
Zimbra Open Source vs Exchange 2010?

  • 07-02-2014 11:27pm
    #1
    Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭


    Hi guys,

    I'm involved in a small project to set up a mail server for a max of 50 email accounts. I've come to the conclusion that our main option is to go with Exchange (on SBS 2011) or Zimbra Open Source.

    Zimbra is open source, free, and it runs on Linux, so is much more secure.
    It can facilitate address books, calendars, email and tasks. It also integrates with AD. Calendars do not matter, though synced address books would be handy.

    Exchange 2010 on the other hand is not open source, certainly not free but integrates nicely with Outlook and AD. It is not as secure, and will go out of date. It also works nicely with Windows Phone. It already has been bypassed by 2013 and SBS is now on end of life.

    My question is which one should I go for? I'm reluctant to go with Exchange, but it drinks system resources like hell, and is not as light as Zimbra. But of course, Exchange is widely used. I would be interested to hear what experiences anyone has had or if they have any recommendations?

    Office 365/Google Apps not an option due to data protection, apart from the recent revelations regarding the NSA, not that any emails would be of interest to them but it leaves another hole.

    Thanks


Comments

  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    Does either fit in to your current backup solution?

    Who will support it once it's installed? Do they have the required skillset?


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Kinet1c wrote: »
    Does either fit in to your current backup solution?

    Who will support it once it's installed? Do they have the required skillset?

    Both do. Exchange would have more functionality for backups, whereas I would most likely run a script for Zimbra.

    I would. I've worked with Exchange before. The management of it isn't a problem, I'm looking for others' opinions on which is best. Thing with Zimbra is that it is open source and probably more secure.

    It would never hit 50 in the next few years. More like 20.

    MS Exchange is appealing to me more so now, that with hosted security and mx backup should do it. What do you think? Though it's already been surpassed by 2013, and doesn't work well with other OS's in terms of clients. All of them at the minute are Windows.


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Hi,

    I'm using Exchange on SBS 2003/SBS 2007/SBS 2011.
    I'm using Exchange on Server 2003 / 2008.

    I never had to call Microsoft for issues and in case that support has expired for SBS2003 or Exchange 2003.
    I'm not so worried that SBS 2011 is end of life as the younger one SBS2003 is still running fine in some sites.
    They were surprisingly not supporting Exchange 201X on Server 2012 and now they've changed it around (afaik).

    "They" will push you so much to move away from local Exchange and /or SBS in to their locked "single option / single vendor" ... "all the NSA hands" in the cloud !
    "They" will not see me recommending to my clients to move to cloud hosting ! I will walk away if a current / potential client requests cloud based implementation !


    Re Zebra not familiar either, but open source, who's going to implement, support, update or ... speaking same language !?
    If you currently have Windows based Active Directory, get all of them in same language better in the long term. You may see a customized update from Microsoft that blocks/restricts connectivity from third party in to their AD database version 201X ! :)

    Re security...what a joke ! They has, had, have and will have access to your data no matter where you keep it ! "Only" if they want or need it.
    You need to protect your internal network with minimum settings against the children scripts and/or fcukers that have automated scripts that scans/guess easy overlooked settings in an easy quick scan of a range of IPs.
    Pay attention to such as stronger passwords, change of passwords every few days, use SSL on OMA/OWA, time-out on OWA sessions, enable accounts locking if login failed 3 times, remote wipe out of mobile phones, SMTP-TLS !

    Is like security on Wireless networks...you walk or drive around with a WiFi scanner on your phone.
    If you find a network called Eircom 1234 5678, ok, it may belong to a home user or a small office somewhere.
    BUT, when you find the WiFi called as the company name or business or place name...that will generate a desire to get inside and see what kind of rewards you can get ! I'll stop here but you get the point I hope.

    So, my friendly advice..."don't" listen to other techies long experience' backed advice ! :)

    Have fun...


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    Ughh.

    My concern regarding the NSA is that those backdoors that may exist are backdoors, albeit small ones it is still a concern. If there are back doors in Exchange, there is a possibility of a weakness in the system. Getting it hosted may be a DPA breach as data may be held outside the EU, forget it, it's not an option for me anyway. No email would be of their concern, boring crap, but more of a right to privacy concern.

    Could you recommend an anti spam and anti virus solution? My plan was to have a back up mx, and a gateway between the net and the server, running MailScanner (Clamav etc).

    In terms of security, that's a given.

    Thanks


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Antispam/antivirus... I guess the companies that create the antivirus in the front office have a "spare" budget to create the virus in the back office too... :)

    I'm using two options here:

    -cloud based in UK by these guys, I'm a partner with them for more than 10 years and I found them very reliable. The way the solution is implemented is doing the AS/AV and MX backup too.

    -local installation here OR here.

    Re back doors...as long as you're aware that they are present in the system, you're OK ! :)


  • Registered Users, Registered Users 2 Posts: 3 crisicon


    Hi Mr G

    It happens that I just had a look at Zimbra offer - installed the open source on a virtual machine to see the set of features. Nice.
    I then looked around for pricing and was shocked. For under 25 users it's not available, so the starting point is quite high in terms of budget.

    Once over that, it is still high because all the budget goes to just the email/collaboration tool, whereas with Windows SBS you get a little bit more, such as monitoring for the entire organization (basic, I know, but still...) and management tools, active directory deployment which integrates seamlessly with the communications and collaboration platform, etc.

    If you think about the fact that you have seamless mobile sync of email, calendar and contacts on all major mobile platforms (native, without the need to install apps) - SBS comes as a very good option.

    More than that, if you want to deploy all sorts of tools easily - from monitoring to security, from backup to remote desktop, I'd say MS is doing quite a good job for the small business market...

    I know MS software can be a pain many times but at the end of day ANY software has glitches and challenges along the way.

    If I would take in consideration performance vs security vs budget vs functionality, I'd say SBS rules so far - at least in the realm of small organizations with up to 20-30 users.

    Not that I love them unconditionally - any time I look for an inexpensive, secure and reliable private cloud solution - I first look on TurnkeyLinux, because that's where I can find most of the solutions in an easy to setup format.

    Security wise (NSA issue is just a popular talk, nothing more IMHO) - just monitor your traffic and look for patterns that are out of the ordinary, it's the ONLY thing you can do. Once your packets are out the gateway they're susceptible to be intercepted, de-crypted and reassembled then read, we should always be aware of that.

    Totally agree with Ctrl Alt Del - best way is to keep yourself informed and aware of what's happening... And also on GFI - been using them for more than 8 years and very impressed with the quality and features

    hope I didn't annoy everyone with a too long post :)


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    crisicon wrote: »
    Hi Mr G

    It happens that I just had a look at Zimbra offer - installed the open source on a virtual machine to see the set of features. Nice.
    I then looked around for pricing and was shocked. For under 25 users it's not available, so the starting point is quite high in terms of budget.

    Once over that, it is still high because all the budget goes to just the email/collaboration tool, whereas with Windows SBS you get a little bit more, such as monitoring for the entire organization (basic, I know, but still...) and management tools, active directory deployment which integrates seamlessly with the communications and collaboration platform, etc.

    If you think about the fact that you have seamless mobile sync of email, calendar and contacts on all major mobile platforms (native, without the need to install apps) - SBS comes as a very good option.

    More than that, if you want to deploy all sorts of tools easily - from monitoring to security, from backup to remote desktop, I'd say MS is doing quite a good job for the small business market...

    I know MS software can be a pain many times but at the end of day ANY software has glitches and challenges along the way.

    If I would take in consideration performance vs security vs budget vs functionality, I'd say SBS rules so far - at least in the realm of small organizations with up to 20-30 users.

    Not that I love them unconditionally - any time I look for an inexpensive, secure and reliable private cloud solution - I first look on TurnkeyLinux, because that's where I can find most of the solutions in an easy to setup format.

    Security wise (NSA issue is just a popular talk, nothing more IMHO) - just monitor your traffic and look for patterns that are out of the ordinary, it's the ONLY thing you can do. Once your packets are out the gateway they're susceptible to be intercepted, de-crypted and reassembled then read, we should always be aware of that.

    Totally agree with Ctrl Alt Del - best way is to keep yourself informed and aware of what's happening... And also on GFI - been using them for more than 8 years and very impressed with the quality and features

    hope I didn't annoy everyone with a too long post :)

    I was referring to the Zimbra Community Edition.

    Exchange would handle Windows Phones and remote data wipes, contact sync, calendars etc.

    So I've made my mind up I think. Set up is as follows:

    All traffic from port 25 to be forwarded to Linux gateway (With MailScanner). Port 443 for OWA forwarded to SBS. Linux gateway forwards clean mail to the SBS 2011 server which only accepts mail from the IP Address of the gateway. SBS server to have NOD32 with exceptions for Exchange to prevent corrupt logs. All clients have anti-virus installed.

    This with a backup mx service, highlighted especially due to what has happened in the past few days with the weather. I was looking at noip.com and dyn.com- what do you make of these mx backup providers?

    I think that should minimise the risk by having mail kept away from Exchange. That's my plan in a nutshell - through experience it is always better to plan out everything than rush into it.

    Thanks guys for your help. Any other tips appreciated.


  • Registered Users, Registered Users 2 Posts: 3 crisicon


    Mr. G wrote: »
    I was referring to the Zimbra Community Edition.

    Exchange would handle Windows Phones and remote data wipes, contact sync, calendars etc.

    So I've made my mind up I think. Set up is as follows:

    All traffic from port 25 to be forwarded to Linux gateway (With MailScanner). Port 443 for OWA forwarded to SBS. Linux gateway forwards clean mail to the SBS 2011 server which only accepts mail from the IP Address of the gateway. SBS server to have NOD32 with exceptions for Exchange to prevent corrupt logs. All clients have anti-virus installed.

    This with a backup mx service, highlighted especially due to what has happened in the past few days with the weather. I was looking at noip.com and dyn.com- what do you make of these mx backup providers?

    I think that should minimise the risk by having mail kept away from Exchange. That's my plan in a nutshell - through experience it is always better to plan out everything than rush into it.

    Thanks guys for your help. Any other tips appreciated.

    I was too referring to Zimbra Community Edition - perhaps I should have been more clear :) - Its lack of advanced features for mobility pushes the need to buy the network pro version which is expensive IMHO

    For the email flow I personally use the external (cloud) spam filter from GFI which has built-in redundancy and protection, plus allows me to open a different port for incoming emails - so I don't get hackers to attempt to push email bypassing the spam filter. This way, I get a lot of benefits:
    - spam and antivirus filtering with multiple engines
    - better redundancy (if my servers or internet are down, emails are held and users can check their emails online at the spam filter level)
    - simple, easy to use spam handling for users (they get a daily digest with links)
    and the cost is minimal, believe me :)
    Cheers


  • Banned (with Prison Access) Posts: 1,151 ✭✭✭rovoagho


    You can get a 15 seat licence for Zimbra NE, although that's not relevant to the OP as they need 50 seats. That's two 25 seat licences, so they don't need to worry about paying for more than they're using; at least not at the moment. Also, don't you need an underlying Windows licence for Exchange?

    OP, there are tools out there that'll let you do MAPI and ActiveSync on OSE, but obviously there's a bit of work and maintenance involved, and not everyone has the time for that or users that'll tolerate it. I don't. I've been using NE for several years though and I'm very happy with it, in fact my primary interface with Zimbra is the Web Client, and my phone of course.

    I would add though, that the company has changed hands three times in six years, lastly in September of last year, and their licencing has got more and more disorganised with each sale. Their last owner was VMWare and their licencing was appalling, but this year (under Telligent) I couldn't actually find an active reseller in Ireland or the UK, and ended up having to talk them into selling direct.

    I'm hoping they'll pull themselves into this millennium pretty soon, but six months is a long time in tech. I do love the platform though, and the open source origins. I couldn't recommend it enough. And I've never had a security issue. :)

    Backup is a piece of piss btw, it's backed up daily (full weekly, incremental daily) to /opt/zimbra/backup, so just make that an NFS mount and Bob's your uncle. If you need better than that, everything is stored under /opt/zimbra, so you could just run something near-CDP there.


  • Registered Users, Registered Users 2 Posts: 3 crisicon


    With SBS you don't need any other license (except for cal's) - just the hypervisor or the hardware.
    But interesting that info on 15 licenses for NE, I couldn't find any reseller to have less than 25 listed. Mind you, I haven't looked hard enough :)
    I think I'll put it back in my list of solutions to check more seriously


  • Banned (with Prison Access) Posts: 1,151 ✭✭✭rovoagho


    I didn't know SBS was VM-only, not much of a windows guy I'm afraid. (Or a VM guy for that matter, I like good old-fashioned hardware!) And like I said, their licensing is up in a heap. :)

    It's called Starter Edition, and it includes mobile, contrary to info you'll find on the web. It's also said to exclude Archiving & Discovery, but I haven't checked this. If you have trouble ordering it, I can send you a product code.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    crisicon wrote: »
    I was too referring to Zimbra Community Edition - perhaps I should have been more clear :) - Its lack of advanced features for mobility pushes the need to buy the network pro version which is expensive IMHO

    For the email flow I personally use the external (cloud) spam filter from GFI which has built-in redundancy and protection, plus allows me to open a different port for incoming emails - so I don't get hackers to attempt to push email bypassing the spam filter. This way, I get a lot of benefits:
    - spam and antivirus filtering with multiple engines
    - better redundancy (if my servers or internet are down, emails are held and users can check their emails online at the spam filter level)
    - simple, easy to use spam handling for users (they get a daily digest with links)
    and the cost is minimal, believe me :)
    Cheers

    Don't forget just to forward the ports from the firewall for their IP's. That way you shouldn't get infected emails from outside.
    rovoagho wrote: »
    You can get a 15 seat licence for Zimbra NE, although that's not relevant to the OP as they need 50 seats. That's two 25 seat licences, so they don't need to worry about paying for more than they're using; at least not at the moment. Also, don't you need an underlying Windows licence for Exchange?

    OP, there are tools out there that'll let you do MAPI and ActiveSync on OSE, but obviously there's a bit of work and maintenance involved, and not everyone has the time for that or users that'll tolerate it. I don't. I've been using NE for several years though and I'm very happy with it, in fact my primary interface with Zimbra is the Web Client, and my phone of course.

    I would add though, that the company has changed hands three times in six years, lastly in September of last year, and their licencing has got more and more disorganised with each sale. Their last owner was VMWare and their licencing was appalling, but this year (under Telligent) I couldn't actually find an active reseller in Ireland or the UK, and ended up having to talk them into selling direct.

    I'm hoping they'll pull themselves into this millennium pretty soon, but six months is a long time in tech. I do love the platform though, and the open source origins. I couldn't recommend it enough. And I've never had a security issue. :)

    Backup is a piece of piss btw, it's backed up daily (full weekly, incremental daily) to /opt/zimbra/backup, so just make that an NFS mount and Bob's your uncle. If you need better than that, everything is stored under /opt/zimbra, so you could just run something near-CDP there.

    Thanks. NE does look good. The benefit of Exchange is that there is Autodiscover and integration with Outlook. Zimbra CE looks to have too few features, whereas for Exchange it would be easy to manage.
    crisicon wrote: »
    With SBS you don't need any other license (except for cal's) - just the hypervisor or the hardware.
    But interesting that info on 15 licenses for NE, I couldn't find any reseller to have less than 25 listed. Mind you, I haven't looked hard enough :)
    I think I'll put it back in my list of solutions to check more seriously

    We would have CALs from AD users anyway.
    rovoagho wrote: »
    I didn't know SBS was VM-only, not much of a windows guy I'm afraid. (Or a VM guy for that matter, I like good old-fashioned hardware!) And like I said, their licensing is up in a heap. :)

    It's called Starter Edition, and it includes mobile, contrary to info you'll find on the web. It's also said to exclude Archiving & Discovery, but I haven't checked this. If you have trouble ordering it, I can send you a product code.

    We have an SBS license. SBS does not need to be installed on a VM, you can install it as a VM if you wish though. Running MailScanner on a VM using something like VMWare Workstation may be a smart option to save on power. A backup mx would help here if the server blows.

    To hell with Zimbra, I'll just go with Exchange. Easier to admin, already have SBS and can remote wipe devices :D


  • Banned (with Prison Access) Posts: 1,151 ✭✭✭rovoagho


    You can remote wipe with Zimbra. ;)


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    rovoagho wrote: »
    You can remote wipe with Zimbra. ;)

    Obviously not with the CE.


  • Registered Users, Registered Users 2 Posts: 133 ✭✭PlanIT Computing


    If sbs 2011 is setup correctly from the start you shouldn't have any issues.

    Make sure to use the wizards for everything - it likes them :)


  • Banned (with Prison Access) Posts: 1,151 ✭✭✭rovoagho


    Mr. G wrote: »
    Obviously not with the CE.

    Obviously, but you're not comparing like with like then. Zimbra open source isn't an exchange competitor, it's a groupware app.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭micosoft


    I used Zimbra a couple of years ago with about 400 accounts in a mixed environment (Windows/Linux). My thoughts were there was a lack of investment/development on it at the time and the ownership kept changing (Private, then Yahoo!, then VMWare, then Telligent Systems) over a short few years. Couple of odd issues (Java version running a specific hypervisor caused trouble with calendaring), technical support was poor (paid version), Outlook connector does not work reliably (just use their own client), client not that light, overselling collaboration capability, no staff familiar with it.

    TBH I'd only recommend if for some reason you had an IT section with strong Linux skills, and users who are happy with not using Outlook or something familiar (seriously - the number one consideration should be how quickly the userbase becomes familiar with the product).

    TBH I can't understand why anyone would bother waste time and effort setting up their own mail system in 2014. Take Google Apps or Office365. It's the ecosystem that's more important and you should be focused on integration with other services and reducing TCO.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    micosoft wrote: »
    I used Zimbra a couple of years ago with about 400 accounts in a mixed environment (Windows/Linux). My thoughts were there was a lack of investment/development on it at the time and the ownership kept changing (Private, then Yahoo!, then VMWare, then Telligent Systems) over a short few years. Couple of odd issues (Java version running a specific hypervisor caused trouble with calendaring), technical support was poor (paid version), Outlook connector does not work reliably (just use their own client), client not that light, overselling collaboration capability, no staff familiar with it.

    TBH I'd only recommend if for some reason you had an IT section with strong Linux skills, and users who are happy with not using Outlook or something familiar (seriously - the number one consideration should be how quickly the userbase becomes familiar with the product).

    TBH I can't understand why anyone would bother waste time and effort setting up their own mail system in 2014. Take Google Apps or Office365. It's the ecosystem that's more important and you should be focused on integration with other services and reducing TCO.

    Because the emails are transferred outside the EU it would be a breach of the Data Protection Act. Other than that, having our own server has a benefit in that email accounts can be closed (but emails are still kept), whereas with Google Apps you must pay per account and then it gets deleted. Using aliases is becoming increasingly difficult with the new Google Apps portal. There are other reasons but I have come to the conclusion that hosting ourselves is the only way.

    Exchange seems like the best solution. I will let you guys know how I get on in due course.


  • Banned (with Prison Access) Posts: 1,151 ✭✭✭rovoagho


    Personally, given the ongoing revelations via Snowden, I wouldn't put my data outside of Cork, never mind outside of Ireland. My hardware, my OS, my network, my certs, etc, etc.

    While the web client is my primary interface with Zimbra, I still use Outlook for things like tedious calendar work, and I've never had a problem bar issues with the interface between the computer and the seat. The only difficulty I had with the pseudo-Exchange stuff was ActiveSync calendaring on Android, which were ultimately caused by a WONTFIX mentality in Google, because of Google Apps. Fixed now though, finally.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭micosoft


    Mr. G wrote: »
    Because the emails are transferred outside the EU it would be a breach of the Data Protection Act. Other than that, having our own server has a benefit in that email accounts can be closed (but emails are still kept), whereas with Google Apps you must pay per account and then it gets deleted. Using aliases is becoming increasingly difficult with the new Google Apps portal. There are other reasons but I have come to the conclusion that hosting ourselves is the only way.

    Exchange seems like the best solution. I will let you guys know how I get on in due course.

    Do you have a link for that? It absolutely is not a breach of the DP act to host mail outside EFTA. As a many times DP officer it infuriates me the way the act is abused by so many agendas.

    There are a couple of different options for archiving old accounts but TBH they all just introduce discipline rather than leaving old mailboxes on your server. If you care for Data Protection you'll have a retention policy that will set out when mail is deleted in any case.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    micosoft wrote: »
    Do you have a link for that? It absolutely is not a breach of the DP act to host mail outside EFTA. As a many times DP officer it infuriates me the way the act is abused by so many agendas.

    There are a couple of different options for archiving old accounts but TBH they all just introduce discipline rather than leaving old mailboxes on your server. If you care for Data Protection you'll have a retention policy that will set out when mail is deleted in any case.

    That's what I thought but was told it was a breach. You know what, you're correct.

    http://www.google.com/apps/intl/en-GB/trust/data_protection.html
    Where personal data is to be transferred to a country outside of the EEA, one of the following additional conditions must apply:
    Transfer is to one of the following countries/territories: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay.
    Transfer is to a company in the USA covered by the EU-US "Safe Harbor" agreement

    Transfer is of advance airline passenger(PNR) data in accordance with the EU-approved arrangements for such transfer to the border authorities in the USA, Canada and Australia
    Transfer is within a group of companies covered by EU-approved Binding Corporate Rules
    Transfer is made using one of three EU-approved Model Contracts
    Transfer has the clear and unambiguous consent of the individual data subject(s)
    Transfer is either : authorised by law or by the Data Protection Commissioner; from a public register; necessary for reasons of substantial public interest; necessary in relation to certain contractual and legal proceedings; necessary to protect the vital interests of the individual.

    https://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/responsibilities/3ma.htm
    The US 'Safe Harbour' arrangement has also been approved, for US companies which agree to be bound by its data protection rules

    Google Apps are a member according to this:

    http://www.google.com/apps/intl/en-GB/trust/data_protection.html

    If they were not we may have an issue as asking permission isn't practical.

    Thanks for that. Though getting it hosted is not an option anyway. Just no.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭micosoft


    Sure but it's a real stretch to regard a mail system as a records system for personal information, so I don't think safe harbour is needed for the mail component. I suspect with Google Apps it's for the docs bit where you could conceivably construct a database of personal information. Given most mail transits the internet unencrypted the hosting of it would be bottom of my list re security of information. Put it another way, most enterprises use Salesforce for their CRM, a far likelier location for personal data.

    If you don't like hosted that's OK too, though my happiest day was ridding myself of managing and looking after 2000 mailboxes, spam, filtering, storage, performance, licensing, updates, upgrades, patches for what I deem a paltry sum by a cloud provider. My Op's team can now focus on value add stuff like enterprise mobility, mobile device management and BYOD.


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    I thought I would post back to help other users who are in a similar position as I was.

    In the end I went with Server 2012 and Exchange 2013. I know it's not advised to have everything on the same server but for a small business with approx 15 users at the moment altogether I decided against it.

    Overall, it is working well.

    A few tips:
    1) Get an external hard drive and regularly backup the server. Ideally plug it out afterwards in case the server gets a virus and gets encrypted.

    2) Disable Offline mode by default for OWA. It seems to take much longer to load when outside the network when Offline mode is enabled.

    3) Use an external antispam solution. I'm using Comodo to scan through email before it even hits the server and I have so far only had no false positives. I have mail allowed only from the IP's Comodo gave me. The antispam solution in Exchange is crap. I also got virus emails (until I blocked certain attachments).

    4) Set up a rule to delete any message that contains the following file extensions: .scp, .exe etc. You can also block executable files.

    5) The EMC is web based which makes it easier to manage remotely. Just keep in mind that it can be accessed remotely so set up a very secure password and change it frequently. Ideally set up an additional administrator account in case you forget the other password.

    6) Install an SSL cert. It adds to security and keeps users from complaining. To make it easier for them redirect http to https and / to /owa. Get a UC cert to include autodiscover.domain.com to prevent certificate errors showing up in Outlook.

    7) Make sure you don't forget to configure the hub transport roles correctly. In particular for the default hub transport role, manually select the NIC adapter and don't select automatic. I found when I had automatic set the mail server had a tendency to bounce back some inbound emails saying that the domain could not be found. It's some DNS thing but make sure you configure them right.

    8) I'm using the ISP's mail server as a smarthost as I haven't the time at the minute to worry about the server sending its own email. Because the fixed IP was a dynamic IP at one stage it was on a few blacklists so I aim to get these removed before setting this up. When I tested it the only server that marked it as spam was Outlook.com/Hotmail. I have reverse DNS set up however I have a feeling that it may not have propagated fully by the time I sent the email. Using a smarthost lifts a lot of weight off my shoulders.

    9) You can set up "policy tips" such as preventing credit card information being sent which is handy if some of your users are not the "careful" types.

    10) In the ECP, under Servers, set it up so users log in with just their Username and Password. It makes it easier than having to explain what the domain is to users.

    There are other security things I did, such as preventing "backscatter" but I won't go into them now.

    I will say that there are positives and negatives to the new OWA. Previously in 2010 it took a more traditional approach and is much warmer. In 2013 it matches Outlook.com and Outlook 2013 which makes the learning curve easier for users. You can restrict certain areas in OWA. You can set up themes etc to make it more appealing.

    Another feature is the mobile section. You can configure Windows phones with Exchange to meet certain security policies. You can even wipe the device remotely either by connecting it as a company app or by adding an Exchange email account (like in Exchange 2010).

    It took an hour to install and then a few hours to import users from another server.

    I hope to pull away from Comodo and onto an Irish cloud email scanner, in particular to Top Sec Technology, but I haven't time right now. Comodo was free (up to 5 users) but I have no users enabled yet. From what I can see, it is based on the amount of users that have access to the control panel rather than mailboxes.

    The main reason I went with Exchange was I didn't want the hassle of maintaining and being responsible for a Linux server. If it was my own business I would have used a Linux server and it would run perfectly but because of its limited integration for calendaring, contacts etc at the moment it wasn't practical. I would have loved to ditch Microsoft but hopefully if Zentyal and other exchange alternatives, such as SOGo, develop further there will be more of a choice.

    I did try Zentyal (which is run by a Spanish company) but found that SOGo had a number of bugs. Notably when going to the webmail interface remotely, it would redirect from .com to .lan. You must set up the domain as .com however you might have a problem using it as a domain controller. Another issue was it threw up a lot of errors and felt it still was in beta. I felt it wasn't ready for production. It is something I will look into again and has great potential. If I had the time I would definitely take a look at Zentyal again.

    Hope this helps.
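
Tips 3 and 4 above, and the earlier plan of having the mail server accept SMTP only from the scanning gateway's IP address, come down to two inbound checks: is the connecting peer an approved relay, and does any attachment carry a blocked extension. The sketch below is an added example, not part of the original post and not Exchange or MailScanner code; the function names, the relay ranges (documentation addresses) and every extension other than `.exe` and `.scp` are assumptions made for illustration.

```python
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: RFC 5737 documentation ranges stand in for the relay addresses
# a filtering provider (or your own scanning gateway) would give you.
ALLOWED_RELAYS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]

# ".exe" and ".scp" are the extensions named in the post; the rest are assumed additions.
BLOCKED_EXTENSIONS = {".exe", ".scp", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def relay_allowed(peer_ip):
    """True only if the connecting SMTP peer is one of the approved relays."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d as seen on dual-stack listeners
    return any(addr in net for net in ALLOWED_RELAYS)


def blocked_extension(filename):
    """Return the blocked extension a filename ends in, or None."""
    # Drop any path component, then the trailing dots and spaces Windows ignores,
    # so "update.exe. " is judged as "update.exe".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    return ext if ext in BLOCKED_EXTENSIONS else None


def attachment_hits(raw_message):
    """List (filename, extension) for every blocked attachment at any nesting depth."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into forwarded message/rfc822 parts
        filename = part.get_filename()  # falls back to the Content-Type name= parameter
        ext = blocked_extension(filename) if filename else None
        if ext:
            hits.append((filename, ext))
    return hits


def inbound_decision(peer_ip, raw_message):
    """Apply both checks in order and return (action, reason)."""
    if not relay_allowed(peer_ip):
        return ("reject", "peer %s is not an approved relay" % peer_ip)
    hits = attachment_hits(raw_message)
    if hits:
        names = ", ".join(name for name, _ in hits)
        return ("delete", "blocked attachment(s): " + names)
    return ("accept", "")


def sample_message(filename, wrap=False):
    """Constructed sample: one attachment, optionally forwarded inside another message."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    if wrap:
        outer = EmailMessage()
        outer["From"], outer["To"] = "sender@example.org", "user@example.com"
        outer["Subject"] = "Fwd: constructed sample"
        outer.set_content("Forwarding this on.")
        outer.add_attachment(msg)  # becomes a message/rfc822 part
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    cases = [("203.0.113.9", "notes.txt", False),      # direct-to-server delivery attempt
             ("192.0.2.5", "notes.txt", False),        # clean mail via the relay
             ("192.0.2.5", "Invoice.pdf.EXE", False),  # double extension, upper case
             ("192.0.2.5", "tool.scp", True)]          # blocked file inside a forward
    for peer, name, wrap in cases:
        print(peer, name, inbound_decision(peer, sample_message(name, wrap)))
```

Only the final extension is judged and archive contents are not opened, so this complements the gateway's virus scanning rather than replacing it.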

