Topic: Some General Questions from a newb

[John Doe]

Hi,

Just landed on SME, not installed yet , trying to decide on the correct approach on this package.

Some background Info ; We are a small company located in Africa and are setting up an NGO to put distance learning into very remote area schools. We are Australian but been here almost 20 years now and my wife has started from scratch a non profit College 17 years ago which is now a 600 pupil K-12 boarding school. Its the biggest of its type in the country and has a very high standard curriculum. Thats all well and good and the school is doing great. We dont make any money out of it, its a non profit setup - we just spend half our life involved in it, but its very rewarding. We now want to turn our attention to providing more opportunity for disadvantaged students in the very remote areas of the country. This is where we need some help and guidance.

We will be providing the Internet connection via VSAT (Satellite connection). Some complications with this though. We need two connections (have already arranged this and ready to go with it) We will have Internet from UK so that we can get learning materials from various places and testing etc on-line and we have a local connection setup so the College in the capital can communicate with the small community schools in the remote areas. We want to bring the students together on-line. So two connections.

We are most interested in SME as our platform for this work we want to do. We are NOT Linux people at all but understand a little of whats going on (read read and read some more - its amazing what you can pick up ). We have hired a young guy who is Linux mad but he is still learning but he seems to be able to grasp the ideas and concepts surrounding Linux so we want to give it a go.

I understand SME is *NOT* multi WAN. We thought this was a problem so went to look at CLEAR OS and have this setup and running on a test server to see what its all about. CLEAR is multi wan - however i just have a gut feeling SME is better suited to us. We want to run Moddle (new to this package as well but seems ideally suited to what we want to do )and i see DUNGOG have this package ready to load onto SME and i think we are going to need a lot of support , hence trying to contact them to consult with them in depth. However if i can ask some questions here it will help us understand some of the issues better so i can ask more intelligent questions to DUNGOG.

Because we need two connections via satellite for various reasons ( long story but its needed ) we need to direct traffic to two different satellite links. SO we need multi wan. OK so SME does not do it. I read an interesting post here on the forums about using PFSENSE in front of SME to give the multi wan setup. SO i researched PFSENSE and am sold on this approach. If we split the firewall onto a separate server and use SME for email, file serving, print serving and moddle (probably other uses as well we dont understand yet) what do we lose on SME from this approach? Is it better to use Squid and Dans Guardian on the PFSENSE box and take this away from SME? OR do we do the PFSENSE box strictly for firewall and mulit wan and leave Squid proxy and Dans etc on SME ? What is considered best practice on this type of setup?

Next issue we cant really figure a way around. We want to run the email server locally - our first lessons are to teach the kids about email and what it is , how to use it etc etc. SO the server locally is a way to conserve (very expense ) bandwidth over satellite until such time as the lesson comes around where we take them online and email to other schools we are approaching in UK to be partner schools with. Problem is when we do go online to bring in other schools then expand to let them email there own friends relatives in far away places we will have to deal with spam.  We dont want our satellite bandwidth used up downloading 10,000 spam messages a day. We think we should have an email domain hosted in UK to filter spam and Viruses etc then download the messages to the local server - but i read this is fraught with problems and issues and should be considered very carefully before going that route. So what do we do here ? I am open to any suggestions or pointers to places i can read more about this. Is there some way we can direct email to a spam scanning server first before sending onto the SME mail server - does something like this even exist? I doubt this could be done but who knows in the world of IP. How do we stop the downloading of huge amounts of spam to SME?These are kids who have never been exposed to email before - they are going to make every mistake in the book along the way so spam *WILL* be an issue and something we need to teach them about and how to protect themselves from - but until these ideas take hold i imagine spam will be a major headache for us.

So thats where we are at. Muddling along trying to work this all out - but its a bit confusing. Yes we are probably biting off more then we can chew, but if thats the case, we are going to chew like mad to get through it. We hope some of you may be interested enough in our program to offer some advice along the way. Sorry for long post but better to get it out upfront so you understand some of, what will seem to you, silly questions as we learn the ropes on all this.

