[HLUG] Content filtering server, email server, domain controller

Andrew Hodgson andrew at hodgsonfamily.org
Mon Feb 9 22:16:35 UTC 2009


Paul Stenning wrote:

>Hi all,

>I am looking into what is needed for a new server requirement at work
>later this year.  If possible I would like to do as much as possible
>with Linux and open source, and just use virtualised Windows for the
>areas where Linux can't be used.  Some of the requirements are:

Do you want free solutions or are you happy to pay?

>Domain controller:  The clients are all Windows (will be XP Pro or Vista
>Business) and we want to have a proper login system whereby people can
>use their username and password on any PC and get their own desktop,
>files and settings etc.  This is the sort of thing that Windows domains
>do well.  Can it be done in Linux or would we need a Windows server for
>the domain controller?

I have had moderate success using Samba and OpenLDAP in a mixed 2000/XP network at home; however, it did need a lot of nursing, and some of the XP service packs broke it - mainly due to signed communications requirements between the domain controller and the clients.  I never managed to get Active Directory domain services up and running solely on Samba, but that may have been my incompetence.  Roaming profiles wouldn't work correctly, or if they did, the clients tended to spend most of their time logging in or out, though they did that on this new Windows 2008 based SBS network :).  Unless you need to use roaming profiles, I would avoid them now.

>Email:  Currently the clients use Thunderbird to access email directly
>from the web server using IMAP and send using SMTP.  We would like to
>have our own email server which fetches email from the web server
>(probably using POP3) every few minutes and which the users connect to
>using Thunderbird and IMAP as now.  We would like to be able to retain
>messages that the users delete for a period of time and to be able to
>back up all email reliably.  We really do not want to head down the
>Exchange/Outlook route.  What are our options with Linux?  Ease of
>configuration would help of course!

You are in a good position here because you are already using open standards for your email.  Had you been using Outlook already, or were sucked into an Exchange user base, I don't believe there would be much option.  A couple of years ago at work we developed a Linux-based email system running on Scalix.  This for the majority of users works well; however, for mobile users who want Blackberry or ActiveSync support this is a nightmare, plus some of the Outlook hacks that were done to make Scalix work are causing some other applications to fail viz Outlook integration.  We are now having to back out of this and get an Exchange solution :(.

The easiest mail system to back up uses either mbox or maildir formats.  There are howto guides for Ubuntu in fixing together a mail server (usually based on Postfix/Dovecot).  I am also fond of the Qmail Toaster <http://www.qmailtoaster.org>, though this is for CentOS/SUSE only currently.

Don't use POP3 for mail retrieval to the mail server; arrange for a direct SMTP feed instead.  It will look daunting at first, but is actually easier than doing Fetchmail from several POP boxes and hoping they reach the right place on the server.

>Web content filtering:  We want to limit the websites users can access.
>  Some sites (adult, illegal content etc) would always be blocked, most
>others would be allowed for a certain amount of time each day (say one
>hour to allow people to use Facebook, BBC News, Amazon etc during lunch)
>and a selected few would be accessible all the time (the ones needed for
>work).  We would need to be able to override the 1 hour restriction on
>an ad-hoc basis easily if someone needs more access on a particular day.

There are several solutions for this; Squid and DansGuardian work very well if you want to play with the system and tweak it.  The commercial version of that is found over at www.smoothwall.net as part of their product line.  If you just want the content filter it is called Smooth Guardian, and it is very feature rich and gives you a lot of control over what happens, as well as good reporting (including graphical reports/charts etc).  Another product that does this is Untangle http://www.untangle.com; I have read good things about this, but couldn't get on with its interface.

>File sharing:  That's easy enough - Samba.  It needs to link into the
>domain controller stuff though so it follows password changes.

I use a server running Samba here and it integrates well with my 2008 Active Directory domain.

[...]

>Eset anti-virus management:  That will have to be done with Windows in
>vmware (or virtualbox if I can get it to work).

Also take a look at VirtualIron, a cheaper version of VMware (though ESXi is now free on specific hardware), but it has the support that VirtualBox lacks.

>Backup:  On my home server I am using Simple Backup to backup to a
>removable USB drive every day.  It works reasonably well except it has
>no way of notifying if the backup disk is full.  Backing up to tape
>would be useful but there seems to be a shortage of easy-to-configure
>tape backup applications.  It obviously needs to back up the email,
>documents and all user desktop settings etc.

Look into disk backups, or offsite backups as an alternative to tapes.  I currently do a Windows based backup, then, using the Samba server as a storage server for the backup, rsync the contents to a server I have off-site overnight using an SSH connection.  Not sure whether this would be sufficient for a small business, but I am also looking into using Amanda http://www.zamanda.com to do backups from the Windows server, and using the central Samba server to store the backups offsite using Amazon S3 or similar.

I know someone who has a similar setup, but he got a Windows Home Server, which does a very good job of making incremental backup images of all his kit (including the Windows based servers as well).

>If I can do most of this with Linux I will probably go for Ubuntu Server
>8.04 LTS as that's what I'm familiar with.  CentOS is another possibility.

That will cover most requirements.

There are products out there that try to do the small business server thing - http://www.contribs.org and http://www.clarkconnect.com for example, but I wish that some of these could be made into smaller projects, that wouldn't for example try and take over the whole network.

Hope this helps,
Andrew.


