MailScanner on Exchange

Stephen Swaney steve.swaney at fsl.com
Tue Nov 1 18:12:17 GMT 2005


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Dennis Willson
> Sent: Tuesday, November 01, 2005 12:13 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: MailScanner on Exchange
> 
> Well, unfortunetly, my experience tells me it's over for you. How do you
> defend a bad decision when Management is willing to ignore both cost and
> security? I have worked a lot with exchange and found that it should
> NEVER directly receive from the Internet (send either for that matter).
> It's something the company will pay for, over and over and over again.
> However it's doubtful if they will ever see (because they don't want to)
> the real cost of that decision.
> 
> Dennis
> 
> hermit921 wrote:
> 
> > The idea is to get rid of the MailScanner systems as being a waste of
> > time, money, hardware, etc.  There will be a cluster of Exchange
> > servers facing the internet that do something, and then pass email to
> > the back end where users will interact.
> >
> > "All the functionality of MailScanner" will be replicated on either
> > the front end or back end - that isn't clear.  Of course we will have
> > to go from free products to much more expensive commercial products,
> > but that doesn't seem to be relevant.
> >
> > My question is very specific.  Do people have a comparison chart, or
> > even product list, of applications that run on an Exchange server to
> > duplicate MailScanner functionality?
> >
> > hermit921
> >
> >
> > At 08:46 AM 11/1/2005, Stephen Swaney wrote:
> >
> >> > -----Original Message-----
> >> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >> > Behalf Of hermit921
> >> > Sent: Tuesday, November 01, 2005 11:20 AM
> >> > To: MAILSCANNER at JISCMAIL.AC.UK
> >> > Subject: MailScanner on Exchange
> >> >
> >> > My company decided to move to Exchange for its main mail server
> >> "It's a
> >> > Management decision".  The two people hired to manage Exchange
> >> claim there
> >> > are products that run on the Exchange server that do everything
> >> > MailScanner
> >> > (and associated programs) can do.  I don't believe it.  Could I be
> >> wrong,
> >> > or even mostly wrong, about this?
> >> >
> >> > hermit921
> >>
> >> This question should set off a flurry of responses :) An Exchange
> >> server can
> >> work quite well if you have many $$$, plenty of good technical
> >> support and
> >> lots of computer resources but they should always be protected from the
> >> Internet. I come from a paranoid investment banking environment and
> >> there
> >> they always protect the Exchange servers behind gateways!
> >>
> >> A few of my comments:
> >>
> >> 1. Exchange servers tend to be relatively BUSY. Having a MailScanner
> >> gateway
> >> in front of the Exchange server will GREATLY reduce the load on the
> >> Exchange
> >> server because it will stop most of the Junk at the gateway. We have
> >> installed MailScanner gateways on sites that thought they needed an
> >> expensive Exchange hardware upgrade. The load was so greatly reduced;
> >> the
> >> old hardware is still running quietly with no strain.
> >>
> >> 2. You can run multiple free (or lower cost) Virus scanners on the
> >> MailScanner gateway. You'll still want a virus scanner on the Exchange
> >> server to internal mail for viruses but if you have an enterprise
> >> license
> >> for a virus scanner, you can probably also use that scanner on the
> >> gateway
> >> at no additional cost.
> >>
> >> 3. I like to keep Microsoft servers as far away from the Internet as
> >> possible. Having a gateway and configuring your Exchange server
> >> correctly
> >> will keep it a lot safer, more reliable and quieter.
> >>
> >> 4. Read Microsoft's white paper on how to stop spam :) The list is
> >> down so I
> >> can't find the link but it's quite amusing and quit sophomoric.
> Possibly
> >> some packrat can send you the link.
> >>
> >> Stephen Swaney
> >> Fort Systems Ltd.
> >> stephen.swaney at fsl.com
> >> www.fsl.com
> >

I can tell you from personal experience that no New York Investment bank
(think names like Goldman Sachs, USB, Morgan Stanley, Chase, etc.) would
ever think of connecting an Exchange server directly to the Internet. Their
security officers would not allow it.

While most New York Investment banks use Exchange servers, I'm fairly
certain that most, if not all, are protected by non- Microsoft gateways.

Google for: Microsoft Exchange security vulnerabilities. I'd list the
results but there are a few too many:

Results 1 - 10 of about 2,030,000 for Microsoft Exchange security
vulnerabilities. (0.29 seconds) 

So if:

Your "consultant" knows more about security than the big Investment banks.

Your "consultant" wants to spend many $$$ on adding third party software to
the MS server to try and stop spam and viruses.

Your "consultant" wants to impose unnecessary load on your new Exchange
servers

You want to throw away a perfectly good MailScanner gateway that can be
easily modified to compliment and protect your new Exchange servers.

You can easily add such new free anti-spam features such as grey-listing,
greet_pause, connection_rate_throttle (and many more) to your Exchange
servers.

Just tell the boss to bend over and proceed.

I've seen this before where a clueless "consultant" just wants to sell and
install the very profitable Microsoft and third party accessories plus the
"consulting: fees to install and configure all these products. They help
justify the excessive costs by saying that you can "save money by retiring
the MailScanner gateway(s)". 

If they had a clue they would retain the MailScanner gateway(s).

Hope this helps,

Steve

Stephen Swaney
Fort Systems Ltd.
stephen.swaney at fsl.com
www.fsl.com!

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!



More information about the MailScanner mailing list