Thanks

JD

[cactus]

Next issue we cant really figure a way around. We want to run the email server locally - our first lessons are to teach the kids about email and what it is , how to use it etc etc. SO the server locally is a way to conserve (very expense ) bandwidth over satellite until such time as the lesson comes around where we take them online and email to other schools we are approaching in UK to be partner schools with. Problem is when we do go online to bring in other schools then expand to let them email there own friends relatives in far away places we will have to deal with spam.  We dont want our satellite bandwidth used up downloading 10,000 spam messages a day. We think we should have an email domain hosted in UK to filter spam and Viruses etc then download the messages to the local server - but i read this is fraught with problems and issues and should be considered very carefully before going that route. So what do we do here ? I am open to any suggestions or pointers to places i can read more about this. Is there some way we can direct email to a spam scanning server first before sending onto the SME mail server - does something like this even exist? I doubt this could be done but who knows in the world of IP. How do we stop the downloading of huge amounts of spam to SME?These are kids who have never been exposed to email before - they are going to make every mistake in the book along the way so spam *WILL* be an issue and something we need to teach them about and how to protect themselves from - but until these ideas take hold i imagine spam will be a major headache for us.

If you are concerned about spam eating your costly satellite bandwidth, you will have to fight SPAM before you download the mail over your connection. You are mentioning that you are going to use a UK based provider, which means they will have to do the SPAM fighting before you download the mail (for instance using multidrop/fetchmail).

A benefit from this is that your mailserver will have a far bette ruptime than when you use SME Server as your main e-mail server, I am unfamiliar with sat connections but I doubt you will have the sat online 24/7.

The remote e-mail server does not prevent you from having the pupils try and send e-mails to their peers as when they are registered on the SME Server their mail can be handled and delivered locally which means that the satellite connection is not used for that.

what will seem to you, silly questions as we learn the ropes on all this.

There are no silly questions... just silly answers

A friendly piece of advice though if you like your questions read and answered I suggest you try and be a little more digest and to the point and make your questions stand out clearly.

I understand you want to explain the situation you are in and welcome that as context is often very handy when trying to grasp the situation, but I am not sure if we need to know about the outstanding performance of you and your wife and the excellent curriculum to answer your questions.

I will gladly answer questions but I find it a burden to read such a large amount of text, find the real question within and then cut and paste to have my replies in between.

[John Doe]

Hi Cactus,

Point taken.

 Long story yes, i just wanted to get it across that we are not dreamers with pie in the sky ambitions - we have the track record here - its not easy to get a 600 pupil school up and running in a third world country. So not trying to brag etc etc (what would be the point of that in a forum like this ??).

Just want you guys to understand we are serious, determined, and prepared to do what it takes. The project sounds ambitious so there is always the danger we may be brushed off - we dont want that - we really need your help. We are SME newbs and when it comes to Linux....well...But what choice do we have? really? MS - no no no

As i said it is just context so you can better understand why we are going in this direction. Saves lots of explaining later on why we want to do it this way or that. I do hear you though about too much reading. My mistake. Succinct next time.

Thanks for your input so far.

Sat connection is up 24/7 - wont be used 24/7 but it does run that way. The UK based provider is for the sat link. We are trying to understand how we should setup email so spam is handled before going over the satellite. An email domain in UK on a server there and then download to SME from there? Ideal but from what i read through this site, this has problems attached?

Thanks for the reply.

JD

[John Doe]

Hi Cactus,

Yes this is what we want to setup.

"The remote e-mail server does not prevent you from having the pupils try and send e-mails to their peers as when they are registered on the SME Server their mail can be handled and delivered locally which means that the satellite connection is not used for that."

The kids will use the local mail server to email each other and not use Satellite BW for that part of it all.  Mail directed to them from outside schools (ie UK based schools)will go via INTERNET and hit UK email server for AV and spam control then be delivered via Satlink to SME school server locally. If they do email outside of the local school back to UK the email will go over INTERNET Sat Link and hit UK mail server and do the usual email thing from there. Thats exactly what we want. Will that work without all sorts of workarounds and/or issues? Which packages should we look at? Anything to look out for that may cause a snag?

Thanks

JD

[hawk]

Hi JD

Where in Africa are you?
I support many schools & ngo's in SA,

If you are interested i can help, send a contact address.

Thanks Hawk

[janet]

John Doe

You may be overstating the "spam load" issue.
You are creating the problem before it necessarily exists.

Read the Email FAQ and see the section on RBLs DNSBL etc.
The majority of spam can be rejected at the smtp transaction level by RBL lookups. Only a small amount of data is sent per message transaction, rather than the whole message needing to be sent. If the sender is listed on an RBL then the message is rejected by sme server (and the message is never sent to sme).

Note there are other spam filtering techniques in use on sme server, eg spamassasin, which also can reject messages at the smtp level (low data overhead), but further spamassassin filtering to the junkmail folder does require the full message to be downloaded (AFAIK).

