#16

On Wed, 30 Jul 2008 21:23:12 -0700, "SteveB" <newsgroup> wrote:

>I have 3 UT boxes (not VMs) installed at clients. It works very well. You
>can't beat 14 free open source apps including antivirus and antispam.

Does the AV/AS work as a separate SMTP MTA, or does it just inspect the traffic going over the port 25 to the Exchange box?

We are currently using an ASA and SpamTitan to do the spam fighting, we want to move the ST box to a Vmware image on a Dell server, but also would quite like to get proxy logging/per user filtering as well.

Just tried the demo Untangle site and got several Java errors.

Andrew.

#17

It is inline between the internet and your SBS and inspects whatever traffic you specify with the various modules that are installed. For AV/AS that is SMTP traffic and can be configured for POP3 traffic as well.

"Andrew Hodgson" <me3> wrote in message news:fs04 [..]

#18

Andrew Hodgson wrote:

> On Wed, 30 Jul 2008 21:23:12 -0700, "SteveB" <newsgroup>
> wrote:
>
> Does the AV/AS work as a separate SMTP MTA, or does it just inspect
> the traffic going over the port 25 to the Exchange box?
>
> We are currently using an ASA and SpamTitan to do the spam fighting,
> we want to move the ST box to a Vmware image on a Dell server, but
> also would quite like to get proxy logging/per user filtering as well.
>
> Just tried the demo Untangle site and got several Java errors.
>

All Linux machines run a full SMTP MTA, Exim in this case, and the normal configuration of both ClamAV and SpamAssassin is to be called by the MTA. Untangle is based on Knoppix, which in turn is based on Debian, which does things the normal way. For Untangle to be organised otherwise would be odd. Not impossible, just odd.

Exim has considerable flexibility in its behaviour during the SMTP transaction, and for it not to be involved in email sanitation would be inconceivable. It deals with well over 99% of my spam/malware without using SpamAssassin or any other content filtering.

#19

On Fri, 01 Aug 2008 20:51:36 +0100, Joe <joe> wrote:

>Andrew Hodgson wrote:
>
>All Linux machines run a full SMTP MTA, Exim in this case, and the
>normal configuration of both ClamAV and SpamAssassin is to be called by
>the MTA. Untangle is based on Knoppix, which in turn is based on Debian,
>which does things the normal way. For Untangle to be organised otherwise
>would be odd. Not impossible, just odd.

I have seen other UTM devices which inspect the traffic going over the network to the destination SMTP port, and can dynamically add or take bits away from the message, before passing it to the Exchange or whatever server on the inside.

This is different from having the MX records pointing at the Untangle box, letting Untangle deal with the message and then passing it to the Exchange server, which is currently how our SpamTitan works.

So are you saying that when for example you view the headers of a message that went through the Untangle server with AV/AS enabled, you can see the extra hop of the Untangle server? This is contrary to what I imagined, and what another poster on the NG said.

Thanks.

Andrew.

#20

Andrew Hodgson wrote:

> On Fri, 01 Aug 2008 20:51:36 +0100, Joe <joe> wrote:
>
> I have seen other UTM devices which inspect the traffic going over the
> network to the destination SMTP port, and can dynamically add or take
> bits away from the message, before passing it to the Exchange or
> whatever server on the inside.
>
> This is different from having the MX records pointing at the Untangle
> box, letting Untangle deal with the message and then passing it to the
> Exchange server, which is currently how our SpamTitan works.
>
> So are you saying that when for example you view the headers of a
> message that went through the Untangle server with AV/AS enabled, you
> can see the extra hop of the Untangle server? This is contrary to
> what I imagined, and what another poster on the NG said.
>

Not at all, I've never seen one, and while it looks interesting, I do not foresee having the time to download and play with it in the near future.

What you describe is a man-in-the-middle attack, and I do know that a considerable amount of work would need to be done to allow SpamAssassin and ClamAV to operate reliably in that way, in real time, if that is actually possible. Neither virus detection nor serious spam detection can be carried out on the fly, byte by byte. The complete email, including headers, must be stored for a period, to allow spam and virus detection to be carried out, and that might as well be done by tested and reliable mail-server code as by something specially written for the purpose.

I would certainly not consider the security-in-obscurity gain in keeping the UTM device invisible to be worth the reduced reliability that the insertion of new software would inevitably bring to SMTP, but of course I can't speak for anyone else. I'd suspect that at least some of these devices don't actually perform MITM procedures but simply don't add Received: headers to the email.

The greater part of spam elimination, after all, lies in the nuts and bolts of the SMTP transaction, and while the Exchange code may be capable of much more than it offers via the dialogue boxes, that's no use if you can't configure it. Exim uses the usual OS means of configuration, which is as flexible as your imagination.

But all the speculation in the world is worth nothing compared to someone who knows for sure...
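
The header check the posts above discuss (whether a filtering box shows up as an extra hop), as an added example that is not part of the original thread: it walks the `Received:` chain of a message and reports which hosts recorded themselves. The two messages, the host names under example.com/example.net and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: delivery through a store-and-forward filter (hypothetical hosts).
RELAYED = (
    "Received: from gateway.example.com (gateway.example.com [192.0.2.10])\n"
    "\tby exchange.example.com with ESMTP id CONSTRUCTED2;\n"
    "\tFri, 01 Aug 2008 20:52:05 +0100\n"
    "Received: from mail.sender.example.net (mail.sender.example.net [198.51.100.7])\n"
    "\tby gateway.example.com with ESMTP id CONSTRUCTED1;\n"
    "\tFri, 01 Aug 2008 20:52:01 +0100\n"
    "From: alice@sender.example.net\nTo: bob@example.com\nSubject: constructed\n\nbody\n"
)
# Constructed sample: same delivery where the filtering device added no header.
INLINE = (
    "Received: from mail.sender.example.net (mail.sender.example.net [198.51.100.7])\n"
    "\tby exchange.example.com with ESMTP id CONSTRUCTED3;\n"
    "\tFri, 01 Aug 2008 20:52:03 +0100\n"
    "From: alice@sender.example.net\nTo: bob@example.com\nSubject: constructed\n\nbody\n"
)

_CLAUSE = re.compile(r"\b(from|by|with)\s+(\S+)", re.IGNORECASE)
_COMMENT = re.compile(r"\([^()]*\)")

def received_hops(raw):
    """Return the Received: hops oldest-first as dicts of from/by/with/date."""
    hops = []
    headers = message_from_string(raw).get_all("Received", [])
    for value in reversed(headers):          # newest header is first in the message
        text = " ".join(value.split())       # unfold continuation lines
        clauses, sep, stamp = text.rpartition(";")
        if not sep:                          # no timestamp separator present
            clauses, stamp = text, ""
        hop = {"from": None, "by": None, "with": None, "date": stamp.strip()}
        for key, val in _CLAUSE.findall(_COMMENT.sub(" ", clauses)):
            if hop[key.lower()] is None:     # keep the first occurrence of each clause
                hop[key.lower()] = val.lower()
        hops.append(hop)
    return hops

def hop_visible(raw, host):
    """True if `host` recorded itself as a receiving MTA in the header chain."""
    return any(h["by"] == host.lower() for h in received_hops(raw))

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("inline", INLINE)):
        print(name, [h["by"] for h in received_hops(raw)],
              hop_visible(raw, "gateway.example.com"))
```

A missing hop only shows that no `Received:` header was added; as the last post suggests, it does not tell you whether the device relayed the message or inspected it in transit.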