I am evaluating Scalix as a secure Exchange replacement, but I have a few concerns. First, is it possible to use the distribution daemon rpms instead of the rpms included with the installer? From the wiki I see that it is possible with the "CE Raw" and "CE Preview" editions, but we need to use the commercial addition. I assume attempting this would invalidate any attempts at getting support. Is this a correct assumption?
If we assume that the included rpms are used:
1) How often are the packages updated? How are patches handled? How quickly can we update a system that has a daemon with 0day exploit. Do we have to wait for the next release from Scalix? Can we get source rpms that we can patch if needed?
2) Do the included rpms have selinux labeling enabled so that we can take advantage of the target mode selinux infrastructure?
Thanks!
Ryan
Scalix Security
Moderators: ScalixSupport, admin
-
chris
- Scalix Star
- Posts: 321
- Joined: Mon May 09, 2005 2:56 pm
- Location: Freiburg, Germany
Hi Ryan,
this answer will be somewhat incomplete, so I hope somebody else will chime in.
Let's look at what packages we distribute and break it down. (I've snipped away the packages for other architecture for brevity - just one of each package)
(cmeid@localhost)(158/ttyp1)(11:29P:11/02/06)-
(%:~)- find software/scalix/scalix-core-11.0.0/ -name \*rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-mobile-11.0.0.458-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-platform-11.0.0.438-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-postgres-11.0.0.437-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-res-11.0.0.457-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-sac-11.0.0.457-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-server-11.0.0.196-beta.rhel4.i386.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-sis-11.0.0.436-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-swa-11.0.0.434-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-tomcat-5.5.16-43.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-tomcat-connector-11.0.0.36-1.rhel4.i386.rpm
software/scalix/scalix-core-11.0.0//third_party/jre/i386/jre-1_5_0_06-linux-i586.rpm
software/scalix/scalix-core-11.0.0//third_party/libical/i386/libical-0.24.RC4.20050413-1.i386.rpm
software/scalix/scalix-core-11.0.0//third_party/lynx/i386/lynx-2.8.5-27.1.i586.rpm
The scalix-postgres package is not a postgres server, just the specific configuration for Scalix. You still use the normal postgres-server package from your distro.
The only package in there likely to be in your distribution is tomcat. Looking at Mitre, http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tomcat, there have not been a huge number of tomcat vulnerabilities. Several require direct access to non-standard ports like 8009 which should be firewalled at the perimeter anyway. We use the apache connector to access tomcat, so the regular apache daemon from your distribution is listening on the net, connecting to tomcat in the background. If there were some 0day format string or something on tomcat, you should be able to replace it with a security fixed release of the same major version as we distribute. In the unlikely event the fix would break SWA or SAC, I can certainly say that I'd prefer to work with tomcat in that arena than IIS from a security perspective.
That's the only non-standard package facing the net, and it dosn't open any sockets directly to the outside.
As far as our smtpd, in a large enterprise deployment it is never good security practice to have your enterprise email system facing the net directly, so you should have a postfix (or whatever flavor MTA tastes good to you) relay sitting in a DMZ relaying mail in and out. In the event an exploit on the Scalix smtpd mail processing engine would become public you can bet your tail that we'd be getting fixes out posthaste.
As to your second question, SELinux is not currently supported.
If you have any more questions, feel free to post. I did enterprise security in a previous life and am always happy to discuss.
Hope this helps,
Chris
this answer will be somewhat incomplete, so I hope somebody else will chime in.
Let's look at what packages we distribute and break it down. (I've snipped away the packages for other architecture for brevity - just one of each package)
(cmeid@localhost)(158/ttyp1)(11:29P:11/02/06)-
(%:~)- find software/scalix/scalix-core-11.0.0/ -name \*rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-mobile-11.0.0.458-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-platform-11.0.0.438-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-postgres-11.0.0.437-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-res-11.0.0.457-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-sac-11.0.0.457-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-server-11.0.0.196-beta.rhel4.i386.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-sis-11.0.0.436-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-swa-11.0.0.434-1.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-tomcat-5.5.16-43.noarch.rpm
software/scalix/scalix-core-11.0.0//software/scalix_server/scalix-tomcat-connector-11.0.0.36-1.rhel4.i386.rpm
software/scalix/scalix-core-11.0.0//third_party/jre/i386/jre-1_5_0_06-linux-i586.rpm
software/scalix/scalix-core-11.0.0//third_party/libical/i386/libical-0.24.RC4.20050413-1.i386.rpm
software/scalix/scalix-core-11.0.0//third_party/lynx/i386/lynx-2.8.5-27.1.i586.rpm
The scalix-postgres package is not a postgres server, just the specific configuration for Scalix. You still use the normal postgres-server package from your distro.
The only package in there likely to be in your distribution is tomcat. Looking at Mitre, http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tomcat, there have not been a huge number of tomcat vulnerabilities. Several require direct access to non-standard ports like 8009 which should be firewalled at the perimeter anyway. We use the apache connector to access tomcat, so the regular apache daemon from your distribution is listening on the net, connecting to tomcat in the background. If there were some 0day format string or something on tomcat, you should be able to replace it with a security fixed release of the same major version as we distribute. In the unlikely event the fix would break SWA or SAC, I can certainly say that I'd prefer to work with tomcat in that arena than IIS from a security perspective.
That's the only non-standard package facing the net, and it dosn't open any sockets directly to the outside.
As far as our smtpd, in a large enterprise deployment it is never good security practice to have your enterprise email system facing the net directly, so you should have a postfix (or whatever flavor MTA tastes good to you) relay sitting in a DMZ relaying mail in and out. In the event an exploit on the Scalix smtpd mail processing engine would become public you can bet your tail that we'd be getting fixes out posthaste.
As to your second question, SELinux is not currently supported.
If you have any more questions, feel free to post. I did enterprise security in a previous life and am always happy to discuss.
Hope this helps,
Chris
Who is online
Users browsing this forum: No registered users and 3 guests