Opening Internal GroupWise Systems Securely



A Forum reader recently asked:

"I'd like to "open" my internal system (Groupwise7) for Internet in secure way. I wonder if this idea is good:

Internet -- firewall -- LAN (I have GroupWise here now)
(DMZ) Linux as an SMTP gateway

I want access from the Internet on port 25 only to Linux, and all emails will be filtered on Linux and than forwarded to Groupwise. Can you tell me something about my idea?"

And here's the response from Ryan Kather ...


If done properly, it's totally doable. We tested this along with other commercial solutions simultaneously with identical mail data. The systems we tested were; Barracuda, Symantec Mail Security for SMTP, BrightMail, Postini, WatchGuard, and DSPAM. The home built solution was the most accurate and cheapest (which actually suprised me).

SpamAssassin is really excellent when properly configured. I found it interesting how much more accurate it was then Barracuda considering Barracuda uses SpamAssassin.

I used a Gentoo Linux server (Gentoo because it's a metadistribution, so it can be incrementally updated to keep up with advancements in spam filtering) with Postfix, Amavisd-new, Clam Antivirus, Sophos Antivirus, and SpamAssassin.

To reduce your backscatter, configure Postfix to perform recipient address verification. It will do an SMTP-to-GroupWise validation that each mail is addressed to a valid account before accepting it in the initial SMTP conversation. It does open you up to discovery from spammers, but they brute-force this anyway, and the alternative is the creation of thousands of bounced messages.

If you care about spam you should be running the latest SpamAssassin with the SARE ninja rulesets and the FuzzyOCR Plugin. You definitely want the latest Clam antivirus. It's lightweight on your resources and very effective. We handled 9 million messages/month in this setup, and there wasn't a single virus that got past Clam and was caught by Sophos. Speaking of Sophos, you will want at least 2 virus scanners, though. Clam is free, and you could probably bundle that with something proprietary. I've heard good things about McAfee's Linux client.

If I understand you correctly, you have internal systems that are not part of GroupWise that you want to be able to send mail to GroupWise, and possibly receive mail from GroupWise ...

I would recommend the following:

1. Configure your GWIA(s) to relay all outbound mail to your new Linux DMZ Gateway.

2. Configure an MX DNS alias telling all hosts to relay all SMTP to any destination to your Linux DMZ Gateway.

3. Configure transport maps in Postfix to the specified internal workgroup systems.

4. Inform Postfix of your internal networks and allow them to relay (possibly only allow them to relay to Internet if they have originated from GWIA (to prevent virus infected hosts from sending spam outward).

This way, all mail for all systems passes through the gateway and is sanitized before re-entering your internal network. You could/should firewall off all SMTP messages from internal to internal, or internal to INET, that are not destined to or originating from the Linux DMZ system. It's your call on whether you just filter outbound viruses or if you also look for outbound spam. I do recommend looking for both spam and viruses but also providing bounce notifications to internal hosts.


How To-Best Practice
Comment List