Here are my $.02, YMMV.
1) Security should always be layered (belt & suspenders / whatever).
2) If the site is large enough to warrant the expense, I don't run anything on the firewall other than NAT, packet filtering, and IPSec.
3) HTTP Proxies (both ways), smtp proxies, web servers, etc., all go into separate DMZs. VLANs and Cisco switches are your friends.
4) I'm not a big fan of Symantec as a corporation, but Symantec Antivirus Corporate Edition is pretty easy to lock down and make reasonably user-proof at a site. Remote Admin is not bad at all (you'll need to remote-control a local server). My main gripe - they really want you to use a Windows box as the local update & quarantine server. It's my understanding that you can do some clever stuff with ftp, but I've not taken the time to figure it out.
5) If you want a no-brainer inbound MX proxy, spam filter, and virus blocker, check out Barracuda Networks. Their products are very reasonably priced (small site can be up and running for $2K, clustered solutions start at $12K, both figures include first year's maintenance contract), and they are dead simple to install and maintain. No per-user or per-server licenses - you pay a flat fee for the boxen, and a flat fee for annual maintenance. This is one of those areas that can eat up a lot of time if you let it; I 'outsource' the problem. They're also based on F/OSS if that makes you happy.
Smith wrote:
After mulling over the idea of having a virus/spam filter on an MTA, I believe that the best solution is to use an enterprise anti-virus program like Norton Anti-Virus and an email client that supports Bayesian spam filtering. The setup should be where the anti-virus server downloads the latest updates and sends them to each Windows workstation to update their Norton Anti-Virus client. Why?
1. If you have a bunch of Windows workstations, you would need this setup anyway even if you have a virus-filtered MTA. A virus-filtered MTA couldn't stop CEO John Doe from getting infected if he accessed his Hotmail account. Or Jane Smith from taking her laptop home, connecting it to her cable modem, getting infected, and then infecting everyone else when she comes back to work. Or Jack Daniels bringing in an infected floppy disk.
2. Have the workstations do all the work, not the MTA.
3. No need to add 3rd party software to your MTA, thus avoiding security holes and program bugs.
4. If spam gets through, have the email client do all the work with Bayesian spam filtering, not your MTA.
But of course, I say this based off the assumption that your MTA is OpenBSD using sendmail and OpenBSD's spamd. Why?
1. No need to add 3rd party software. Thus you take full advantage of OpenBSD's quality assurance and security auditing. Plus you don't have to keep track of all the security and bug issues of each 3rd party software you install, just OpenBSD.
2. Most viruses and spam come from a compromised machine (typically Windows) that acts as an unauthorized MTA. If you use OpenBSD's spamd, receiving viruses and spam from them is mitigated.
Those are just my thoughts; I'm interested in any constructive criticism.
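Smith's point about letting spamd absorb mail from compromised machines, as an added configuration example that is not part of the original thread: greylisting spamd in front of sendmail with pf, using the 3.x-era rc.conf knobs and rdr syntax. The interface name and the hourly blacklist refresh are assumptions.

```pf
# /etc/rc.conf.local -- enable spamd with greylisting (3.x-era knobs)
#   spamd_flags=""
#   spamd_grey=YES
#
# /etc/pf.conf -- redirect untrusted SMTP senders to spamd on 127.0.0.1:8025
ext_if = "fxp0"                 # assumed external interface name

table <spamd> persist           # blacklisted sources, filled by spamd-setup(8)
table <spamd-white> persist     # hosts that passed greylisting; spamd adds them

# Known-bad sources talk only to spamd, which stalls them and never relays.
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port spamd
# Anyone not yet whitelisted is greylisted (temp-failed) until a proper retry.
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd
# Whitelisted hosts reach sendmail directly; no third-party code in the MTA path.
pass in on $ext_if inet proto tcp from <spamd-white> to any port smtp

# root crontab -- refresh the blacklist from the sources listed in spamd.conf(5)
#   0 * * * * /usr/libexec/spamd-setup
```

sendmail must be started so that it listens on $ext_if, since the OpenBSD default sendmail_flags bind it to localhost only.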
L. V. Lammert wrote:
We're planning on upgrading some mail servers with 3.7, .. but we're having an internal 'debate' over the architecture.
Keeping things simple (sendmail - don't need another MTA debate!), the question is three-fold:
1) Vilter/Milter - using sendmail to scan incoming messages in realtime.
Pro: Reject messages before being accepted.
Con: Possibility of locking up sendmail daemon; performance hit for large messages.
2) MailScanner - passing emails to external programs for scanning virus/spam.
Pro: Can be restarted automatically if a scan crashes.
Con: Messages are accepted even if invalid.
3) Amavisd - alternative to MailScanner, same architecture
4) Cyrus - doesn't seem to be a package nor complete port in the tree?
There are a variety of notes available, but not a lot of good information about *why*. Prefer to stay with sendmail as it's in the base install, and we have used SM/MS/ClamAV/SA in the past with some success, so there's a little inertia towards that solution.
Any pointers to good resources for details would be greatly appreciated.
Lee