Carrier class email security recommendation

I am in the process of sourcing for a carrier class email security
solution that will replace our current edge spam gateways based on open
source solutions. Some solutions that am currently considering are
Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
wish to know, based on your experiences, what works for you
satisfactorily. Areas that are key for me are centralized management and
reporting, carrier class performance, per mailbox policy and quarantine,
and favourable licensing for an MSSP. I know Ironport is rated highly in
this space but I find its per user licensing is not favourable for an
MSSP.

Regards,
Alex.

You have multiple options

1. Ironport / Fortinet etc gateways. [Not Barracuda - hardly carrier
class, enterprise grade more like it]

2. Outsource to a provider like Messagelabs or MXLogic that only
handles the spam filtering and lets you host your own mailboxes

3. Outsource to one or more vendors of hosted email services - Google
Apps, Microsoft BPOS, IBM Lotuslive etc

Your choice, based on what meets your requirements.

--srs (full disclosure - head, antispam @ ibm lotuslive)

Suresh,
I am more interested in option 1 and would want opinion from those with
experience on that.

Right. Just to add one more choice into your mix .. Bizanga is one
such vendor that I've seen deployed by carriers who want an appliance.
They were recently acquired by Cloudmark.

There are also "rate limiting .. kind of like netflow for email" type
devices - Symantec E160, and Mailchannels (mailchannels.com). These
might be worth considering for systemwide filtering after which you
can apply your own policies per user.

ps: About Barracuda - I am not aware, they may have a carrier grade /
larger scale product too. If you see one of those, or any other
vendor that meets your needs go for it.

-suresh

I am in the process of sourcing for a carrier class email security
solution that will replace our current edge spam gateways based on open
source solutions. Some solutions that I am currently considering are
Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
wish to know, based on your experiences, what works for you
satisfactorily.

Areas that are key for me are centralized management and
reporting, carrier class performance, per mailbox policy and quarantine,
and favourable licensing for an MSSP. I know Ironport is rated highly in
this space but I find its per user licensing is not favourable for an
MSSP.

On the other hand installing a FreeBSD system with QMail/Procmail and/or
PostFIX for the other stuff is a no-brainer especially with a Webmin
Management front end.

Regards,
Alex.

Alex there are many email systems out there - but make sure that
whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP
since this is how the GW is going to be able to put time-marks on
receipts which must have legal authority.

So that means any appliance system provider must have at least NTPv4
tested with both Autokey and symmetric-key and the new interface
specific ACLs in the 4.2.6 versions of NTP. Further the issues of the
ECC/Parity memory become important here because time is moved over UDP
and is subject to single-bit errors all over the place.

Todd Glassey

Webmin? Are you serious?

William

I am in the process of sourcing for a carrier class email security
solution that will replace our current edge spam gateways based on open
source solutions. Some solutions that I am currently considering are
Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
wish to know, based on your experiences, what works for you
satisfactorily.

Areas that are key for me are centralized management and
reporting, carrier class performance, per mailbox policy and quarantine,
and favourable licensing for an MSSP. I know Ironport is rated highly in
this space but I find its per user licensing is not favourable for an
MSSP.

On the other hand installing a FreeBSD system with QMail/Procmail and/or
PostFIX for the other stuff is a no-brainer especially with a Webmin
Management front end.

Webmin? Are you serious?

Yes William, but realize that was an "easiest method" solution. There
are any number of others as well.

The point is that integrating an appliance type functionality is pretty
easy if you bother to take the time.

What I really wanted to point out is how many of the devices don't allow
authenticated NTP, meaning they are worthless from an evidence
perspective, something that we as network engineers are constrained by
as well.

Todd

The man did say "carrier class" .. not "small webhost for four
families and dog". You're talking multiple mailservers + filtering
gateways / appliances etc, clustered .. rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.

And have you used / deployed any of those devices to claim they don't
support NTP? Or whether that's a bigger constraint than an
underpowered linux box? :slight_smile:

The man did say "carrier class" .. not "small webhost for four
families and dog".

yes he did Suresh ... meaning that something larger and more secure than
the off-the-shelf copy of Linux is needed. Funny the NSA and many others
would disagree with you.

You're talking multiple mailservers + filtering
gateways / appliances etc, clustered ..

or layered as stages within a new system design based on GPUs which
allow for the specific assignment of threads of control to specific
processes. Imagine a cloud type environment running in a single GPU with
the ability to properly map threads to GPU threads.

rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.

OK our server is 3U but that was because I wanted bigger fans inside
it... The 1U single TESLA based email GW is exactly what you describe -
a 512 thread CUDA based GPU with serious capabilities therein.

FYI CUDA, and the embedded nVidia GPUs changed that. Do you have any idea
how fast the email filters run in a CUDA? I do... and it's mindblowing.

Hell, the TESLA family of cards' 90 to 128 parallel threads of control
per GPU Core can be assigned through CUDA to specific processes and
whamo - more OS horse power than you know what to do with.

The high end cards generally have 2 or 4 GPUs making the total thread
count from 180 to 512 based on the model. The Pentium 4 sports a
whopping four (4) threads of control... 1 per core. We use 8800's for
end-node systems and the larger TESLA based service modules in scalable
production systems.

The cool part is running NTP in the embedded CUDA card with permanently
assigned TOCs (*threads of control) so that the process never blocks.
That and the 1PPS disciplining makes time available to everything in the
system.

As to whose appliances do and don't -

Alex there are many email systems out there - but make sure that
whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP
since this is how the GW is going to be able to put time-marks on
receipts which must have legal authority.

Hi Todd,

I think this is the first I've heard that only authenticated NTP (and
maybe even NTPv4?) is sufficient for legal authority. Can you say a
bit more about this? Perhaps, what sorts of issues you've run into or
seen when this is not implemented?

So that means any appliance system provider must have at least NTPv4
tested with both Autokey and symmetric-key and the new interface
specific ACLs in the 4.2.6 versions of NTP. Further the issues of the
ECC/Parity memory become important here because time is moved over UDP
and is subject to single-bit errors all over the place.

Authentication support for SNTP does exist in the protocol and I've
seen documentation where some gear supports it, though I suspect it's
very rarely used in practice.

And 4.2.6p1 was released 3 days ago and 4.2.6 in December. Might be
a tall order if you want it now. :slight_smile:

I haven't worked out the math, but I would have thought the UDP checksum,
coupled with a rigorous implementation (e.g. validates the originate and
transmit timestamps) and the various robustness mechanisms built into
the protocol should limit the effect of single-bit errors significantly.
I'd be interested in hearing or reading about experience that says
otherwise.

Nevertheless there are no doubt incorrect clocks all over the place.
As a simple example, for the open NTP servers we know about, here is
the top five most popular stratums by percent:

  stratum    %
        3   43
        4   18
        2   16
       16   14
        5    5

The overall accuracy of all those stratum 16 clocks is likely going
to be poor.

John
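Added example (editorial, not from any poster or vendor in this thread): Todd's point about authenticated NTP and John's point about a rigorous client validating the originate/transmit timestamps both come down to a few concrete checks on the wire. The block below builds an NTPv4 client packet with the symmetric-key MAC ntpd uses (RFC 5905: 4-byte key id followed by MD5 over key || header; Autokey is not shown), then validates a reply: MAC first, then mode, then that the origin timestamp echoes what we sent, then whether the server's own clock is synchronised (stratum 0 or 16, or leap indicator 3, means it is not, which is what John's stratum 16 entries represent). It also flips one bit of a reply in flight to show that the MAC, independently of the UDP checksum, rejects a single-bit error. The reply, key id 42 and the key bytes are constructed for the demo; nothing touches the network.

```python
"""Added example: NTPv4 symmetric-key MAC and reply validation, offline."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                  # fixed NTP header, before any MAC
HEADER_FMT = "!BBbbIIIQQQQ"      # LI/VN/mode, stratum, poll, precision,
                                 # root delay, root disp, refid, 4 timestamps
MAC_LEN = 4 + 16                 # key id + MD5 digest


def to_ntp_ts(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_request(transmit_ts, version=4):
    """Client packet: LI=0, VN=version, mode=3. Only the transmit timestamp
    is filled in; the server must echo it back as the origin timestamp."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, transmit_ts)


def append_mac(header, key_id, key):
    """Symmetric-key MAC as ntpd computes it: key id + MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(message, keys):
    """Recompute the MAC with the key named by the trailing key id."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False
    header = message[:HEADER_LEN]
    key_id = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, message[HEADER_LEN + 4:])


def parse_header(message):
    f = struct.unpack(HEADER_FMT, message[:HEADER_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "origin_ts": f[8], "receive_ts": f[9],
            "transmit_ts": f[10]}


def validate_reply(reply, sent_transmit_ts, keys):
    """Return (ok, reason). Order matters: verify the MAC before trusting any
    field, then the origin timestamp (defeats blind spoofing and replay),
    then whether the server's clock is synchronised at all."""
    if not verify_mac(reply, keys):
        return False, "bad or missing MAC"
    f = parse_header(reply)
    if f["mode"] != 4:
        return False, "not a server reply (mode %d)" % f["mode"]
    if f["origin_ts"] != sent_transmit_ts:
        return False, "origin timestamp does not echo our request"
    if f["stratum"] == 0 or f["stratum"] >= 16 or f["leap"] == 3:
        return False, "server unsynchronised (stratum %d, LI %d)" % (
            f["stratum"], f["leap"])
    return True, "ok"


def make_reply(request, stratum, server_unix_time):
    """Constructed server reply for the demo: mode 4, refid 'GPS '."""
    req = parse_header(request)
    recv_ts = to_ntp_ts(server_unix_time)
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       0x47505320, recv_ts, req["transmit_ts"], recv_ts,
                       to_ntp_ts(server_unix_time + 0.0001))


KEYS = {42: b"constructed-demo-key"}   # in ntpd this would come from ntp.keys


def run_exchange(stratum=2, flip_bit=False):
    """One request/reply round trip. flip_bit corrupts one bit of the reply's
    transmit timestamp in flight, the single-bit error case."""
    t = to_ntp_ts(1300000000.25)
    request = append_mac(build_request(t), 42, KEYS[42])
    reply = append_mac(make_reply(request, stratum, 1300000000.30), 42, KEYS[42])
    if flip_bit:
        damaged = bytearray(reply)
        damaged[40] ^= 0x01            # byte 40 starts the transmit timestamp
        reply = bytes(damaged)
    return validate_reply(reply, t, KEYS)


if __name__ == "__main__":
    print(run_exchange())               # (True, 'ok')
    print(run_exchange(flip_bit=True))  # (False, 'bad or missing MAC')
    print(run_exchange(stratum=16))     # (False, 'server unsynchronised ...')
```

The MD5 digest here is what the legacy symmetric-key scheme in ntpd actually uses and is kept for fidelity; newer ntpd builds also accept SHA-1 keys with the same framing, and the check order (MAC, mode, origin timestamp, synchronisation state) is the part worth copying into anything that will later be asked to vouch for a timestamp.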

The man did say "carrier class" .. not "small webhost for four
families and dog".

yes he did Suresh ... meaning that something larger and more secure than
the off-the-shelf copy of Linux is needed. Funny the NSA and many others
would disagree with you.

I know of (and have been the postmaster for) multiple million user
installations that run happily on linux + postfix (and sendmail,
qmail..).

None that run on one server running webmin, even a 3U server.

or layered as stages within a new system design based on GPUs which
allow for the specific assignment of threads of control to specific
processes. Imagine a cloud type environment running in a single GPU with
the ability to properly map threads to GPU threads.

You don't have "single" of anything at all for large and well scaled
environments.

OK our server is 3U but that was because I wanted bigger fans inside
it... The 1U single TESLA based email GW is exactly what you describe -
a 512 thread CUDA based GPU with serious capabilities therein.

So how many users do you run on that one 3U box? 100K? 300K? A
couple of million? :slight_smile:

The man said carrier class. And when you talk that you don't just talk
features, you talk operations on a rather larger scale than what
you're describing.

--srs

I haven't seen the man ask about support for messages/hour, 3M..10M..1B ? Or maybe
I missed this question?

Zaid

It's nanog and not an RFQ process or I'd have asked him that too :slight_smile:

I think it is a perfectly reasonable question to ask in NANOG. If someone
asks how much memory do I need on my router to do BGP, you have to ask the
fundamental question of how big your routing table will be. I don't see this
as any different. It's helpful to provide opinions when you are guided by
some data :slight_smile:

Zaid

The man did say "carrier class" .. not "small webhost for four
families and dog". You're talking multiple mailservers + filtering
gateways / appliances etc, clustered .. rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.

I build basically the same mail-system whether it is collapsed into a single box or spread out across a cluster.

sendmail + clamav milter + milter graylist -> procmail -> spamd -> maildir delivery -> dovecot imap.

When you need to scale the front end you deploy a load balancer and fire up more smtp boxes...

When you need to scale the filestore you move it to nfs and divide and conquer.

When you need to scale imap you shift it in front of the load balancer and deploy more boxes.

For load balancer we used LVS back in the day.

You can replace sendmail with postfix or exim; it's mostly a place to hang the various on-connect filter regimes.
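Added example (editorial, not the poster's code and not any real milter): the "milter graylist" stage in the pipeline above is the one on-connect filter whose behaviour is easy to get subtly wrong, so here is its decision logic in plain Python, detached from libmilter. A (client network, envelope sender, recipient) triplet that has never been seen gets a 451 temporary failure; a real MTA retries after a delay and is then accepted and remembered; a retry that comes back too fast, or far too late, is deferred again; single-shot spam senders never retry and never get through. The client address is keyed on its /24 (IPv6: /64) because outbound farms commonly retry from a sibling host, and addresses are lowercased before comparison. The delays are ordinary greylisting defaults chosen for the demo, and every IP, address and timestamp in simulate() is constructed.

```python
"""Added example: greylisting triplet logic behind a milter, offline."""
import ipaddress

MIN_DELAY = 300                    # first retry must wait at least this long
RETRY_WINDOW = 4 * 3600            # unconfirmed triplet forgotten after this
KEEP_CONFIRMED = 36 * 24 * 3600    # confirmed triplet stays whitelisted this long


class Greylist:
    def __init__(self, min_delay=MIN_DELAY, retry_window=RETRY_WINDOW,
                 keep=KEEP_CONFIRMED):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.keep = keep
        self._pending = {}     # triplet -> time first seen (not yet confirmed)
        self._confirmed = {}   # triplet -> time last seen (accepted)

    @staticmethod
    def key(client_ip, sender, recipient):
        """Normalise the triplet: /24 for IPv4, /64 for IPv6, lowercased
        addresses, so a retry from a sibling MTA still matches."""
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return ('accept', why) or ('tempfail', smtp_reply) for one
        RCPT TO at wall-clock time `now` (seconds)."""
        k = self.key(client_ip, sender, recipient)

        # already confirmed and still fresh: accept and refresh the timer
        last = self._confirmed.get(k)
        if last is not None:
            if now - last <= self.keep:
                self._confirmed[k] = now
                return ("accept", "known triplet")
            del self._confirmed[k]          # expired, start over

        first = self._pending.get(k)
        if first is None:
            self._pending[k] = now
            return ("tempfail", "451 4.7.1 greylisted, try again later")

        age = now - first
        if age < self.min_delay:
            # retrying within seconds is what ratware does; keep deferring
            return ("tempfail", "451 4.7.1 retried too soon")
        if age > self.retry_window:
            # stale entry: treat as a first attempt again
            self._pending[k] = now
            return ("tempfail", "451 4.7.1 greylisted, try again later")

        del self._pending[k]
        self._confirmed[k] = now
        return ("accept", "retry confirmed")


def simulate():
    """Constructed traffic: one legitimate MTA pool and one spam cannon."""
    g = Greylist()
    t0 = 1300000000
    log = []
    # legitimate sender: first try, impatient retry, proper retry from a
    # sibling host in the same /24, then a later message (case differs)
    log.append(g.check("192.0.2.10", "alice@example.net", "bob@example.org", t0)[0])
    log.append(g.check("192.0.2.10", "alice@example.net", "bob@example.org", t0 + 60)[0])
    log.append(g.check("192.0.2.11", "alice@example.net", "bob@example.org", t0 + 600)[0])
    log.append(g.check("192.0.2.10", "Alice@example.net", "bob@example.org", t0 + 86400)[0])
    # spam cannon: fresh sender per message, never retries
    log.append(g.check("198.51.100.7", "x1@spam.invalid", "bob@example.org", t0)[0])
    log.append(g.check("198.51.100.7", "x2@spam.invalid", "bob@example.org", t0 + 1)[0])
    return log


if __name__ == "__main__":
    print(simulate())
    # ['tempfail', 'tempfail', 'accept', 'accept', 'tempfail', 'tempfail']
```

In a real deployment the two dictionaries would be a shared store (the cluster case in the post above means every SMTP front end must see the same triplets), and the min-delay bound is the setting to watch: too low and retry-capable spam gets in, too high and legitimate mail from MTAs with long retry intervals is delayed for hours.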

I did ask him how many users he was looking to size email for. But a
lot of questions like, and beyond, that - you may or may not want to
answer on nanog.

The man said carrier class .. and you have a set of assumptions. If
you say enterprise you're assuming like 300K..400K mailboxes for the
very largest enterprises. Tops.

That'd be a small to mid sized carrier to spec carrier class for.

I'll end this thread here.

Scale it all. Then manage it centrally. Provision users. Manage
security. etc etc.

You use much the same IOS whether you run a router for a T1 or run
networks for a tier 1 :slight_smile: