Microsoft dropped support for Exchange 5.5 on December 31st, 2004. Exchange 5.5 users can upgrade to Exchange Server 2003, continue to run 5.5 with all accompanied security risks, or switch over to another mail/groupware system. In this article I propose a fourth option that is really options two (run Exchange) and three (run another mail system) combined.
Exchange 5.5 is no longer supported by Microsoft as of December 31, 2004. According to Microsoft, organizations have two options. The first is to upgrade to Microsoft Exchange Server 2003; this is what Microsoft wants you to do. This means purchasing new hardware and new licenses, learning a totally different operating system (Active Directory, anyone?) and being tied into Microsoft once again.
The second option is to continue running Microsoft Exchange 5.5 and hope no one finds a new exploit. Microsoft frowns on option number 2, and I have to agree: Exchange 5.5 is not secure enough to serve Internet mail, especially without Microsoft patching it.
There is a third option that isn’t mentioned by Microsoft: change over to another mail/groupware system. This is a valid alternative if you have the time and resources. The worst part of changing to a new system is getting the email clients to behave, and getting the users of said email clients up to speed.
In this article I propose a fourth option that is really options two (run Exchange) and three (run another mail system) combined. The downsides of options two and three will be mitigated while the functionality remains the same. The cost of all this? Depending on the number of users, it starts at $200 USD and about a weekend’s worth of time. The time varies greatly with the level of expertise and the number of users.
What we will be doing is running NT4/Exchange inside the Linux OS via a virtual machine; VMware is the VM recommended for its ease of use and stability. We will use a more secure MTA, such as Postfix, and we will receive mail via an IMAP server, such as Cyrus. Exchange 5.5 will not connect to the Internet at all, and all mail will be filtered through the more secure systems before Exchange has to deal with it. We can even have Exchange 5.5 forgo all mail handling, and only perform address book and calendar sharing.
What you will need:
A virtual machine package that can run Windows NT Server (VMware Workstation for Linux is what I use);
A decent server (a PIII 1GHz minimum with ample HD storage and 512~1GB RAM);
Working knowledge (plus packages) of Linux, Postfix and Cyrus (I recommend Kolab2 on top of Debian);
A licensed copy of Microsoft NT 4 Server and Exchange 5.5 Server with CALs (if you don’t have a legal copy, check the Internet, it is inexpensive now);
Working knowledge of NT4/Exchange 5.5 (if you’ve installed and run it before, then you should have the knowledge).
The information contained in this article is rather superficial. This isn’t an in-depth how-to, but rather a pointer as to how it can be done. A good tech will be able to take this information and implement it using the knowledge that he or she already possesses.
Back up your current NT environment, including Exchange. I’ve only done smaller networks with less than 40 users, so I relied upon making a pst of everyone’s mailbox and creating an additional pst for public folders. There are several methods to back up an Exchange system; do what is most comfortable.
Install your Linux OS, VMware and your Open Source mail system. I use and recommend Kolab2; it is a mail and groupware system that performs the same duties as Exchange, plus the added benefit of spam and virus filtering. If you choose Kolab2 you also have a migration path away from Microsoft and Exchange, which you may or may not choose to implement.
Create your user accounts in the mail system. There is no script that will create users for both Exchange and Unix accounts that I know of, but you can write one utilizing a macro program, Perl and/or Bash.
Inside VMware, install NT4 and Exchange 5.5. Import all user accounts or re-create them, whichever takes less time. Block all Internet access from the NT4 virtual machine.
Simple Setup:
Have Exchange use the Linux mail system as an upstream server, and have all mail received by Exchange via IMAP or POP.
Upside: Least amount of client configuration needed. Exchange is not interacting with the Internet.
Downside: Exchange 5.5’s MTA is problematic, but if you lived with it before, it will be no different. Exchange 5.5 mailboxes will hold all the users’ mail, with the same corruption issues Exchange 5.5 users have always had to deal with.
Intermediate Setup:
Set up POP mail accounts on all clients and have Outlook pull all the mail down from the Linux mail server; sending mail will use the Linux SMTP mail server.
Upside: All Internet mail is handled by the Linux mail system, with less mail handling by Exchange. Exchange is not interacting with the Internet.
Downside: Exchange 5.5 mailboxes will hold all the users’ mail, with the same corruption issues Exchange 5.5 users have always had to deal with. Outlook clients will need Internet email accounts in addition to Exchange.
Expert Setup:
Set up IMAP accounts on Outlook (version 2002 and above). Sending mail will use the Linux SMTP mail server. Create a public address book in Exchange of all office users with the Linux SMTP server account addresses. Make it available as an email address book on all clients. Set the IMAP account as the default, and remove the Global Address Book and the Recipients from the address books in Outlook. Set the public address book that you created earlier as the default.
Upside: All Internet mail is handled by the Linux mail system. Mailboxes are all handled by Cyrus. Eases future migration. Stability of Exchange increases.
Downside: Outlook clients will need Internet email accounts in addition to Exchange. The Outlook clients’ address books need to be configured.
I recommend the expert option because it relieves Exchange of the stress that user mailboxes and mail handling impose. Exchange becomes a public address book and shared calendar system. This makes Exchange extremely stable. I have one system that ran 8 months before a reboot; for Exchange 5.5 that is nearly a miracle. Another reason I recommend this option is that it eases migration away from Exchange, since IMAP becomes the default mail handling system. Kolab2 with Outlook plugins can replace Exchange when the time comes.
Microsoft Exchange 5.5 covers what many businesses need. Most companies don’t enjoy being forced into an upgrade, especially when there is no reason other than monetary gain for the software vendor. The procedure outlined in this article will allow companies to run NT4/Exchange 5.5 as long as they want. Since NT4 and Exchange are no longer accessing the Internet, they are essentially sandboxed. By removing unnecessary services and utilizing a properly configured firewall, you can run a secure NT4/Exchange environment. If Kolab2 is used, then there is a path away from Exchange, whenever your organization is ready. This procedure will help free your organization from forced upgrades, and eventually allow it to free itself from all controlling software companies.
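The isolation this setup depends on (the NT4 guest cut off from the Internet, reaching only the Linux mail system) can be written as host firewall rules. The script below is an added example, not part of the original article: it prints iptables commands for a dedicated chain, assuming the Linux host routes between the office LAN and the guest's virtual network. The addresses, the mail ports 25 and 143, and the chain name EXCH_GUEST are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): print the iptables commands that
# fence off the NT4/Exchange guest. Addresses, ports and the chain name
# EXCH_GUEST are assumptions; review the output before giving it to a root shell.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# is_cidr NET/LEN: IPv4 network with a prefix length of 0-32.
is_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    _len=${1#*/}
    case "$_len" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "${#_len}" -le 2 ] && [ "$_len" -le 32 ] && is_ipv4 "${1%/*}"
}

# emit_guest_rules GUEST_IP HOST_IP LAN_CIDR [TCP_PORTS]
#   GUEST_IP   address of the NT4 virtual machine
#   HOST_IP    address where the Linux mail system listens for the guest
#   LAN_CIDR   office network whose Outlook clients may connect to Exchange
#   TCP_PORTS  mail ports the guest may reach on the host (default SMTP, IMAP)
emit_guest_rules() {
    _guest=$1 _host=$2 _lan=$3 _ports=${4:-25,143}
    if ! is_ipv4 "$_guest" || ! is_ipv4 "$_host" || ! is_cidr "$_lan"; then
        echo "usage: emit_guest_rules GUEST_IP HOST_IP LAN_CIDR [TCP_PORTS]" >&2
        return 2
    fi
    case "$_ports" in
        ""|*[!0-9,]*) echo "TCP_PORTS must be comma-separated numbers" >&2
                      return 2 ;;
    esac
    cat <<EOF
# Dedicated chain for all traffic to or from the Exchange guest
iptables -N EXCH_GUEST
# Replies on connections that were already permitted
iptables -A EXCH_GUEST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Guest to the Linux mail system: mail ports only
iptables -A EXCH_GUEST -s $_guest -d $_host -p tcp -m multiport --dports $_ports -j ACCEPT
# Office clients may open connections to Exchange (address book, calendar)
iptables -A EXCH_GUEST -s $_lan -d $_guest -j ACCEPT
# Anything else involving the guest is logged (rate-limited) and dropped
iptables -A EXCH_GUEST -m limit --limit 6/min -j LOG --log-prefix "exch-guest-blocked: "
iptables -A EXCH_GUEST -j DROP
# Hook the chain in front of the host's existing rules
iptables -I INPUT -s $_guest -j EXCH_GUEST
iptables -I FORWARD -s $_guest -j EXCH_GUEST
iptables -I FORWARD -d $_guest -j EXCH_GUEST
EOF
}

# Run directly, e.g.: sh guest-fence.sh 192.168.56.10 192.168.56.1 192.168.1.0/24
if [ "$#" -ge 3 ]; then
    emit_guest_rules "$@"
fi
```

Packets the guest sends anywhere else are logged with the prefix exch-guest-blocked before being dropped, so an attempt by the NT4 machine to reach outside shows up in the host's kernel log.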
I’d like to thank Erfrakon for designing the Kolab architecture and Intevation GmbH for their contributions to the Kolab project. I’d also like to thank everyone who contributes to Open Source and Free software.
Linux is a registered trademark of Linus Torvalds.
Microsoft Windows NT, Exchange 5.5, and Outlook are all registered trademarks of Microsoft Corporation.
VMware Workstation is a registered trademark of VMware, an EMC Company.
About the Author:
My name is Alex Chejlyk. I’ve owned and operated a small business that performs IT tasks for other small businesses in the area since 1994. I’ve been computing since the early 80’s; I started out with CP/M, then to DOS, LANtastic, Windows 2.x, Apple, OS/2, Windows 3.x, Be, Windows NT/9x/2K/XP, Unix, and Linux.
Yikes! That’s a scary thought. I don’t think this is realistic for anything larger than the small networks you speak of.
But hey, good luck with it. For mission critical e-mail, I prefer to run on something that’s supported and robust. Not that I am referring to MS, necessarily.
when has email ever been mission critical?
honestly, if it goes down, the world doesn’t end
you’re right the world doesn’t end, but the pain in the butt does begin. if you’ve ever had to explain to management jerk a why he can’t send pictures of a dog eating poop to his friends then you already know why people like to keep their email servers up and running.
Doh! My bad I did mean sendmail.
honestly, if it goes down, the world doesn’t end
Try telling that to some of my superiors. That’s the same exact quote I say to my coworkers but somehow upper management just doesn’t believe it.
You must live in a fantasy world. Email IS mission critical in business. If email goes down in my organization, heads roll.
i have to agree, running exchange in vmware is not a viable option for a business of any size.
the idea that the author is giving is a good one, it’s just poorly executed. in the time of sub $200 computers it is much easier to buy a cheap computer for the linux end of the operation and just keep your exchange server where it is.
This scenario is too complicated. There are too many variables to have to deal with, and you’re still using Exchange 5.5.
I use Samsung Contact (HP Openmail). It works with MS Outlook (and has a web and mobile (PDA) interface), does shared calendars, contacts, and other groupware functions, and runs on a Linux machine instead of a Windows OS.
I saved $3000 in initial costs from upgrading to Exchange 2003 and it has worked out great for me.
I read somewhere that Samsung Contact does not sell to the SMB market. They don’t even take on new resellers. No idea how you want to deploy SC if you are a small business. Suggestions?
You can either contact a reseller and see if they’ll still sell you a license, or you can use Scalix, which caters to a smaller market now than Samsung does.
Why does the article only point out flaws with Exchange 5.5? For example “continue to run 5.5 with all accompanied security risks” and “The second option is to continue running Microsoft Exchange 5.5 and hope no one finds a new exploit.”
These are generalized statements intending that you are not secure if you run Exchange 5.5. These statements could be applied to almost any MTA. Anytime you run a server you are taking security risks and hoping no one finds a new exploit. I’ll just pick on Sendmain for an example, its record isn’t exactly what I would call clean.
“These are generalized statements intending that you are not secure if you run Exchange 5.5. These statements could be applied to almost any MTA. ”
The problem is MS is stopping support. Meaning if an exploit is found, they won’t bother to fix it. Other MTAs will have patches available.
I and I think you mean Sendmail, not “Sendmain”
It seems that, by the time you get this going, you would have been better off to have just implemented one of the many Exchange drop-in replacements that run on Linux and that way you would be totally free from Exchange – especially an old and unsupported version.
The problem with this solution is that it really limits the length of time you can run this configuration without ditching Exchange completely. It also severely limits the scalability of the system (although, if the company isn’t growing, then that’s not too much of a problem).
However, it’s probably a good start to moving away from Exchange if you are the type that doesn’t like really large cutovers and prefers a step by step approach to migrations.
The Exchange drop in replacements are not really drop in replacements. I’ve been trying for years to wean companies off of Exchange, but Outlook doesn’t really work properly except when teamed with Exchange. Case in point, SuSE Open Exchange. SLOX is touted as a drop in replacement, it is most definitely not, it doesn’t import addressbooks or calendar data, so there is no real migration. The Outlook client plugin is problematic (there are two, one that does a scheduled sync, another that works with MAPI). Outlook clients experienced so many inconsistent problems with SLOX. Everything from losing the public addressbook to not seeing calendar entries that they just made.
Kolab2 is great and once the plugin for Outlook is ready (and working seamlessly), Exchange can be ditched.
Cheers,
Alex
As in a previous post…
I use Samsung Contact (HP Openmail). It works with MS Outlook (and has a web and mobile (PDA) interface), does shared calendars, contacts, and other groupware functions, and runs on a Linux machine instead of a Windows OS.
I saved $3000 in initial costs from upgrading to Exchange 2003 and it has worked out great for me.
Another option
Setup SME Server behind a firewall
port forward port 25 only to the SME Server
SME Server is also a firewall, put it in front of your network and your Exchange server
Delegate the Exchange server in SME Server
Install ClamAV and SpamAssassin (or ASSP) in the SME Server to cover the virus/spam issue.
Don’t bother updating Exchange ever again
“honestly, if it goes down, the world doesnt end”
No, but your ability to put food on the table for your family might.
When you work for a company with 600+ users spread out all over the country, all connected to the same Exchange server, and it goes down, that’s going to have a couple people breathing down your neck, and possibly causing career altering conversations.
And by career altering conversations, I mean getting your butt fired.
I think many IT people here will agree with me when I say trying some “neato” Linux workaround isn’t worth jeopardizing productivity, or your job.
Granted 600+ is more than the 50 or so users the author refers to in his experiment, but it’s still an SMB, and this is still, IMO, an unacceptable workaround.
I don’t like MS’s business strategy either, but there are better alternatives than this.
“When you work for a company with 600+ users spread out all over the country, all connected to the same Exchange server, and it goes down, that’s going to have a couple people breathing down your neck, and possibly causing career altering conversations.”
Whose idea was it to use Exchange in your scenario in the first place?
What a nightmare you must have to deal with!
Since you are running VMware Workstation, can you log out of Linux? Or do you have to remain logged in at all times to keep the virtual machine running?
Do you run the virtual machine on a TightVNC display?
AFAIK VMware has a version that runs in the background but with workstation you have to stay logged in. That doesn’t mean you have to run something as heavy as KDE however. You can use a simple window manager like TWM or run an X session with no window manager at all.
The Exchange Server runs via VNC (runs the ICE desktop), thus far it has been very stable.
Cheers,
Alex
Of course you can. Every version of VMWare has a toggle that says “Start computer when my host computer starts” (OSLT). Exchange doesn’t require a user to be logged in for the service to start.
> Every version of VMWare has a toggle that says “Start
> computer when my host computer starts” (OSLT).
VMware sell several different products. “VMware Workstation” is the least expensive one–the one that I have. AFAICT, the only way I can start it running and then log out is if I start it in a TightVNC (or other VNC) session.
If VMware Workstation has the “Start computer…” option, how do I access it?
“Whose idea was it to use Exchange in your scenario in the first place?
What a nightmare you must have to deal with!”
No, not really. Exchange 2003 is quite stable and reliable.
Look, I like Linux. We use Linux in some spots. But this particular solution in which we are discussing here is not viable, IMO.
Hey how about a real user name and an e-mail address attached to your posts? They sure would be taken more seriously!
I am a dufus. The above post is me. I really should start logging in before criticizing others about not having an account.
I believe MS is supporting Exchange 5.5 through Dec. 31, 2005. At least that is what they have published and are telling their governmental clients.
What you speak sounds like a viable alternative. That’s what I am talking about!
I am not trumpeting MS as the only solution…..I am just saying the article solution isn’t either.
We are using Exchange with more than 5000+ users across Canada and we have no problem. You just need to know what you’re doing and doing it well. And when you’re that big, Microsoft is always glad to help. $$
Remember that most big companies have good rebates from Microsoft for using their software.
And no, it’s not a nightmare.
Though I agree completely, we never really have to contact MS, the stuff just works.
Groupwise is also a good alternative, and the last I checked into it (admittedly about 9 months ago) it was more reasonably priced than Exchange.
Novell also has a Linux solution for collaboration called Openexchange Server, though I haven’t really researched it at all.
I dunno if it’s a commercialized version of the software reviewed here last week, or something different. I am sure someone can step in and say so, though.
If your CEO or other PHB values his/her corporate email and wants to keep using the groupware features that users of the Outlook/Exchange combo have grown accustomed to, I suggest spending some time reviewing solutions from Scalix and Samsung Contact. Both will allow you to replace Exchange while maintaining and possibly even enhancing the functionality. Not to mention the added security… Samsung Contact is the former HP OpenMail and an extremely scalable large Enterprise email system with full Groupware (Exchange) functionality. This system is used by companies that need e.g. 350,000+ mailboxes. Afaik you need to be a serious company to get Samsung to return your phone call (please correct me if I’m wrong). Scalix is a smaller company focused on the SMB as well as the Enterprise market. They also offer full Exchange functionality. Check out either company if you need an “Open” replacement for Microsoft Exchange. Of course there are tons of other solutions out there. I pointed out specifically these two given their focus, maturity and service and support offerings. Something that the CEO/CTO/CFO appreciates/requires. Note: I don’t work for either. I just think pointing them out serves people’s interest in alternatives.
Maybe I’m always missing something here … exchange is potentially more vulnerable due to its largely installed user base, ok. It’s expensive to install, fair enough …
But, I can hire an MCSE or MCSA for buttons, any day of the week, stick him on site and have him maintain them. No special experience , no special skills. He leaves , get another.
So the implementation savings described have to cover the cost of supporting the system when operating it.
Just my narrow view , but one that always seems to be
missed …
“But, I can hire an MCSE or MCSA for buttons, any day of the week, stick him on site and have him maintain them. No special experience , no special skills. He leaves , get another.”
And this is exactly why many Microsoft products are potential security risks because people like you think almost everyone can maintain such installations.
Many Windows Admins have no clue what they are doing, just clicking a few buttons all day….
>>Many Windows Admins have no clue what they are doing, just clicking a few buttons all day….
People who make statements like this have never worked a day in their life in IT.
>>Many Windows Admins have no clue what they are doing, just clicking a few buttons all day….
>People who make statements like this have never worked a day in their life in IT.
i’ve worked in IT for years and it’s absolutely true – usually someone who is bored with their real job prefers to play around with their PC all day – next thing is that they’ve been upgraded to the office computer boffin and get asked to help with any PC problems. within a year or two they become an official admin.
same thing happened to me in an office – because i ‘fixed’ the printer once i got the nickname ‘inspector gadget’ and was asked to try and fix any computer problems which came up.
really embarrassing thinking back on it – trying for hours to copy a 10MB file onto a floppy and other such stuff.
but as i was at college at the time studying programming i was happy to fiddle around with computers rather than do the job i was there for (which was boring).
luckily – after 2 years of college my first job was a really varied support/programming job and i gained real experience as well as developing my programming.
Well all I got to say is I love exchange 5.5 running on an NT box any day and a Windows 2003 member server running Exchange 2003, cos It makes my job of supporting them much easier and I can never compromise on quality and ease of installation or the kind of security win 2k3 offers me…
VMware does make a product that’s meant specifically for this application. ESX server will run on any windows or linux machine and will have virtual machines running on top of it. VMWare Workstation is meant for just that… workstation.
There is also the GSX server which is a specific platform and customized linux kernel to run it. Although if you are getting ESX just to avoid upgrading Exchange 5.5 (and your domain) you may want to rethink it a bit.
Regarding ESX: I’ve run an Exchange 5.5 server under ESX server in production for several years. Similar to the setup above, all mail is proxied by a linux firewall (which also performs virus checking and spam filtering) before reaching the exchange server. This IS a workable solution, even if it isn’t optimal.
The real problem for Exchange replacements is authentication: none (as far as I know) integrate seamlessly into an NT domain for user authentication. Many users still on exchange 5.5 have also eschewed AD.
“I believe MS is supporting Exchange 5.5 through Dec. 31, 2005. At least that is what they have published and are telling their governmental clients.”
that’s accurate. http://support.microsoft.com/gp/lifesrvr
even exchange 5.0 goes til 12-31-05
Exchange Server 5.0 Enterprise Edition | 23-May-1997 | 31-Dec-2003 (See Note 31) | 31-Dec-2005 (See Note 31)
Microsoft Exchange Server 5.0 Standard Edition | 23-May-1997 | 31-Dec-2003 (See Note 31) | 31-Dec-2005 (See Note 31)
Exchange Server 5.5 Enterprise Edition | 3-Feb-1998 | 31-Dec-2003 | 31-Dec-2005 (See Note 4)
Microsoft Exchange Server 5.5 Standard Edition | 3-Feb-1998 | 31-Dec-2003 | 31-Dec-2005 (See Note 4)
first date is date of release, second is mainstream support cut off, and third date is the final date for extended support (paid).
i think 7 to 8 yrs of support is pretty good, don’t you? does anyone else provide that many years of support on their email system?
Take big truck.
Take out motor.
Put big hamster wheel like device in truck bed.
Put old worn out VW Beetle in wheel.
Enjoy!
Only Rube Goldberg would think about running this guy’s solution in a production environment.
Looking forward to next article – “enterprise accounting on WFWG”
What exactly is so great about Exchange 5.5 that upgrading to Exchange 2003 isn’t an option?
nuff said.
It is funny how so many people got their knickers in a bunch over this piece.
Sure, this solution is a hack, but it works and can support a small organization without compromising stability. If you are a large organization, you have moved to Exchange 2000/2003 already or better yet Postfix/Cyrus/LDAP/iCal.
I really think it is strange that people are mentioning other solutions that cost as much as a full upgrade to Exchange ’03. This solution costs a small company very little, yet there is no compromise on stability, the only hit has been performance which is mitigated by offloading mail handling to the true mail server (postfix/cyrus).
Remember this solution is aimed at small companies trying to extend the life of a product that they are locked into. MS no longer supports Exchange 5.5, they do offer special paid support until Dec. 2005, but if you are willing to pay those prices, you would lay out the cash for a new server (with gigs of RAM and tons of drive capacity), purchase Windows Server 2003 and Exchange Server 2003, and of course buy the CALs.
The reality is many small companies (with less than 40 users) use Exchange 5.5, but think it sucks that they must spend close to $10,000 USD to run the new Exchange, when the old Exchange is doing what they want. Don’t even try to mention SBS, because all in one servers from MS are a load of crap and about as stable as J Dahmer.
I think Exchange is a hack, each new version is better than the last, but a server should not need to be rebooted monthly, and Windows Server needs reboots. I also think Outlook sucks, its support of LDAP is a joke and for some reason (vendor lock-in?) IMAP support still is funky.
The most progressive companies I deal with have migrated away from Outlook and Exchange, but baby steps saved a lot of headaches. This is a baby step that is easy to implement. I can set up the whole system with 20 users in about 4 hours. The maintenance is no worse than running Exchange by itself.
I’ve run this solution at over a dozen companies. Exchange only works as shared addressbook and calendar server, since its mail handling capabilities have always been sub-par. I’ll bet that my uptimes are equal or better than pure Exchange 2000/2003 shops. I’ll also bet that this solution costs less in TCO than a 2003 Exchange setup. Learning Active Directory isn’t free and Exchange 2003 is as different to Exchange 5.5 as Kolab2 is.
Everybody should calm down and look at it for what it is, a baby step hack that eases the transition from proprietary non-standard(s) based mail to OSS, standards based mail.
Cheers,
Alex
Why can one run Linux MTA/MTU and Exchange Calendaring? Sure you get borked with the CAL prices but doesn’t that come with Outlook?
-nX
must agree with some previous comments.
we had a client with infected windows exchange server.
we put a via mini-itx based debian stable machine on the network to receive the email and forward it on initially.
but now – replaced the windows server with debian, samba, postfix, courier-imap.
for the users that’s all they need – hot-desking/roaming profiles all works – all shared folders are as normal – pick up email from any PC etc.
and that’s with a mixture of windows 98 and XP PC’s as clients – i don’t think windows own server stuff will do that!
it was a couple of weeks before the office manager asked if the new server ran windows – apparently he’d gone to the server but was confronted with the console based login prompt – which meant that he left well alone – another bonus!
also, we have almost finished setting up a second machine to act as a hot swap backup – all data and emails will be synchronised every night.
of course – if this was MS then the client would not have stumped up the license fees just for a backup machine – i mean spending $4000 on the primary server licenses would be bad enough – but spending the same again for a backup would not have happened.
instead they spent the money with us and we put in a FLOSS replacement AND got the hardware for them!
“but a server should not need to be rebooted monthly, and Windows Server needs reboots.”
Where the heck do you get this? We never have to reboot the server.
wow I can’t believe this…
i like real discussions based on real solutions…
I have not even got round to reading the article yet.. but there is one thing that the VMWARE machine which in the future will be very very useful…
instant backup of the machine while its running… clone the machine as many times as you want during the day…
I’d like to say samsung contact was good but I did research it (about two years ago) spoke to them at linuxexpo in london… got the software on free cd etc..
I can’t for the life of me think why but there was some features that were missing… that as in V7 don’t know how much this has been changed since..
“But, I can hire an MCSE or MCSA for buttons, any day of the week, stick him on site and have him maintain them”
this is an advantage..
but then again… there’s also the downside that you could have upgraded to 2000 and then to 2003…
and if you’re paying per licence you’re shelling out a fortune to MS…
yes ur staffing costs are low but your licensing costs are (or should be) sky high….
every inbox needs a cal, every OWA user needs another cal.. connection needs a cal every admin needs a cal…
now can you see where you’re losing money….
moving from 5.5 and nt4 to windows 2003 and exchange 2003 for small businesses is you also have to have Active Directory…
another minefield just to have a working MTA…
>And this is exactly why many Microsoft products are potential security risks because people like you think almost everyone can maintain such installations.
Many Windows Admins have no clue what they are doing, just clicking a few buttons all day….
This is patently untrue. There is absolutely nothing inherently insecure about Either Exchange or Windows2000 and above. Patches come regularly and are easy to install.
>> Many Windows Admins have no clue what they are doing, just clicking a few buttons all
>> day….
> People who make statements like this have never worked a day in their life in IT.
Why not?
Hey,
I discussed this at a local VMware seminar recently and they said the license for VMware Workstation doesn’t allow one to run a server in it. So you’d have to upgrade to GSX and that’s noticeably more money.
Running another machine, even a lower end one, would probably be a better choice, or switching more of your systems to VMware and loading it in with it even better.
For the worries about Exchange 5.5, I’d probably just upgrade to something newer than try to hack things together like this, IMHO.
-m
VMware Workstation will happily run NT4 server, we’ve used it for app development.
X