Koozali.org: home of the SME Server

SME - How secure?

SuperFly

SME - How secure?
« on: August 18, 2004, 07:22:41 PM »
Hi

I am considering using SME server for a site that needs something easy to administer and so forth. The site has just under 50 employees with a few of them being on the road so the Web mail option is great but I am a bit worried about security. How secure is SME? I know it's a question of how long is a piece of string but what do the experienced guys have to say?

Also, from my findings SME uses sendmail. Am I correct? Could I change this to Postfix?

Will I be able to block most ports, run IP tables, run portsentry, nmap and so on? Does it have its own firewall software?

How easy is it to update?

Can I create aliases for users? Some people are going to need a number of email addresses. Could I forward mail to another POP3 account? Say a free service or something?

If I decided not to use Webmail, can users on the road download through POP3?

Thanks for all the help.

Offline Boris

Re: SME - How secure?
« Reply #1 on: August 18, 2004, 09:05:04 PM »
Quote from: "SuperFly"
Also, from my findings SME uses sendmail. Am I correct? Could I change this to Postfix?
You are not correct.
It uses qmail with SMTP-front, and built-in rules prevent abuse of the email subsystem.

For your requirements SME fits perfectly in the design. If you don't do anything stupid and not recommended for use on firewall or beyond SME design concept, it’s fairly secure and very stable. Most (all) of your requirements are fulfilled with the stock options. Add Antivirus/Antispam solutions and you are ready to go.
...

SuperFly

SME - How secure?
« Reply #2 on: August 19, 2004, 12:40:16 PM »
Thanks for the reply

I think I will download it and give it a try, I'll mess around with it for a while before I decide to use it so that I'm a little more confident. What do you mean by "If you don't do anything stupid and not recommended for use on firewall or beyond SME design concept"?

Offline Boris

SME - How secure?
« Reply #3 on: August 19, 2004, 07:54:01 PM »
Typically new kids who want a one-box-do-it-all setup are asking about installing X Windows, game servers, p2p clients, compilers, etc. on the production server/firewall. That is stupid. A firewall should have minimum visibility, and the default package selection is mostly sufficient. Choose carefully any additional software for installation and use “tailored for SME” packages where possible. Start with stock options; after you learn SME specifics and internal structure (after a few reinstalls :)) add add-ons one by one, like System-monitor, Antivirus, Spam filters etc. Once you have achieved the desired minimal usable configuration, declare it “production”, leave it alone and do further testing on a separate internal test/development server.
...

SuperFly

SME - How secure?
« Reply #4 on: August 20, 2004, 09:31:58 AM »
Okay, well the plan is to use it as a mail and file server so I'm not going to be trying anything stupid. Thanks for the help. I'll download it ASAP and check what it can do. I'm sure that it will be more than fine for what I want it for but after reading a few posts around here I doubt that I will enable the Webmail option and rather have the external users just download their mail. I am also going to have to do some sort of traffic shaping but I will work that out, I'm sure there is a contrib for that already anyway.

Offline StuC

SME - How secure?
« Reply #5 on: August 22, 2004, 12:46:02 AM »
"I doubt that I will enable the Webmail option and rather have the external users just download their mail"

I may be wrong here, but from a security viewpoint normal POP/IMAP mail is to be avoided as the user is passing his/her username and password over the net.

pagefault.org have an SSL mail option that could get over that or at a push (for a few people only) give people duplicate log-ons that have no access rights to files or VPN, at least that way if the user/password is sniffed they don't get credentials that are useful on your server. Forward the mail for the real user to the duplicate user. joe.blogs logs on for email as joebloggs-mail or similar.

Just because I'm paranoid doesn't mean I know what I'm talking about  :-o

Offline Boris

SME - How secure?
« Reply #6 on: August 22, 2004, 08:43:40 AM »
Webmail via HTTPS is secure enough and included with the SME. It is OK to use and it doesn't put your server at big risk.
...

Offline arne

SME - How secure?
« Reply #7 on: August 22, 2004, 04:07:45 PM »
Have used SME server for years, privately and at work. No problems at all. I think web mail via SSL is much better (safer) than the Windows Outlook client. Have always written my own firewall scripts and used them as a replacement for the standard firewall. If the SME server is installed as "server only" and not as gateway it is no problem to run a firewall script, like any other 2.4.x Linux.
......

SuperFly

SME - How secure?
« Reply #8 on: August 23, 2004, 10:51:20 AM »
Quote from: "StuC"
I may be wrong here, but from a security viewpoint normal POP/IMAP mail is to be avoided as the user is passing his/her username and password over the net.

pagefault.org have an SSL mail option that could get over that or at a push (for a few people only) give people duplicate log-ons that have no access rights to files or VPN, at least that way if the user/password is sniffed they don't get credentials that are useful on your server. Forward the mail for the real user to the duplicate user. joe.blogs logs on for email as joebloggs-mail or similar.


The main reason for me saying this was due to a post about spam being pushed through a server. The dude mentioned that as soon as he enabled Webmail he started having problems. I will take a look at it all when I download it.

Quote from: "StuC"

Just because I'm paranoid doesn't mean I know what I'm talking about  :-o


You are a funny guy!!

SuperFly

SME - How secure?
« Reply #9 on: August 23, 2004, 10:53:08 AM »
Quote from: "arne"
Have used SME server for years, privately and at work. No problems at all. I think web mail via SSL is much better (safer) than the Windows Outlook client. Have always written my own firewall scripts and used them as a replacement for the standard firewall. If the SME server is installed as "server only" and not as gateway it is no problem to run a firewall script, like any other 2.4.x Linux.


The box will be running as a gateway