Thursday, February 15, 2007

So … which Linux distro got the job?

Well, it took a while but I finally have a mail/groupware server alternative to Exchange Server in the shape of Kerio MailServer6. But what to run it on?

If you’ve been following this saga, you’ll know that the initial brief I set of replacing Exchange Server expanded into a need to replace the underlying Windows server operating system as well with one of the many Linux variants out there. But which?

Fedora Core 6 is the answer – at least for me. Being based on Red Hat it had the blend of server functions and management tools I was looking for as well as access to the latest stable versions of Samba.

In praise of Kerio

To refresh my knowledge of Kerio MailServer I downloaded a copy of the latest version 6 from the company’s web site and loaded it up on a test server. All the things I remember liking about the product are still there and it has improved and solidified in several key areas. The product can run on either a Windows or Linux platform.

The first thing to like is the clean and simple management interface. For anyone used to Microsoft’s muddle of tools spread across different management consoles, Kerio’s approach will come like a bolt out of the blue. A single console window provides access to all functions of the server from configuration, choice of protocols, user management through to logs on its behaviour. Setup is a breeze – complete a few forms to set up the domains and users you want to give access to (with convenient import functions for large setups) and you’re up and running. Safely! Which brings me to the second thing to like …

Antivirus is built in to the mailserver itself. You can either use the supplied McAfee with its automatically updated database or one of several alternatives from the likes of Sophos, Grisoft etc. that you supply separately. You can even use several AV engines in tandem if you want. Spam is equally well covered with a comprehensive arsenal of filters, blocklists, repellents, caller-ID lookups, SPF checks and SpamAssassin built in. Less than 2% of spam gets through even the lightweight configuration I have implemented, with very few false positives.

The server’s database can be automatically backed up and archived without user intervention. It can retrieve email from other servers or external accounts (such as Yahoo or Hotmail) and drop the messages into recipient mailboxes directly. It can handle multiple identities and email addresses, aliases at individual or group level. And it has good status and logging functions that keep this administrator well informed of what is going on.

The latest version even has ActiveSync functionality built in so sync’ing a Windows based PDA or mobile phone over a Bluetooth or wireless connection is automatic and seamless. Wonderful!

But the very best thing to like about Kerio MailServer 6 is that it just works. It sits there and does its job of delivering, sorting and sifting emails, storing calendar, tasks and notes while demanding zero attention from me.

And that makes it worth every penny of the price I paid for the licence to use it.

Choosing a Linux distro (part 2)

By now I’d done my fair share of reading up on the current state of Linux and how to get it to work as a server back-end for a Windows desktop environment. I was pretty confident that a recent Linux build with recent Samba version would handle the domain control (network authorisation) and file sharing tasks. So my mind turned back to the choice of software to replace Exchange Server as my email and PIM back-end.

There are a number of Linux based email server products that claim at least some level of Exchange compatibility:

For links and reviews of most of the competitors try the ServerWatch web site at http://www.serverwatch.com/stypes/index.php/TWFpbA==

I had just tried Scalix with the Xandros Server product that I had been forced to send back. Exchange “compatibility” can mean many things it seems. To Scalix it seems to mean that they might provide (I never found it) an Outlook plugin that makes their back-end server look like Exchange. Of the promised migration tools there was no sight. I was not alone among the user forums in experiencing a distinct level of underwhelment with Scalix!

Open Exchange looks like a possible contender. It’s available in commercial and free variants with an Outlook plugin (the “Oxtender”) that – again – promises to make the back-end look like Exchange to Outlook. I haven’t tried it.

The reason is that I – somewhat belatedly – remembered that I have previously used Kerio MailServer as a (then) cheaper replacement for Exchange Server in several client installations - and all had worked very well. Again the product relies on an Outlook plugin (this time called the “Kerio Outlook Connector”) to connect the Outlook desktop client to the back-end server.

Why all these connectors? Well, Microsoft being Microsoft, Outlook and Exchange (OE) not only use proprietary protocols to communicate with each other; MS also keeps the details of those protocols close to its corporate chest. In the Open Source arena there is a surprising and woeful lack of standards for groupware message exchange. This is a subject I may come back to in a later post as – to this grey-bearded old software designer – it encapsulates a lot of the problems that beset the Open Source community and prevent wider up-take of the technology and product offerings.

So – anyone who wants to provide a back-end email/groupware server and wants any kind of market share needs to address Outlook (I haven’t looked up the figures lately but it is surely the dominant email client in the corporate world) – and that means at the very least writing a connector to bridge the gap.

Why is Exchange so important?

Why, you may ask, is Exchange compatibility so important to me? At heart, it’s because I travel. And when I travel, I don’t always want to carry a laptop with me or be reliant on Internet cafes to catch up with email and my diary. For several years, I have carried an IPAQ combined PDA/cellphone that runs the Windows PocketPC operating system – this wonderful device has GSM (mobile phone), Bluetooth and 802.11b WiFi access built in and does a pretty good job of providing me with telephony (expensive cellphone and cheap VOIP), email, contacts database, diary/calendar, todo reminders and all my notes on which I rely so much. It synchronises with Outlook and my desktop file system as soon as I get it in reach of my desk.

For the past year, I have also carried a Nokia N70 mobile phone. This has most of the functionality of the IPAQ (lacking the WiFi connectivity and decent screen size) including all the essentials of email/calendar/notes. Again, it synchronises automatically and seamlessly (via Bluetooth) whenever it’s near my desk. The advantage of the Nokia over the IPAQ is its size and its 3G plus quad-band cellular access.

2007 is looking likely to be the year when these two devices get replaced by a single device like the soon to be released Nokia N95 that (if its screen is as good as claimed) should offer everything the combined IPAQ/N70 provides in a smaller (read “more pocketable”) package and with better integration of the cellular and VOIP telephony for good measure.

This mobile access to all my important data at all times has been a personal holy grail for over 25 years. And my quarter-century-old prediction that we would all, one day, be wirelessly interconnected with access to data held privately back at home or publicly has become a reality.

In fact, there’s quite a choice of devices that you can carry round with you to gain remote access to data and people using email, web, file transfer, speech and video calling. And they use a fair variety of platforms and technologies to achieve these goals. But regardless of platform, technology, vendor or format, the one common denominator among almost all of them is that when it comes to synchronising data changed while you are on the move with the master copy back at the ranch, or getting updates of data added or changed on the servers, they will all work with Outlook/Exchange.

Moan as we may about monopolies, the fact is that the makers of these devices (sensibly) follow the market … and the market is led by Microsoft – so strongly in fact that even devices that don’t use Windows based operating software (such as the Nokia, Symbian based phones, Blackberries, Palm Treo etc.) all sync up with Outlook/Exchange.

And very, very few offer any kind of alternative – and none will sync with (say) Thunderbird or other non-MS email/PIM clients.

My researches did reveal a few projects and even a couple of working programs that replace the ailing ActiveSync technology that MS foists on mobile users with a more flexible and open alternative. But – here’s the rub – with mobile device technology moving at a pace that sees new devices released daily with an expected life cycle of maybe a year or two at best, the alternatives are never going to keep up. What works today will almost certainly not work tomorrow. Or, an update to the phone/PDA firmware will suddenly break that all important connection with home.

Like it or not, Outlook/Exchange – for me at least – is a must-have. Or at least compatibility with OE …

Choosing a Linux distro

These days, there is a truly bewildering choice of Linux distros out there. From the “roll your own” versions out on the bleeding edge of the development curve through commercially supported offerings such as Red Hat right up to (by my standards for this project) mega-expensive products from the traditional enterprise-class vendors such as HP, Oracle, Novell etc.

A word about money

Before looking at what I chose and why, it’s worth looking at the budget I had for this project. In moving away from Windows I was writing off a sizeable (for an individual) chunk of change invested in the server operating systems and software. My goal was to replace software that was proving far too costly – in management time and poor reliability – with functional alternatives that would be easier to manage and less costly to run – in both time and pounds sterling!

My Microsoft server environment harks back to my time as owner of an international software development company. In company terms, a few thousand pounds spent on something as essential as email and company-wide network access controls is small change. At garage level, those costs are witheringly unaffordable. To be fair to Microsoft, if I were starting from scratch and buying an MS server environment, their Small Business Server (SBS) product provides most of what I need. For $600 per copy I’d get the base OS, Exchange Server and a primitive firewall. This would buy me 5 user licences, which barely covers my needs, and once you exceed this figure, costs start to escalate enormously – especially as I’d be buying licences twice over (once for each server) or have to forego the backup and security of the two-server approach I was used to.

I set a purely arbitrary budget figure of $500 for my Linux replacements – as much to see what could be achieved for this small sum as to keep expenditure in scale with income. Xandros Server fit this budget pretty well (for a single server licence with Scalix email thrown in) and would have only exceeded it slightly once a second OS licence had been purchased. But, Xandros didn’t work.

Time to rethink the way to spend the budget.

My kingdom for a reliable server OS

After wasting what became a fortnight with Xandros Server I took the sensible decision to throw the thing back at the company and demand a refund. I eventually got most of my money back, though for some reason they thought they were entitled to keep the shipping charge they made – even though their product doesn’t work! Bad product = Bad company.

Ditching Xandros left me back at square one – servers still running Win2k3 and no Exchange replacement.

My intention in using Xandros had been simple enough – replace the email server OS and application with a non-MS alternative – while retaining Exchange compatibility so that all my PIM data could be held centrally – and in a way that allowed synchronisation with my PDA and phone.

Behind that simple requirement, of course, lies a morass of complexity. For a commercial-grade network, the most important task performed by a Windows server is domain control – the central management and control of access to all network resources. Only after this basic requirement is met can you go on to provide network file shares, web and email services etc. In the classic Windows networking scheme, one (and only one) server acts as the Primary Domain Controller (PDC), holding the master copy of all login IDs and security authorities. One or more other servers can act as Backup Domain Controllers (BDCs), answering login and access requests from a copy of the security database that is automatically synchronised with the PDC. Since Windows 2000 Server, this basic mechanism, with its poor mix of MS proprietary (e.g. WINS) and open services (e.g. DNS), has been supplanted by Active Directory (AD) – still MS proprietary but easier to manage and automatically updating DNS etc. My Win2k3 domain was AD based.

In part, Xandros’ failure to live up to its promises is down to the fact that it uses the well-known and well-established Samba software to provide Windows-style domain services. None of which is a criticism of Samba, which is one of the best established, most reliable and useful Open Source projects around, backed up by people who really know their stuff and are very happy to support their “product”.

Simply put, Samba does not (at the time of this writing) support or understand Windows Active Directory – it only supports the older PDC/BDC mechanisms. More than this, interoperability between Samba domain controller services and their Windows equivalents is severely limited – you can’t, for example, have a Samba PDC with Windows based BDCs – or vice-versa. For my simple needs, these restrictions would not be a problem – but they do mean that planning the migration from Windows to Linux server technology required a little thought. And again, for my relatively simple needs (and, I suspect, the needs of most small to medium sized businesses) the lack of AD support would not be an issue, especially as it’s not that hard to have a Linux DHCP service update a DNS domain automatically so that XP (and soon-to-be Vista) based PCs wouldn’t have to bother with the creaky old MS WINS directory service to find each other.

Xandros Server

I’ll cut this short. Xandros was a disaster. For the full background story, see this thread in the Xandros forums. The product offers much – tying a collection of Open Source projects and packages together under a proprietary umbrella of management tools that promises Windows like integration and full interoperability with Windows network environments. The documentation provided is among the best I’ve seen in the Open Source community.

The problem is a simple one – it doesn’t work. At least the early release version I tried doesn’t and the problems I encountered with the product tell me that a LOT of work (possibly even a fundamental rethink of how they’re trying to achieve their objectives) is called for. I went so far as to say that they should not be taking money for this product right now.

Wednesday, February 14, 2007

Time to dust off those UNIX skills …

You may recall that in the time BTM (Before The Move) I had started looking and planning to replace Exchange Server/Outlook as my principal email programs. Work on this was underway (though temporarily stalled) when the Trojan struck.

Quick recap: The garage houses four servers:

  • two were running Windows 2003: the PDC for the domain (login services and central storage for the PCs round the house) and the mail server
  • one was running Linux (Centos) as the host for the Asterisk PBX (VOIP phone system)
  • the fourth is an old tower PC now crammed with large hard drives and running a stripped down Linux providing a backup store for the rest of the network of machines via NAS

The Trojan attack – and especially the cost to me in time and effort – was the nail in the coffin for Windows 2003. Though both machines were up to date with patches and protected by several layers of protection they still got hit and the fact is that Microsoft’s operating systems (especially the server versions) are too attractive to “the bad guys”.

Though it’s been a few years since I last used Linux in any serious way, I had been reading that the various new versions and distros had come a very long way in terms of usability and (relevant here) ease of management. So, after doing a lot of reading and research on the web I took the plunge and bought a copy of Xandros Server – a commercial Linux variant that includes a small-business copy of the Scalix email server that claims to offer full Exchange compatibility.

The servers are dead – long live the servers!

The reason things went quiet here between late October and December are easy to understand: TWO house moves (my own mega-move that formally finished on 11th November but dragged on till past Christmas) and Adam’s move to his new bachelor-pad in London. Throw in the completion of my first issue as editor of iL TRIDENTE magazine and the general mayhem that preparation for Christmas always involves in this household and there you go ... time gone!

The plan was to get Christmas out of the way then get back to writing and being generally productive in a form that didn’t involve trips to IKEA and hours assembling office furniture.

It wasn’t to be.

In mid-December both the Win2k3 servers were hit by a zero-day Trojan. This was despite protection that included a hardware firewall and live-updated anti-virus and anti-spyware software on both servers, plus similar protection down to packet level within the mail server software. The first sign I had that anything was wrong was slow Internet connections. When I checked, the activity indicators on the router and modem were solidly lit – not the normal case round here. Just as I was pondering the cause an email arrived from my ISP advising me that my network had been reported as a source of spam … Aaaaarrrrrggghhhhh!!!!

Sure enough, both servers had been compromised and were spraying out junk mail at a rate of several hundred messages per minute. In the few gaps this left in my outbound bandwidth, they were also sending out port-probes methodically working their way through several IP sub-nets at the command of their new masters looking for other systems that the Trojan could compromise.

Now, despite all the protection in place here (protection I’d still say is among the best available) a successful attack like this is a risk run by anyone with a computer connected to the ‘net. Especially servers as they generally sit on fast pipes connected directly into the ‘net so can do the most work for the crooks behind the Trojan. My own servers sit on a domestic ADSL line with upstream bandwidth of only around 500-800kbps (my main web servers are hosted elsewhere) so they lucked out with me but even so, they managed to get several tens of thousands of spam messages out before I discovered and could solve the problem.
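The two symptoms described above (a host pumping out spam and a host sweeping through sub-nets) are exactly what a firewall log will show long before the ISP writes in. As an added example (not from this post), here is a small Python script that flags both in netfilter-style firewall logs; the log lines, the 192.168.1.0/24 LAN prefix, the host addresses and the thresholds are all constructed assumptions.

```python
"""Added example: spot the two symptoms described in the post in firewall logs.

The log lines below are CONSTRUCTED in a simplified netfilter LOG-target
format (real lines carry more fields such as LEN and TTL); the LAN prefix,
hosts and thresholds are assumptions, not values from the post."""
import re
from collections import defaultdict

INTERNAL_NET = "192.168.1."   # assumed home LAN prefix

# Timestamp (to the minute), source, destination and destination port are all
# we need; the seconds and everything after DPT are ignored by the pattern.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ kernel: FW: "
    r"IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse(lines):
    """Yield one dict per line the pattern recognises; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"]) if e["dpt"] else None
            yield e


def mass_mailers(events, per_minute=60):
    """Internal hosts whose outbound SMTP (port 25) connections exceed per_minute
    in any single minute. A real mail server sends tens per minute; a spam bot
    sends hundreds. Returns {src: peak connections in one minute}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["src"].startswith(INTERNAL_NET) and e["dpt"] == 25:
            counts[e["src"]][e["minute"]] += 1
    peaks = {src: max(c.values()) for src, c in counts.items()}
    return {src: n for src, n in peaks.items() if n > per_minute}


def sweeping_hosts(events, min_distinct=20):
    """Internal hosts that contacted at least min_distinct different external
    addresses (the 'working methodically through sub-nets' symptom).
    Returns {src: number of distinct external destinations}."""
    seen = defaultdict(set)
    for e in events:
        if e["src"].startswith(INTERNAL_NET) and not e["dst"].startswith(INTERNAL_NET):
            seen[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in seen.items() if len(d) >= min_distinct}


def _line(minute, src, dst, dpt):
    return (f"{minute}:07 gw kernel: FW: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40000 DPT={dpt} SYN")


# Constructed sample: a legitimate mail server, a mass-mailing host and a scanner.
CONSTRUCTED_LOG = (
    [_line("Dec 14 09:00", "192.168.1.20", f"203.0.113.{i}", 25) for i in range(1, 6)]
    + [_line("Dec 14 09:00", "192.168.1.10", f"198.51.100.{i}", 25) for i in range(1, 151)]
    + [_line("Dec 14 09:01", "192.168.1.11", f"192.0.2.{i}", 445) for i in range(1, 61)]
)


def report(lines=CONSTRUCTED_LOG):
    events = list(parse(lines))
    return mass_mailers(events), sweeping_hosts(events)


if __name__ == "__main__":
    mailers, sweepers = report()
    for src, n in mailers.items():
        print(f"{src}: {n} outbound SMTP connections in one minute")
    for src, n in sweepers.items():
        print(f"{src}: contacted {n} distinct external addresses")
```

A spamming host will usually trip both detectors at once, since each message goes to a different recipient mail server; the thresholds need tuning to what the real mail server on the LAN normally does.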

And the cost …!!

Like many people these days, I rely on email – as do the family and friends who also have email addresses here. So just “pulling the plug” was not an option unless I had a way of getting at least the email server back on line without too much delay.

More importantly, the other server also provided a raft of network services to all the other machines, so taking it down causes everything else to collapse with a delayed but still inevitable certainty. Not good. Having identified the nature of the beast, my first approach to fixing the problem was to download the removal tools and patches from the AV vendors and MS. So … both machines taken off the network (internal and external), removal software run – check OK – then patches installed.

Reconnect to Internet and ….

… BOOM! The blasted Trojan was back again!

Several hours later and it was obvious that the Trojan removal software had not done its work. Despite its efforts and mine (painstakingly trawling through system files all over a large server is NOT fun) it had managed to conceal some part of its payload somewhere that would take more time than I had or wanted to spend playing detective to find.

At this point, I want to restate that tired old advice to everyone who has or uses a computer anywhere for any purpose. Back it up. In fact, do more than that. Back it up in a way that allows you to go back and restore it to any point in time. If you’re sensible, you’ll back up the backup too.

Thankfully, that’s pretty much what happens here. I’ve used Acronis to back up both servers and PCs to a large NAS server at least nightly with other specialised software archiving the email repository and other fast-updating files in almost real time.

Plan B swung into effect. Machines taken off the Internet and restored to the point a few hours before the Trojan struck. Next the patches were installed to prevent the crooks getting back in the hot seat. Finally, the email and other databases were rolled forward to their last current position and, with a deep intake of breath, the servers were put back on-line …

Plan B worked. The servers stayed clean – though monitoring the firewall saw several thousand attempts by other distributed servers to talk to the now exterminated Trojans.

Catchup

Hmmm … three months since I last posted here … where were we? Ah yes – the new network at the house. And the search for replacements for Outlook/Exchange Server.

Lots to catch up on so I’ll break it down into several posts. Network first …

The network is running splendidly. All the machines that have wired connections (that’s all the servers in the garage and my office and recording PCs) have gigabit connections to each other and file transfers now take place at speeds limited by disk transfer rates rather than network bandwidth. The wireless segment runs flawlessly too. The Linksys WRT54GS (with replacement firmware – something I’d definitely recommend) is sitting inside the loft at the top of the house providing a strong, 54Mbps link to each of the laptops and a solid 11Mbps to my IPAQ handheld. As for range, it’s great for what I want.

I have SJphone (http://www.sjlabs.com/sjp.html) installed on the IPAQ so that when I’m away from home I can still receive and make calls using the Asterisk VOIP exchange in the garage at free/cheap network rates rather than the ludicrous rates charged by mobile (cell) phone companies, especially for international calls. This works extremely well – when away from home I just login to a WiFi access point and make calls while checking email and browsing the web. When at home, the IPAQ naturally connects up to the wireless network in the house so, if I wanted to, I can make and receive calls using it. Usually I don’t as I have a better phone on my desk (an Aastra 480i) but – here’s the good bit about the new network – the wireless extends to the garage and to the bottom of the garden. Which means that I don’t have to remember to carry one of the house mobile phones round with me – I just carry the IPAQ as normal – it already handles both cellular and VOIP calls.