my video games).

        Tr

      • ..in a single package

        It's important to remind PHB's that it's really the seamlessness that matters, not the single package part. There's no reason separate packages can't offer the end user the same experience. It just requires that the components interface using known standard protocols.

        I'm not saying everyone plays together as nicely as this requires today, but I think it's an eventuality. There are simply too many people running too many different types of computing devices who want to communicate
    • Here's how you can explain the thing... Microsoft is insecure.

      You would have a very, very hard time proving that Exchange is more insecure than Sendmail.
  • Wrong layer (Score:3, Insightful)

    by GoRK ( 10018 ) on Thursday October 16, 2003 @01:49PM (#7231235) Homepage Journal
    Have you considered removing the Exchange layer and preserving the Sendmail layer? :)

    Seriously, though, if you have a setup this large, and you're already willing to fork out the dough for Exchange 2003 and all that it requires to run, why don't you pick up the phone and talk to Microsoft about getting Exchange 2003 to route properly in your setup. It'd probably be worth the money to have the people that made it get you into a setup that will work.

    I may be no fan of Microsoft, but I certainly understand when it's prudent and cost effective to get the support I'm paying for with commercial software.

    ~GoRK
  • This is Slashdot. We don't do Windows.

    This is like asking Iron Horse readers if you should replace your Hog with an ATV.

  • Yes, I'm ignorant. What does exchange offer that other MTAs, such as sendmail or postfix, don't?

    • Short answer: full integration with Exchange the MAPI-server.

      Remember that Microsoft's MTA is -also- a MAPI-server, IMAP-server, addressbook server, calendar server, etc etc. Many (annoying) Exchange functions like return receipts take advantage of this integration.

      I can almost guarantee that there is some MS-touted bell or whistle in Outlook or elsewhere that depends on you using the full suite of MS-approved servers. Be prepared to explain why it doesn't work or to offer a suitable alternative.
    • What does exchange offer that other MTAs, such as sendmail or postfix, don't?

      You would never, ever justify Exchange as a pure-play MTA. The data store was designed by Satan on crack, it's expensive, slow, painful and slow to admin, its SMTP does not play nicely with neighbors, and (post 5.5) it won't even think about talking to you unless you give it Active Directory.

      Think you're cool 'cuz you got multiple ADCs? Wrong, bucko. Exchange will not function unless it can talk to the (single-point-of-failur

      • Using calendars and tasks and notes does not make the MTA suck any less, of course.

        I'm just wondering why the fuck that needs to be part of the same program as the MTA in the first place. Why not use separate programs for those tasks? That would be much better for security, stability, performance, and peoples' sanity...

    • Yes, I'm ignorant. What does exchange offer that other MTAs, such as sendmail or postfix, don't?

      Lost mail, erroneous error messages, and 100% dependence on Windows servers.

      If you only send/receive e-mail to other users on the same MS-exchange server and 100% of your client workstations run the same version of MS-Windows, then it might be usable, especially if it is not connected to the Internet. Otherwise, stick with a traditional MTA like Sendmail, which is highly configurable, or postfix, qmail or

      • Heh, that's about what I figured...

        I recently rolled out a postfix+spamassassin+maildir+courier-imap installation, and I have to say I have been extremely pleased, and impressed. It took a little while to figure everything out, as I'm not very experienced in mail administration, but I got the job done.

        I chose postfix over sendmail because my limited experience with sendmail, while not too bad, led me to believe postfix would be easier to maintain.

        So we're using an MTA with a proven security, reliabi

        • we're using an MTA with a proven security, reliability and performance track record, all for the cost of only my time, which was significantly less than the cost of Windows+Exchange

          And there's your basic value proposition of Open Source Software. I actually send money to the software creators/vendors (well, OK, sometimes I send pizza instead) and it's *still* vastly cheaper than proprietary software.

          Less money flushed down licensing ratholes = more money converted to profit = bigger paycheck for me.

          Th

  • I have always used a small staging environment that emulates the production network. It is a nice safe way to emulate your production environment without actually affecting the users.

    In a 10,000 person company I would believe the bean counters will understand spending a couple dollars per employee to ensure the enterprise network will still function. And throw in phrases like "It will speed up our ROI, and lower the long term TCO for our infrastructure" if they don't bite right away.
  • by Talonius ( 97106 ) on Thursday October 16, 2003 @02:05PM (#7231403)
    Exchange 2003 requires Active Directory, quite an undertaking in an organization of your size.

    I would investigate the repercussions of that requirement before moving forward with any other research or comparisons.
  • Having both in your network gives you more depth of security if you ask me. If your entire email infrastructure is based on a single piece of software and that software becomes vulnerable for some reason or another....at least you've partially mitigated your exposure. Having different MTA's for relaying and end-delivery is just a good 'defense in depth' strategy in general.

    My $.02
    • I agree 100%, as does our security officer. I was hoping for some insight into the technical capabilities of E2003's SMTP implementation. If it just plain won't work then it spares us the security debate (which can get political).
      • by 4of12 ( 97621 ) on Thursday October 16, 2003 @02:42PM (#7231837) Homepage Journal

        security debate (which can get political).

        It can get political, emotional and religious if the discussion gets away from the facts.

        Defense in depth is sound security strategy; a strategy whose soundness is manifest to people of all political persuasions.

        Let Exchange do what it's good at: storing user mail messages in a database, serving IMAP clients and helping do group calendaring.

        Switch out sendmail for qmail, which is more secure. Keeping a pure MTA like qmail costs very little in the way of setup and maintenance and helps purify the traffic seen by your Exchange servers.

    • Abstracting routing from messaging keeps all the data inside the firewall where it belongs. If my sendmail boxes are rooted, I can just rebuild them. If an Exchange box is systemed (or whatever the Windows equivalent of rooting is) our user data is all over the internet. In our industry that means uncomfortable questions from Uncle Sam.
  • by skinfitz ( 564041 ) on Thursday October 16, 2003 @02:13PM (#7231497) Journal
    From your post, I wouldn't recommend Exchange, as if you are only going to be using it for mail routing, you are basically going to be paying a LOT of money for something loaded with features that you will literally never use, when you could have the same functionality for free with sendmail or Exim.

    As I read your post, you don't want mailboxes or calendaring but simply mail routing.

    You would probably be better building a big OpenBSD box and spending some time with Exim, or sendmail if you are happy with that.

    Exchange 2003 uses the Windows 2000 SMTP service for mail routing anyway, so really you don't need Exchange 2003, just a copy of Windows 2000 Server or Server 2003.

    Exchange 2003 does mailboxes and calendaring - it's a good product and does this very well but you only seem to need mail routing.
    • Re-read the post. He's already using Exchange, he's only using Sendmail for routing. With his next upgrade, he wants to eliminate Sendmail and use Exchange for the routing, AS WELL AS the calendar/groupware/project/etc functionality already in Exchange.
  • ok I was searching for a story (it links to a website having some cool html code, came out in May / June so if you know please tell me)

    and what happened to me was that I saw the list of stories .. starting from the latest and going down.. and that had two stories extra and above the last story (napster2.0) on the main page...

    I clicked on this one and got thru.. the next one (about today's kids playing 70s games..) gave me "you've nothing to see here, move on"

    so I guess that is a loophole or something whe
  • You will need Active Directory setup before you even think about exploring Exchange 2003.
  • I would love to know the "real" benchmarked and "proven" answer. Slashdot hearsay will most likely say "no." in many impolite terms.
  • you picked the wrong place to ask about removing sendmail and depending completely on "M$".
  • Lots of work... (Score:4, Informative)

    by seigniory ( 89942 ) <bigfriggin@@@me...com> on Thursday October 16, 2003 @02:58PM (#7231999)
    I'm in the same predicament here. We're a small company (~500) but handle more email than most 10,000 shops - mostly customer service-related mails.

    Anyway, first off, I'd like to say that if you have a 10,000 person organization, and you're not running AD yet, handle that first. I'd guess that you're looking at at *least* 4 months for planning and implementation of your AD environment.

    Also, you might as well go right to Windows 2003 (AD 2.0) since Exchange 2003 can only run in an AD 2.0 environment and on Windows 2003 server.

    Finally, yes, Exchange 2003 routing is much better than 5.5 (which was hooooriiiible). Now, if you're familiar with sendmail routing, who cares? :-) The only way you're going to be able to do the Exchange 2k3 (or 2k) routing you require is to program some custom COM event sinks in a .NET language.

    If your question is "can it be done" the answer is "sure it can". Just remember that, just like any major infrastructure change, it ain't gonna be easy or quick to do.

    Luckily, we were able to upgrade to Exchange 2k3 with little trouble. I'm still trying to get the hang of the custom event sinks, but it's coming along. I'm a perl guy and trying my best to use Perl.NET but there's few resources out there to help out with the nook I've created for myself.

    If you're looking for spam/anti-virus management - definitely check out Postini (www.postini.com) - they rock and are pretty cheap ($1.25/month/user). Setting us up with this service removed 4 front-end mail relays from my DMZ and dropped our spam over 90%.

    That's my $0.02.
    • Exchange 2003 can be used on Windows 2000 SP4 as well. That said, if you're going to upgrade, just go to 2003 for the Exchange side and for AD even if you still need 2000 for other apps that don't yet run on 2003. We've been running Exchange 2003 on Windows 2003 (small shop) for about two months. Zero problems and my users are happy.
    • Anyway, first off, I'd like to say that if you have a 10,000 person organization, and you're not running AD yet, handle that first. I'd guess that you're looking at at *least* 4 months for planning and implementation of your AD environment.

      Sure. I think the Windows guys are up to two years of planning at this point. It isn't clear to me why they haven't reached critical mass yet.

      Also, you might as well go right to Windows 2003 (AD 2.0) since Exchange 2003 can only run in an AD 2.0 environment and on W

    • In regards to spam filtering, take a look at CanIT. It runs $6/user for the first year and $3/user/year after that. It is very quick and easy to set up and provides incredible control over how the spam is filtered (a happy user of it).

      cheers,

      chris
  • While it is good that your boss wants to take a working system and replace it with a new unknown ( :) ), why not try some of the other Exchange replacements that have been thrown around. I suspect that you can lower your costs (software, hardware, and admin) significantly while increasing your uptimes. But I would certainly look at what MS offers as well and test it. Just because it is a .0 version from MS does not always mean that it will not work.
  • I've had to set up Exchange for one purpose...Calendaring, its integration into email, and Outlook. Along with groups that made it "mandatory" to the boss. I once had to bring up Exchange during a Love Letter infestation so that my boss could check their calendar for a meeting with our VP. Couldn't call the VP's secretary, that would have been political suicide. I didn't like it, but when the powers that be speak, you have to listen. I do like the idea of multiple layers, cuts down on vulnerability.
  • First - Setup Active Directory 2.0 (ouch)

    Second - You will need a larger exchange server to handle the additional duties. Your typical exchange server with bells and whistles handling all aspects of email including all those mapi clients shouldn't handle over 5000 users max, and 3000 optimally.

    Third - Mixed environments make good security.

    Fourth - Build for growth

    Fifth - Sell your arms and legs for the cost.

    --

    This sig meta-moderates
  • You have a small problem. First of all, Exchange 5.5 will be unsupported by the end of this year, so the upgrade to 2k/2k3 is somewhat mandatory.
    Second, as noted before, both 2k and 2k3 require active directory, which means upgrading at least your pdc and bdc's to windows 2k or windows server 2k3.
    Exchange 2k and 2k3 are both more secure and more reliable than Exchange 5.5, but I would not recommend them for DMZ use (if you want to sleep at night). Also, it will take you quite a bit of work to move your work
    • You have a small problem. First of all, Exchange 5.5 will be unsupported by the end of this year, so the upgrade to 2k/2k3 is somewhat mandatory. Second, as noted before, both 2k and 2k3 require active directory, which means upgrading at least your pdc and bdc's to windows 2k or windows server 2k3. Exchange 2k and 2k3 are both more secure and more reliable than Exchange 5.5, but I would not recommend them for DMZ use (if you want to sleep at night). Also, it will take you quite a bit of work to move your wo

    • Not exactly. Directly from the horse's mouth...

      "Q. Mainstream support for Exchange 5.5 was scheduled to end on December 31, 2003. Why are you providing the first year of extended support for no charge?

      A. Customers gave us feedback that they would like more time to migrate from Exchange 5.5. Based on this feedback, we are offering the first year of extended support at no charge. Extended support (pay-per-incident and security hotfix support) is still scheduled to end on December 31, 2005. We also invest
      • Thanks for the info, interesting.

        However, running Exchange 5.5 on Windows Server 2003 is unsupported. (And for all I know impossible... I haven't tested it yet). Believe me when I tell you that the changes in AD schema between 2000 and 2003 are massive, and in fact so massive that running Exchange 2000 on Server 2003 is impossible. And I have tested that :)
  • We have implemented inbound and outbound Postfix relays, keeping the exchange servers safe. We're running Exchange 2000 native AD.

    I feel much safer with Postfix and ssh being my only two internet-facing ports, and having Exchange well removed from the rest of the world.

    Another note would be to keep an inbound and outbound relay system, primarily so you don't get bitten by your own configuration mistakes. It's possible to make a slip that would allow open relay.

    Not to start a Postfix/Sendmail flam
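The relay-only front end described in the two Postfix comments above (a box in the DMZ that accepts mail for your domains, hands it to Exchange, throttles delivery so a burst cannot overload the back end, and is configured so a slip does not turn it into an open relay), written out as an added Postfix main.cf example; this is not a poster's configuration. example.com, example.net, relay1.example.com, exchange.internal, 192.0.2.0/24 and the /etc/postfix file names are constructed placeholders, and the rate-limit line assumes Postfix 2.2 or later.

```ini
# Added example: main.cf for a DMZ relay in front of Exchange.
# All names, networks and paths below are constructed placeholders.

myhostname = relay1.example.com

# No local mailboxes on the relay: leave mydestination empty so that every
# accepted recipient must either match relay_domains or come from mynetworks.
mydestination =

# Inbound: only these domains may be relayed from the outside world.
relay_domains = example.com, example.net

# Reject recipients the directory does not know about before accepting the
# message, so the relay does not generate backscatter for Exchange or for
# third parties. The table is built from the directory (an LDAP map works as
# well); a hash file generated with "postmap" is assumed here.
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Route relayed domains to the Exchange SMTP connector instead of doing an MX
# lookup. Contents of /etc/postfix/transport (run "postmap" on it):
#   example.com    smtp:[exchange.internal]
#   example.net    smtp:[exchange.internal]
# The brackets tell Postfix to use the name as given and skip MX resolution.
transport_maps = hash:/etc/postfix/transport

# Outbound: internal networks allowed to send mail out through this relay.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# The check that prevents an open relay. Order matters: trusted networks are
# permitted first, then anything whose destination is not one of our relay
# domains is rejected. Nothing after reject_unauth_destination can re-open it.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Throttle delivery to the Exchange side so an inbound flood is absorbed by
# the relay's queue rather than by the mailbox server: at most 5 parallel
# connections per destination and 50 recipients per message.
smtp_destination_concurrency_limit = 5
smtp_destination_recipient_limit = 50

# Per-client inbound connection rate limit (Postfix 2.2+, anvil service):
# at most 30 new connections per client per time unit from outside networks.
smtpd_client_connection_rate_limit = 30

# Small hardening items for an Internet-facing relay.
smtpd_helo_required = yes
disable_vrfy_command = yes
```

After editing, `postconf -n` shows the effective settings and `postfix check` reports syntax or permission problems before the relay is put in service.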
  • And while I think it's a good product for offering its core functionality, integrated groupware, it is not something to be put at the edge for routing or relaying. Part of the problem with what your boss wants to do is that you'll have to extend Active Directory (AD) into your DMZ; Exchange is very heavily integrated with AD, and as a security conscious admin I shudder at the thought of extending AD into the DMZ; you'd either have to open up the ports for AD to your backend, or even worse, put a domain co
    • Thanks. That is exactly the kind of feedback I was looking for.

      I found some documentation and it looks to me like the basic SMTP service is part of IIS, but that the routing functionality is AD dependent and only added to the service when you install Exchange. As you say, that means putting Exchange and AD, in the DMZ, not to mention whatever other parts of IIS you can't disable. It also looks like the AD access is by necessity read/write. Gack!
  • ... don't fix it!

    Why should sendmail be ripped out of its role? Are you wary because of the recent security bugs? If yes, replacing it with Postfix or qmail might be easier. If not, what is your boss's reasoning for replacing sendmail? Does he have a problem keeping sendmail expertise in-house (I agree that sendmail administration is close to black magic)?
  • Groupwise!

    Install a Novell Groupwise server. It can run on Novell and windows servers. Lusers can use either the groupwise client, or Outlook. Groupwise is comparable to exchange, but it's far more stable. Pricing might be very competitive.
    Groupwise doesn't hog the processor, and is relatively low on resources. This means that we have over 500 users on one server (PIII-550, Raid5, 1024 MB). If you need webmail you might need another server.
    Novell is currently investing in Open Source and Linux, so methi

  • by rainer_d ( 115765 ) * on Sunday October 19, 2003 @10:34AM (#7253803) Homepage
    Exchange does more than just email, so you can't replace it with a qmail-toaster.

    SamsungContact [samsungcontact.com]
    SuSE Openexchange Server [suse.com]
    Oracle Collaboration Suite [oracle.com]
    and
    Lotus Notes [lotus.com]

    are viable products that don't rely on AD and MSFT-products.

    I use qmail for myself, but it's not something for people who need calendaring.
    Disclaimer: my company re-sells SuSE's product.
