SME Server

Introduction

This page is intended for anyone who does or supports all the IT "stuff" at a small business and it assumes some familiarity with Windows networking concepts. ;-)

SME Server (Small to Medium sized Enterprise) is an Open Source answer to Microsoft's Small Business Server, except that it's free and it actually works.  It runs on any old Pentium computer you have lying around (see Hardware Requirements) or can buy for next to nothing, and is much more stable and secure out-of-the-box than the Microsoft version.

This thing is Really Cool!  See the Mitel web site, especially the design and architectures links on the upper left.

Features/Pros

The list below is based on my own observations, with some content adapted from the Mitel introduction and SME Server v5.5 Release Announcement.

  • It's FREE, and there are no licensing restrictions.  How much time do you waste keeping track of the minor legalities of using Microsoft software?  Well, you're still stuck with it on your desktops if you use Windows and Office, but at least you can get rid of it for your server!  (Get rid of MS Office too, and use OpenOffice, a fully compatible and free office suite.)
  • The security and stability of Linux, tuned to work as a plug and play back-end for Windows desktop clients, and administered via a fast and well designed Web tool (you don't need to know anything about Linux/UNIX to run this!).
  • Based on RedHat 7.2, but with a RedHat 7.0 kernel (see Cons).
  • Installs via a single bootable CD-ROM, though you can create a boot diskette if your server can't boot from a CD.  (Small con within a pro, you need to be able to download a 200+ meg "ISO" image, verify the md5sum, and then "burn" it to a CD.  This is actually a lot easier than it sounds.)
  • Provides Windows 2000 and XP domain logons and file and print-sharing--As far as your Windows desktop PCs are concerned, SME Server looks like an NT or Windows 2000 server (no Active Directory)!  You don't need any Windows servers, but if you have one or more Windows servers, SME Server works with them too.  See The role of the SME Server.
  • Macintosh file and print-sharing--Via AppleTalk over TCP/IP.
  • End Users may change their password using a secure Web-Based form.
  • You can enable User disk space quotas. (It took MS years to finally add this to Windows 2000--NT never had it built-in.  Pet Peeve: how can you claim something as a "Network Operating System" when you can't even provide something as simple as disk-space quotas???)
  • Internal e-mail server and Internet accessible webmail (via IMP) for your users.
    • sendmail - Given the number of security vulnerabilities reported in sendmail over the years, they used qmail and mailfront (was obtuse-smtpd), both of which have been designed from the beginning with security in mind.
    • The e-mail server is configured as a closed relay out-of-the-box.  This means that spammers can't use your system to forward spam and get you into trouble with your ISP and the world in general.
  • Secure remote access via SSH, HTTPS and PPTP (128 Bit only, 40 not allowed).
  • Web Server hosting, with virtual domains if necessary.
    • Apache, with SSL and PHP pre-configured
  • FTP Server hosting
    • wu-ftpd - Like sendmail, wu-ftpd has suffered from security flaws over the past years. They chose proftpd as a replacement because of its focus on security as well as their ability to more easily configure it to limit access.
  • Information bays or i-bays are a "unique feature built into your SME Server V5 with ServiceLink. i-bays are a powerful, simple, flexible mechanism for creating distinct information-sharing sites."  They easily allow different virtual web or FTP sites, file sharing between different groups, etc.  Much easier than trying to tie all this together using either Windows or typical Linux/UNIX servers and services.
  • The Squid caching proxy server (on port 3128) is installed.  Unless you have a large disk, and a number of users who visit the same sites, this won't do you much good, but it's nice to have just in case.
  • Support for an NTP server to automatically keep the date and time correct.  Your Windows clients can then set their own time off of the SME Server.  See my Time Sync page for how to do this.
  • Easy system recovery:
    • Optional software RAID 1 (disk mirroring) using two identical IDE or SCSI hard drives.
    • Emergency boot diskette--Boots the server if the MBR (Master Boot Record) is somehow corrupted.
    • Emergency re-install diskette--Allows you to re-install the system the same way you did originally.
    • Easy backup and restore either via a tape drive or a large compressed file backed up to a workstation with a (very) large hard drive.  Tape is better, because you can keep a copy off-site.
    • To recover or restore, you re-install the system using the CD and the re-install diskette, then restore the backed up tape or file. Note that Linux/UNIX systems are not like Windows.  You should never need to re-install just to fix some stupid, unpredictable software error.  You should never need to reboot to fix same either.
  • The entire system is formatted with the Linux ext2 file system, which never needs to be defragged.
  • The following UNIX services are running on the base system (this is actually a pretty small list for a UNIX server): afpd, atalkd, crond, dhcpd, httpd, klogd, ldap, lpd, mingetty, mysqld, named, nmbd, ntpd, papd, qmail, smbd, smtpfwdd, squid, sshd, syslogd, xinetd.
  • ServiceLink service that provides 24x7 server monitoring, DNS, Anti-Virus, e-mail, IPSec VPN and other services.  This is a really cool business model.  They built SME Server to provide a standardized and remotely supportable customer premises server.  They have to maintain it anyway, so why not give away the software and then provide the services on the back-end?  This is a recurring revenue stream that takes great advantage of economies of scale, and allows them to give something back to the community as well.  Really nice work!
  • ServiceLink and the Mitel resellers also provide technical support, network consulting and system integration, should you need any of those things.

Cons

  • No DDNS (Dynamic DNS) between the internal DNS and DHCP servers.  This requires ISC DHCP v3 or better, which RedHat inexplicably doesn't even have in v7.3, let alone 7.1 or 7.0 (it IS finally in RH8).  This is the one thing I can think of that the MS product can probably do that SME Server can't.  When your internal clients get DHCP addresses, they are not added to DNS, so they can't talk to each other.  However, in Microsoft Networking (i.e. SMB, AKA CIFS) WINS also performs name resolution functions, so the lack of DDNS may not be that big a deal.  It still bugs me.
  • No support for ISA network cards.  (No big deal, use $20 PCI cards instead.  See the Hardware Requirements, especially Supported Ethernet Adapters.)
  • For various pretty good reasons, they are still using the Linux 2.2 series kernel.  The biggest impact this has is that they have to use IPChains, which is not stateful, instead of kernel 2.4 and IPTables, which is stateful.
  • No man (manual) pages.  In the rare event that you would need to log in to a command line on the machine, there are no man pages.  In normal use you will probably never need to do this, but if you are intending to learn how to use Linux/UNIX, then this is probably not a good solution for you.  (Pro within a Con: if you don't care to learn Linux/UNIX, then this is a good solution for you!)

Security

My one major concern about the security of SME Server v5 is that it claims to be a firewall.  Technically it is, sort-of.  But if you use SME Server as both your firewall and your main production server on the same box, you are violating the first and second rules of firewall design:

  1. Never, ever, ever, ever, ever, run a web server on the same box as a firewall server!!!!  I can't stress this enough.  Web servers are designed from the ground up to give people things.  They suck at not giving people things, which is what a firewall is supposed to do.  Now repeat after me, "I promise never to run a web server on my firewall!"
  2. A firewall server is a firewall server--nothing that isn't part of the firewall should run on it.  This includes split-zone DNS servers, web servers (gasp), etc. but may not include web, FTP and other proxies if they are part of the firewall itself.

My other security concerns are that the firewall is not stateful, the firewall rules are not configurable, and I don't see an easy way to turn off services (like AppleTalk) that you are not using.  Why stateful firewalls are more secure than non-stateful ones is out of the scope of this paper--just trust me; they are.  Go Google it if you don't believe me.  The inability to configure firewall rules may not be that big a deal for your environment, but I don't like not at least having the option.  As far as services (UNIX calls them daemons) are concerned Mitel has done a great job turning off most services that are not needed, and they also made sure the Evil Services like NFS and the "r" services are not even installed.
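To make the stateful point above concrete, here is a toy packet-filter model added as an illustration (it is not code from the page or from SME Server): an ipchains-style filter that judges each packet on its own, beside an iptables-style filter that remembers outbound connections and admits only their replies.  All addresses, ports and rules are constructed for the example.

```python
# Toy model of the two filtering approaches the Cons section contrasts:
# an ipchains-style stateless filter versus an iptables-style stateful one.
# Every address, port and rule below is constructed for illustration only.
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."  # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # SYN set without ACK: a fresh connection attempt


def stateless_allow(pkt: Packet) -> bool:
    """ipchains-style: decide from the packet alone, with no memory of earlier packets.
    Outbound traffic is allowed; inbound is allowed only to unprivileged ports and
    only when it is not a connection attempt (the classic '! -y' style rule)."""
    if pkt.src.startswith(LAN_PREFIX):
        return True
    return pkt.dport > 1023 and not pkt.syn_only


class StatefulFilter:
    """iptables-style: remember outbound connections and admit only their replies."""
    def __init__(self) -> None:
        self.conntrack: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(LAN_PREFIX):          # outbound: allow and track it
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.conntrack            # inbound: only tracked replies


def compare(packets):
    """Return (stateless_verdicts, stateful_verdicts) for a packet sequence."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]


# Constructed traffic: a LAN client's web request and its reply, then two
# unsolicited packets from the Internet aimed at services on the server itself.
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, True),    # outbound request
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, False),   # its legitimate reply
    Packet("198.51.100.7", 80, "192.168.1.1", 3128, False),    # unsolicited, no SYN, to squid
    Packet("198.51.100.7", 5555, "192.168.1.1", 139, True),    # connection attempt to smbd
]

if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE, *compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={a} stateful={b}")
```

The third packet is the interesting one: it carries no SYN and targets the squid port (above 1023), so the stateless filter has no basis to refuse it, while the stateful filter rejects it simply because no inside host ever opened that connection.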

One possible solution is to run 2 copies of SME Server (after all, it's free and you already have it, so why not?), one as your "server" and the other as your "firewall."  The problem with that on the firewall side is above--it's not stateful, you can't turn off most of the "built-in" services, and you can't configure the firewall rules.  Instead, I recommend using some other free firewall (see my GNATBox Firewall Installation Quick Reference and SOHO Security pages) and use the SME Server on the inside of your network, where it is just totally awesome!

One other security concept is that of a "DMZ" or demilitarized zone.  You run Internet-accessible services such as Web servers on that network, which is different from your LAN and protected by the firewall.  If your web server is on your LAN and is compromised, you're toast.  If it's on a DMZ, the DMZ is toast, but your LAN is not!  Unfortunately, the free version of GNATBox does not support a DMZ, but you can see my SOHO Security page for other firewalls that do.  Also unfortunately, proper configuration of a DMZ is a little more complicated than just throwing the server on the LAN and calling it a day.

However, you should be able to implement a pretty decent DMZ using a GNATBox and SME Server in parallel--a kind of "firewall sandwich."  I have not actually tested this, but there is no reason why it wouldn't work.  The caveats were already stated above--you can't configure the firewall rules, and getting everything to work might be a little tricky.  You need an external firewall and at least 2 SME Servers.  One acts as the web server and sits between the external firewall and the internal firewall/SME Server.  Note, if you put the web server on the internal SME server, you might as well not have bothered with the "DMZ."  A more detailed discussion is currently out of the scope of this document.  You should contact a qualified Network Security firm to help you implement such a solution if you want to.

SME Server makes it really easy to implement a firewall/web server/everything server all in one, so I suspect a lot of people will.  It's a bad idea, but it's a lot less bad to do this with SME Server than it would be to do it with Windows/IIS.  You have been warned.

Other Security Points

  • SME Server uses "Blades" as a really easy way to keep up-to-date with the latest patches.
  • Named runs as user "dns" and in a chroot jail.  In English, that means that if someone is able to compromise the DNS server (running named), they are not automatically root (i.e. Administrator) but just some lowly user with no privileges.  Also, they are locked in a small section of the file system where there is essentially nothing.  This is not useful to a hacker.
  • See above notes on the use of more secure replacements for WuFTPd and Sendmail.

Verdict

Read the above security section if you haven't already.  I recommend you use SME Server in "Server-only mode."  But for that role, it's really awesome.

If you support a small (or home) network and are looking for what I call a "services server" look no farther.  All of the basic network infrastructure services are covered (see features), it runs on cheap hardware and the software is free with no licensing restrictions.  It's much more stable and secure out-of-the-box than the comparable Microsoft solution, and it's easier to administer too.

The few minor disadvantages are far outweighed by the benefits.  Give it a try!

Links