FW: MailScanner ANNOUNCE: New commercial product SMGateway

Stephen Swaney steve.swaney at FSL.COM
Wed Mar 2 20:01:40 GMT 2005

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of John Rudd
> Sent: Wednesday, March 02, 2005 1:28 PM
> Subject: Re: MailScanner ANNOUNCE: New commercial product SMGateway
> On Mar 2, 2005, at 6:29 AM, Julian Field wrote:
> > We are pleased to announce SMGateway, the first Secure Mail Gateway
> > product from Fortress Systems Ltd.
> - Active Directory Authentication?  What about Kerberos?  (POP/IMAP is
> good enough for us (since those check against our Kerberos pass
> phrases), but I'm curious if you're doing AD via LDAP, or AD via
> Kerberos, or some other aspect of AD authentication I'm not aware of
> ... and if you're doing it via AD's LDAP functionality, I wonder why
> you didn't also list LDAP authentication in the blurb)

Our design goal was "no user account maintenance on the Gateway" and we
tried to keep it as simple as possible and the word LDAP scares some people
:). Even older Exchange servers can be configure to use POP or IMAP so we
can pretty much allow any user to authenticate and log into the SMGateway
server to set spam preferences with no need to setup users on the gateway.

In the same vein, the ability to use milter-ahead means that for most back
end mailhubs, rejecting email for unknown users is as simple as clicking on
a checkbox

> - Redhat only?  No Solaris support?  Any Solaris support planned?

This is intended to be our lower cost, single gateway offering. As such, we
felt the right OS to support first would be Red Hat and CentOS. Other OS
support is being considered.  Also please see my remarks on clustering

> - Also, we use an array of machines to do our mailscanner work right
> now.  Does SMGateway support this (Ie. users only have to set their
> options on one machine, instead of having to touch all 4 of them?).  My
> impression is that because you're using MailWatch, which I thought uses
> mysql for various things, then it might be possible to put the mysql
> database on a separate machine, and thus have multiple work-horse
> machines that all use 1 configuration database.  Is that an
> appropriate/accurate assumption?

This will be our SMCluster configuration due out later in the year. The
architecture is already present in SMGateway. A SQL server stores
configuration data and checkpoints (for roll backs) and populates and LDAP
directory. In the SMCluster architecture, the web interface, database and
LDAP directory are hosted on a standalone server. Each gateway has an LDAP
replica and a few synchronized files. We have a few other tricks planned for
SMCluster setup but that is the basic plan.

> - When you say 1 year of updates, what do you mean exactly?  (I mean,
> if it's free to download, does that mean I could install the new
> versions by hand for free, but you have some stream lined auto-update
> engine that costs money to keep feeding it?  or is there some other
> aspect of updates that's not clearly being presented here? or what?)
> (don't get me wrong, the compelling part of the prices is the support
> contracts, and if we were to go down the SMGateway path, we would be
> getting a support contract regardless of what the updates part means
> ... but I'm curious what that part of the contract _actually_ means,
> considering the download is free)

Yet it's free to download and use and yes you could simply keep updating by
downloading and installing the new application and restoring your
preferences. An experienced administrator could update many parts simply by
building their own rpms to our specs. All of this would be fine with us.

Our target customer is an organization that can see the benefits and cost
savings of paying experts to do what experts do well and efficiently. We
believe that for most organizations the maintenance costs of our SMGateway
solution will be less than the cost of trying to keep all of the
applications updated in-house.

Our goal is to make an integrated MailScanner, SpamAssassin and MailWatch
server so simple to install, configure and maintain that it will become the
most obvious solution to the spam and virus problem. We hope to do this at a
cost that will be affordable for everyone.

Please note that the package consists of +70 rpms that all reside in
/opt/Fortress. It took a lot longer to develop this way but we are as
independent as possible from the Architecture and problems that can be
caused by Operating System Updates. Anyone who has seen the operating system
update package-skip-list(s) needed on Ensim or C-panel systems can
appreciate the benefits of this approach. It also means that we can more
quickly react to easily update individual applications as required. This has
been difficult for most of our competition. Timely updating is absolutely
essential for and anti-spam or anti-virus solution.

> Since I've asked those other questions, I might as well ask these:
> - instead of email forwarding being user configured, can the
> administrator(s) turn it off and make it completely unavailable to the
> end user?  We have other methods for setting up user forwards, and
> those need to remain our authoritative mechanisms.

We had not considered this but there is no reason that it could not be

> - does it allow per-user bayes databases?


> - does it allow bayes databases to be completely disabled?


> - it talks about mailwatch doing quarantine management; does MailWatch
> get upset if you turn off quarantining completely?

Not at all. MailWatch never gets upset. It is quite a happy application :)

> - I recently wrote a script that reads through the sendmail and
> mailscanner syslogs and extracts data about each virus (relay that sent
> it, mail queue ID, viruses that were in the message, claimed SMTP
> Mail-From, date and time of the message) and mails $relay at abuse.net
> with a report about each infected message that relay sent us (1 stanza
> per message) ... I seem to recall that one of the things that MailWatch
> does with mysql is logging to mysql; can I still have it also do
> logging to syslog, so I don't have to re-write my nightly report?

You would probably find the MailWatch Database a rich place to mine for any
customized reporting. I've had a peek at the latest cvs version and
MailWatch is definitely an application you want to keep an eye on.

> (we're actually evaluating vendor supported alternatives to
> MailScanner* right now ... including things like Sophos Pure Message
> and Ironport, etc.  So, it's very interesting to me that this product
> would come out right as we're doing that, it might allow us to put
> MailScanner into our list of products; but Solaris and Clustering are
> on our requirements list (as "must") ... Linux and FreeBSD are just on
> our "should" list; if Solaris and Clustering are there, I could easily
> add this to our list of products to evaluate)

I know that clustering will be coming and with clustering, we will need to
support the sleeker and more expensive hardware. Right now we are installing
and supporting some fairly large multiple gateway solutions using
MailScanner, SpamAssassin and MailWatch + custom programming and they work
very well. We know there are some very large installations that use
MailScanner successfully. We hope our clustering solution will make the
administration of MailScanner in the enterprise a bit easier to install,
maintain and operate.

If you or any other enterprise sites are interested in working with us on
the development of the SMCluster software, please email me off list.

> (* I'm not unsatisfied with mailscanner, it's just that we have a
> larger set of interests and requirements that are being evaluated, and
> we would have to "roll our own" to just use mailscanner in that new
> picture ... which we would rather not do, so we're looking at our
> alternatives; a lot of what we're looking for, though, is on the list
> of SMGateway's features)

SMGateway is not and was not intended to be the product for every site. For
smaller sites it can be the best solution available at any cost. While there
are no hard and fast rules because of the differences between sites, I'd
guess that for sites with under 75 users, outsourcing to an experienced site
that uses MailScanner for email processing will be the most cost effective
solution. Most of the MailScanner hosting sites here in the US appear to
charge about 1/2 the price charged by Brightmail and Postini (who won't even
talk to small sites).

For the 75 to 2000 mailbox sites, SMGateway can be a very effective

Thanks for the questions,


Steve Swaney
Fortress Systems Ltd.
Phone: 202 338-1670
Cell: 202 352-3262
steve.swaney at fsl.com

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list