Simple—Alternative Architecture
The preceding configuration or architecture is very simple. One of the most common additions to the simple configuration is virus scanning in some manner. There are various methods of adding virus scanning to the messaging architecture including:
Adding a virus appliance such as Borderware or Symantec
Adding a virus firewall such as Trend Micro's VirusWall
Adding virus scanning software on the messaging server itself. Each of these approaches has pros and cons.
As many organizations are well aware, relying only on desktop virus-scanning software does not eliminate all viruses for many reasons. Since viruses spread through email in addition to other methods, adding virus scanning to the messaging environment is a natural choice.
By combining a simple messaging install with an SMTP firewall product (FIGURE 3-2) offering antivirus (and potentially antispam) protection, the system accomplishes several things:
Off-loads antivirus scanning from the messaging system— Often scanning takes significant processing power due to the requirement to examine all attachments as well as uncompressed attachments that are stored in compressed formats, such as zip files. It is not uncommon to have compressed files within compressed files. The level to which you scan is configurable, but each level takes more power.
Isolates the Sun ONE Messaging Server from direct Internet access— Many hackers are well aware of exploits via SMTP and use the SMTP protocol to hack into people's networks or systems. By placing a firewall between the Internet and the mail server, a level of security is added. However, firewalls that offer SMTP relaying function are often not nearly as secure as the Sun ONE Messaging Server relay—careful consideration is required.
Reduces the messaging workload— In addition to off-loading the antivirus and antispam workload, it also off-loads the rejection of email not destined for your messaging server.
Maintains overall simplicity— Still maintains most of the benefits of simplicity while adding additional security.
Figure 3-2. Alternate Configuration With SMTP Firewall
Typically the main drawbacks of this configuration are:
Added server requirement— The need to now manage two physical servers adds slightly more workload for the system administrator.
Messaging headers— To scan all messages, sometimes messaging headers must be rewritten and forwarded to the scanning virus wall from the messaging server.
Lack of flexibility— There are not a whole lot of optional configurations with a firewall and virus scanner in place; sometimes, this is the only such option available.
Little, if any, redundancy— Since there is only one messaging system, there is no redundancy, or little beyond that which the single system provides (that is, RAID storage or redundant power supplies). Messages may or may not queue up on the virus wall server, depending upon its capabilities.
Although many sites use a virus firewall in front of the messaging server, there are disadvantages when putting another SMTP server in front of the Sun ONE Messaging Server's MTA as the outer most SMTP server in your organization. Here is a partial list of the major reasons:
First and foremost, the vendors specialize in virus filtering. They are not experts in MTA technology, so their SMTP server is basic and not as full featured as the Sun ONE Messaging Server
Limited if any SMTP extensions support. Which means:
No SMTP AUTH
No NOTARY (for example, delivery receipt requests)
Deliver By (certain date)
Size-based extensions
Pipelining
SSL/TLS
MIME support is minimal, no support for other messaging formats (for example, RFC1154, which is what Microsoft used before Exchange, NeXT Mail, BINHEX or UUENCODE)
Limited if any realtime blackhole list (RBL) support
Handling of very long header lines (a common technique to exploit buffer overflow errors in various mail clients)
Tools for blocking mail based on various pieces of originator information
No MMP
Limited mail routing capabilities
However, for simplicity sake, many organizations still elect to use this alternative architecture.