There is also executable content rejection, to stop your server accepting messages with various exe type content or attachments. Not sure of the overhead requirements there per transaction, but as the function just looks at the first identifying part of the message content, then I think the data overhead will also be minimal. You can specify which files types to reject.

A well configured sme server will reject potentially 90% or more of spam that is sent to it (at the smtp transaction level).

You can setup a LAN based sme server email system immediately, students can start using local email for learning. You can learn about configuring sme etc.
Later on when you connect the satellite interface or "plug the cable in", you will then instantly have external web and email access.

[mercyh]

I agree with Mary, grab the ISO and an old pc and go for it. Put it on your network and let it run. Moodle is an open source contrib. I would recommend using DUNGOG or some other consultant once you get in the real world but there is no reason you (or your employee that is interested in linux) shouldn't go ahead and see what the system looks like in real life. You will then at least know what your real life questions are.

get the iso here http://wiki.contribs.org/SME_Server:Download

You can get moodle with these instructions http://wiki.contribs.org/Moodle

[CharlieBrady]

One small comment from me. If you want to be taken seriously, don't call yourself John Doe. Be fair dinkum. It's the aussie way.

[phredd]

But what if his name really is John Doe? 

[mmccarn]

John Doe -

Do you know about "The Tactical Technology Collective"? 

They provide pre-packaged tech for NGOs (and their "NGO-in-a-Box" is based on SME server): http://www.tacticaltech.org/ngo-in-a-box-base

A lot of what you're talking about sounds so useful that I'm sure they'd be interested in any products, howtos, or documentation you end up with -- and they might be willing to help, too!


Now for some comments on your configuration options:


Sat Link + College Link
You'll have to have two routers in order to have two separate connections.  These don't have to be WAN connections - you could set up the local/College connection on the LAN, then simply configure a new "Local Network" in SME server.  Internet? -> Sat Link.  College? -> College.  You'd have to be sure to design your local network so that it didn't conflict with any of the College's local network schemes.

I have nothing against pfSense, or against any of the various multi-WAN routers now available such as those made by Xincom or Netgear, I just wanted to mention that you may not need a dual-WAN configuration.

Pre-filtered Email
You could setup a SME server in the UK to accept email for your school, then setup the server at the school as an internal mail server.  In this config, the spam filtering is done in the UK but the email is delivered to the school.

To minimize traffic, and to ensure email flow when (or if) the satellite link isn't working, you would want to monitor (and possibly customize) the behavior of the check_smtp_forward plugin (http://wiki.contribs.org/Email#Default_Plugin_Configuration).  By default, check_smtp_forward connects to the SME server one extra time for each email to verify that the recipient address is valid.

You could try to talk Google into giving you a free or cheap Postini account...


Minimizing Internet Traffic
(It's unclear to me whether you have traffic quotas on your satellite link, or whether you simply expect it to be slow.  These recommendations mostly assume that you have a usage quota)

You may want to block all outbound traffic that doesn't go through the SME server proxies:
http://wiki.contribs.org/Firewall#Block_outgoing_ports

You may want to include the traffic control capabilities included in DansGuardian (from Dungog):
http://wiki.contribs.org/Dansguardian

You may want to customize squid to cache local copies of updates for any software you're using:
http://wiki.contribs.org/Squid#Caching_WindowsUpdate_download_.28and_others_too.29

If you have a near-duplicate server in the UK, you may be able to let your students create wikis, blogs, etc. on the local SME server, then sync those automagically with another server in the UK that serves the pages to the Internet at large.

Backup
If you have the resources, I'd recommend having two nearly-identical SME servers at the school, with one configured as an Affa backup server.

Wireless
You may also want to include CoovaChilli to support and isolate wireless connections.

Asterisk
If you setup two SME servers, maybe you want to use one to run Asterisk... -- then set up Affa so that each server is a backup of the other...

Monitoring Tools
It needs work, but Ntop is supposed to give you network usage stats that may be useful.

[John Doe]

mmccarn - sorry for delayed response been away for a while at one of the locations we'll be working at.

Thanks for heads up on Tactical Technology - will check it out. Thanks for other pointers as well. Will read through and study points then come back if we need some further help understanding the issues.

We have SME installed and running - struggling with email setup , though i am not up to speed on what the issue actually is. Loving SME in general though.

Charlie Brady - dont understand your swipe at us - what does it matter what name we use here? We think that its pretty fair dinkum and in the true aussie way to be out here lending a helping hand to those who need it.

Thanks

J.D