Internet Exchange Messaging Server

Technical Overview

The Internet Exchange Messaging Server (IEMS) is a highly modular and scalable open-architecture system. It can be used for anything from small single-machine installations to fully distributed systems linking geographically distributed sites into a common set of logical domains. Its various components can be run on a single machine or in a distributed environment. Administrators can install IEMS on Windows 98 and ME (Anti-Virus Detached Machine), NT, 2000, and XP. For Linux administrators, IEMS can be installed on RedHat Linux 6.2 through 9.0; Mandrake 8.2 through 9.1; SCO Linux Server 4.0 (United Linux 1.0); RedFlag; and Cosix (CS&S).

IEMS 7 introduces a new integrated Anti-Spam approach to message reception and delivery. The MTA Pass-Through technology employed by IEMS 7 allows end users (message store accounts), individual distribution list maintainers, and connector modules to define their own security profiles independent of the rest of the system. At the same time, the messaging system administrator can still define an overall global security policy, where some anti-spam measures are handled directly by the MTA (such as traffic identified by reliable DNS-BLs). Other measures which may be desired by part of the user community, such as DNS-BLs with known high false-positive rates, can then be passed through to the users for consultation on a case-by-case basis.

 

SYSTEM OVERVIEW

The Internet Exchange Message Transfer Agent (MTA) is a high-performance messaging switch capable of switching messages between many input and output channels concurrently. Routing decisions are based upon a combination of information obtained from the local configuration and directory services. The overall IEMS system architecture is summarized below:

In addition to providing a very comprehensive and integrated approach to spam prevention, many other essential services are supported. Messages are exchanged with other Internet MTAs using either SMTP or Batch SMTP. The IEMS SMTP subsystem is tuned for high-volume applications and supports virtual channel queuing, SMTP Authorization, and SSL. Full connection control is provided, further allowing administrators to protect their systems from outside threats. The IEMS MTA works transparently with SpamAssassin content filtering to provide additional spam detection capabilities. Spam non-delivery reports are automatically tagged by the system so that they can be quickly removed should they become blocked due to non-existent return addresses, significantly reducing administration costs.

The Anti-Virus module allows for the integration of third-party anti-virus engines. Attachments can also be automatically removed during transit based upon attachment type. Disclaimers can be automatically inserted into messages that pass through the MTA, depending on source input channels. The Distribution List processor allows for many different types of lists, supporting mail blocking, automatic list subscription / unsubscription, and message digests (both MIME and non-MIME). Security policies can be set on a per-list basis.

Messages arriving for local users are subject to optional Bayesian Filtering, MTA Pass-through checks, and MailSort filtering. Users connect to the Message Store using any standard POP3 or IMAP mail client (Outlook, Eudora, Evolution, etc), the included web mail client, or easily built custom applications. Online storage is provided with the Web Mail client. Administrators can easily manage user accounts using the Quota Manager, which manages both mail as well as web folder storage tasks. Sites supporting multiple domains can offload administration tasks to domain administrators responsible for their own user communities.

Additional output channels supported include connectors for Lotus cc:Mail and Notes. Migration tools are provided for Microsoft Exchange sites wishing to move to IEMS. Developers can make use of the open APIs for developing any additional site-specific connectors or preprocessor agents necessary. The open Client API provides both C++ and PHP4 controls for developers wishing to deploy custom message-enabled applications.

 

SECURITY FRAMEWORK

In most conventional messaging systems, security measures are employed on a system-wide basis, making the choice of tools, such as DNS-BLs, critical. IEMS MTA Pass-Through technology changes this by allowing the administrator to use many more countermeasures, enabling at the MTA, or global, level only those that have been proven to be universally effective, and letting users pick and choose what additional measures they may or may not wish to apply to their individual message traffic.

System administrators are often caught in the middle of conflicting sets of requirements. On one hand, it is their responsibility to protect their organization and systems from outside (and sometimes inside) attacks from virus infected messages as well as spam. At the same time, they serve the users of these systems.

Traditional spam-fighting techniques are performed by the MTA based upon policies set by the administrator. These global policies are normally set to ensure the maximum protection for the organization with minimal impact on the end user. In the case of spam detection and handling, the definition of what constitutes spam can vary widely from community to community, as well as from user to user within a single organization. Sales and marketing related messages may be very welcome in a sales group, while not being tolerated in a nearby engineering group. Advertisements pitching lower mortgage rates may be undesirable to most users but welcome to a small group of people looking to purchase a new home. Viagra advertisements and other personal-enhancement advertisements may not be welcome to any users, especially if the site caters to young or corporate users.

To assist the IEMS administrator both in providing system security and in keeping the collateral damage associated with improper spam detection and handling to an absolute minimum, several new tools can be applied. These can be applied on a system-wide basis (global) and/or on an individual basis. Some tools, such as virus scanning, certain SMTP connection controls, site-wide blacklists, and SMTP Authentication, affect an entire site and are global in scope.

Others, such as Bayesian Filtering and mail sorting based upon pattern matching, are tools end users can apply. Still other tools, such as DNS Blacklists (DNS-BL), header analysis, and message content analysis, run within the MTA, but their results can be acted upon as directed by either a system security policy or an end user security policy. The ability for end users to set security policies on actions normally associated only with system activities is made possible by the IEMS MTA Pass-Through features. These allow for the optional tagging of suspect messages by the MTA. The local mail delivery agent (working on behalf of the user) can then act upon these tagged messages later. This allows for both much more aggressive checking at the MTA level and far more control over which messages are rejected at the user level (see the figure above).

System Wide Security Settings
It is usually desirable to apply specific security measures to all messages that pass through your systems. Some of the tools that by their nature are applicable to all message traffic include the following:

  • Anti-Virus Scanning
  • Reverse DNS Lookup of SMTP Data
  • SMTP Authentication
  • Loop Detection
  • Mail Relay Control
  • SMTP Sender Check

The tools listed above apply to all messages that pass through an IEMS system and cannot be overridden by user preferences. The only exception is anti-virus scanning, whose behavior can be modified through the anti-virus channel action matrix settings.

MTA Pass-Through
IEMS 7 Pass-Through technology allows the system administrator to perform MTA-level checks on messages and then optionally defer any action until the message is handled by an agent controlled by the end user. These agents are typically output channel processors, such as the Local Mail Delivery Agent, the Distribution List Processor, and others. As not all output channels are capable of handling deferred actions (the cc:Mail and Notes connector modules, for example, are not), the administrator can define default actions on a channel-by-channel basis, which will then be carried out by the preprocessor.

 

LOCAL SERVICES

Local services make up the modules and services not associated with message transport across the Internet (SMTP) or MTA switching. These include Distribution Lists, Message Storage and retrieval, user-directed Anti-Spam measures, Web folders (storage), private address books, and Microsoft Outlook compatible calendaring / scheduling features. Messages are delivered into the local environment through the Distribution List manager and the Local Mail Delivery Agent (LMDA).

The Local Mail Delivery Agent (LMDA) and the Distribution List Engine perform actions on behalf of their respective users (Message Store and Distribution Lists). Both of these channel processors can be configured on a per-DNS-BL basis as to what actions to perform. The LMDA components are shown above in Figure 7. In addition to MTA Pass-Through processing, the LMDA can be configured to perform Bayesian message filtering on behalf of the user. This filtering technique uses per-user message databases made up of user-identified spam as the basis for its message blocking. Users of either the Web Mail Client or any IMAP client can place received spam into a special folder, which the system later processes to update the individual Bayesian Filter databases. After an initial learning phase, accuracy rates for Bayesian filters can exceed 98%.
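
The Pass-Through flow described under MTA Pass-Through and in the paragraph above, sketched as an added Python example (not IEMS code): the MTA rejects on globally trusted DNS-BLs, only tags hits on the others, and the output channel then applies the user's per-DNS-BL policy or, for a connector that cannot defer, the channel default. The header name, zone names, policy tables and addresses are hypothetical, and DNS is replaced by a constructed set of listed names.

```python
from email.message import EmailMessage

# All names below are hypothetical; the page does not show IEMS's settings or headers.
TAG = "X-Example-DNSBL-Hit"
ZONES = ["reliable.dnsbl.example", "aggressive.dnsbl.example"]
GLOBAL_REJECT = {"reliable.dnsbl.example"}       # acted on at the MTA for everyone
CHANNEL_DEFAULT = {"ccmail": "reject"}           # channels that cannot defer
USER_POLICY = {                                  # per-user, per-DNS-BL actions
    "sales@example.com": {"aggressive.dnsbl.example": "deliver"},
    "eng@example.com": {"aggressive.dnsbl.example": "quarantine"},
}
# Constructed stand-in for DNS: query names that would resolve (address is listed).
LISTED = {"10.2.0.192.reliable.dnsbl.example", "7.100.51.198.aggressive.dnsbl.example"}

def dnsbl_name(ipv4, zone):
    """DNS-BL query name: the address's octets reversed, under the list's zone."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def mta_check(msg, client_ip):
    """MTA stage: reject on globally trusted lists, only tag hits on the others."""
    hits = [z for z in ZONES if dnsbl_name(client_ip, z) in LISTED]
    if any(z in GLOBAL_REJECT for z in hits):
        return "reject"
    for zone in hits:
        msg[TAG] = zone          # pass-through: record the hit, defer the decision
    return "accept"

def channel_action(msg, channel, rcpt):
    """Output stage: the user's policy on the local channel, else the channel default."""
    tags = [str(t) for t in msg.get_all(TAG, [])]
    if not tags:
        return "deliver"
    if channel != "local":       # connector cannot defer; the default action applies
        return CHANNEL_DEFAULT.get(channel, "deliver")
    policy = USER_POLICY.get(rcpt, {})
    actions = {policy.get(z, "deliver") for z in tags}
    return next((a for a in ("reject", "quarantine") if a in actions), "deliver")

def handle(client_ip, channel, rcpt):
    """Run one constructed message through both stages and return the final action."""
    msg = EmailMessage()
    msg["To"] = rcpt
    if mta_check(msg, client_ip) == "reject":
        return "reject"
    return channel_action(msg, channel, rcpt)

if __name__ == "__main__":
    print(handle("198.51.100.7", "local", "sales@example.com"))
    print(handle("198.51.100.7", "local", "eng@example.com"))
```

The same tagged message ends up delivered for one user and quarantined for another, which is the point of deferring the decision past the MTA.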

The combination of SMTP controls, Content Filters, Bayesian Filters, DNS-BLs, and the extension of these controls to the end users allows for an extremely flexible protection system, designed to block the maximum number of problem messages.

 

FEATURE SUMMARY

A summary of the features provided in the different IEMS 7 Editions can be found in the table below.

INTERNET EXCHANGE MESSAGING SERVER 7 (IEMS) FEATURES

Feature
Free
3-User
Standard
Enterprise
Professional
Enterprise

MTA / Preprocessor

Directory Services

Message Store

Web Mail Client

Mailsort

IMAP4 Server

POP3 Server

Anti-Spam: Content Filtering

Anti-Spam: Bayesian Filtering

Anti-Spam: Multiple DNS-BL

Anti-Spam: Header Filtering

Anti-Spam: Connection Control

Anti-Spam: Sender Site Verification

Anti-Virus

-
Web Folders (Online Storage)
-
Web Online Bookmarks
-
SMTPD Message Flow Control
-
SMTP Authorization
-
SMTPD SSL Support
-
Automatic Attachment Removal
-
BSMTP Client
-
MTA Pass-Through Capabilities
-
-
Distribution Lists
-
Distributed Operations
-
-
Multi-Domain Administration
-
cc:Mail Connector
-
-
Lotus Notes Connector
-
-
Microsoft Exchange Migration Tools
-
Calendaring / Scheduling
-
BSMTP Server
-
ISP / ASP Toolkit
-
Open MTA API
Open Client API
Users

3

75

250+