benlast wrote,

He's More Machine Now Than Man

Or, combining Exchange and PostFix to form a hideous cyborg being.

This useful article popped up on OSNews about avoiding the need to pay mucho dinero to upgrade ageing Exchange 5 setups by using PostFix (or some other secure MTA) to insulate Exchange from the wild and woolly Internet.

At our main office we have an old NT server (SBS to be exact) running Exchange 5.5.  It came as part of an original IT installation I inherited when I joined, together with a web-proxy-only Net connection over ISDN for which the installers charged an extortionate fee per month (as well as ISDN dialup charges).  One day I'll have a little rant about how unsurprising it is that many small businesses don't trust IT companies when ripoffs like that are so common... but not today.  Anyway, the problem I had was that the users were thoroughly wedded to Outlook; when we switched to a sensible Net connection I had no intention of having the NT server and Exchange directly connected.  My previous job had included a huge mix of NT and Unix servers and I'd had the unpleasant experience of watching the Microsoft kit fall before the onslaught of vulnerabilities like sandcastles under an incoming tide.  I wanted something reliable and robust between the Net and NT.

The first job was to liberate an old machine and put RedHat on it (this was so long ago that RedHat 6.1 was current).  Next, Squid proxying to make the most of the (initially limited) bandwidth.  Then PostFix to deal with all incoming and outgoing email.  I used the redirect facility in ipchains to force all outgoing SMTP connections to port 25 to be rerouted through PostFix (thus giving me a way to at least track any trojans with built-in MTAs).  The NT server was moved behind this firewall system onto the LAN and Exchange was set to use Postfix for all outgoing mail.  All incoming mail was also routed to Exchange (after spam and virus filtering).  The users all keep their Outlook mailboxes and shared calendars.  All is well.  I'd migrate everyone to IMAP or even POP mail access, but frankly there's no benefit to them and a lot of work for me.  So Exchange can stay, at version 5.5.

One of the many criticisms of MS operating systems is how often they need to be rebooted, but after this migration the NT server has actually been extremely stable.  It's been rebooted after the odd IE update[0], but otherwise it's run alongside a brace of Linux machines quite happily.  If only I could manage it by command line instead of VNC-over-VPN, I'd be even happier.

[0] Worth pointing out that it's never used for web browsing, except to download the occasional update from Microsoft.  That in itself reduces the risk of exposure considerably.
Tags: geekery
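
The post notes that redirecting every outbound port 25 connection through Postfix gives a way to track trojans with built-in MTAs. As an added example (not the author's code), the check below scans Postfix smtpd log lines for LAN hosts other than the Exchange server that reached the relay. The network range, addresses, hostnames and log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed addressing for illustration; not from the original post.
LAN = ipaddress.ip_network("192.168.1.0/24")
EXCHANGE = ipaddress.ip_address("192.168.1.10")

# Postfix smtpd logs "connect from host[ip]" per session and
# "<queue-id>: client=host[ip]" per accepted message.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*?\[([\d.]+)\]")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S*?\[([\d.]+)\]")

def unexpected_lan_senders(lines, lan=LAN, allowed=(EXCHANGE,)):
    """Return {ip: {"connects": n, "messages": m}} for LAN hosts, other than
    the allowed relays, that reached Postfix on port 25."""
    seen = defaultdict(lambda: {"connects": 0, "messages": 0})
    for line in lines:
        for regex, key in ((CONNECT_RE, "connects"), (CLIENT_RE, "messages")):
            m = regex.search(line)
            if not m:
                continue
            ip = ipaddress.ip_address(m.group(1))
            # Only the Exchange box should ever speak SMTP from inside the LAN.
            if ip in lan and ip not in allowed:
                seen[str(ip)][key] += 1
    return dict(seen)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Jul 19 02:40:11 gw postfix/smtpd[2211]: connect from exchange.lan[192.168.1.10]
Jul 19 02:40:11 gw postfix/smtpd[2211]: 3F2A11C0D4: client=exchange.lan[192.168.1.10]
Jul 19 02:41:02 gw postfix/smtpd[2215]: connect from mail.example.org[203.0.113.7]
Jul 19 02:41:03 gw postfix/smtpd[2215]: 7B91D1C0D5: client=mail.example.org[203.0.113.7]
Jul 19 02:43:30 gw postfix/smtpd[2219]: connect from unknown[192.168.1.57]
Jul 19 02:43:31 gw postfix/smtpd[2219]: A04C21C0D6: client=unknown[192.168.1.57]
Jul 19 02:43:35 gw postfix/smtpd[2219]: A1D5E1C0D7: client=unknown[192.168.1.57]
Jul 19 02:43:36 gw postfix/qmgr[1187]: A04C21C0D6: from=<x@example.com>, size=512, nrcpt=1 (queue active)
Jul 19 02:44:10 gw postfix/smtpd[2223]: connect from unknown[192.168.1.88]
Jul 19 02:44:40 gw postfix/smtpd[2223]: disconnect from unknown[192.168.1.88]
""".splitlines()

if __name__ == "__main__":
    for ip, counts in sorted(unexpected_lan_senders(SAMPLE_LOG).items()):
        print(f"{ip}: {counts['connects']} connect(s), {counts['messages']} message(s)")
```

A workstation that shows up here is worth a look: with Exchange as the only legitimate internal sender, any other LAN address talking SMTP was caught by the redirect.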

  • 4 comments

etrepum

July 19 2005, 02:44:01 UTC 6 years ago

You can install SSH on Windows boxen, and Microsoft does have that Windows Services for UNIX stuff.

Of course, the only truly useful commands to execute from a shell on a Microsoft box are QWINSTA to find out who's hogging your RDC session and RWINSTA to kick them off ;)

benlast

July 19 2005, 03:39:57 UTC 6 years ago

Ah, you forgot "shutdown" to surprise whoever's working on it... :)
I spoze I should put Cygwin on the box and get sshd running for that...

Anonymous

July 20 2005, 07:54:00 UTC 6 years ago

Alternative

http://sshwindows.sourceforge.net/ - Here's an implementation of SSH for Windows that doesn't require all of cygwin. I use it at the office and it works great.

benlast

July 20 2005, 08:53:06 UTC 6 years ago

Re: Alternative

Excellent :) Something else to play with when I eventually get back from holiday... Thanks!