There are many options for companies and agencies to train digital marketing teams and to keep tenured employees up to date including conferences such as: this week’s WebmasterWorld Pubcon, Search Engine Strategies, Search Marketing Expo, numerous regional and niche events and an increasing number of web based offerings including SEMPO Institute and the DMA Search Engine Marketing Certification program. I would be remiss not to mention the upcoming "Social Media Smarts" workshop in NYC covering all aspects of social media marketing including a strategy exercise and tips on building a business case for a social media effort in your organization.

Attending conferences is not cheap when you factor the increasing price of travel and hotels as well as pre/post and conference training fees, meals and taxi. Attendees and their companies are paying $2500 – $5000 per person per conference as well as the cost of time away from the office performing billable work. It’s easy to see why webinars are on the increase and why those who are fortunate to attend these events need to get the most out of them.

The most important thing that conference attendees can do to get the most out of their time at events is to set goals. Managers sending individuals to conferences should be clear about expectations. Company staff should be sure to talk with others within the organization or team that have attended the same or similar events to gain their insight.

Depending on the purpose for attending a conference, goals may vary. Here are some common goals based on the various reasons for attending any kind of marketing conference:

• Knowledge - How many sessions will you attend and how will you capture the information? Notes, photos, video (where allowed) When meeting new people, discuss the sessions with them. Compare notes with other attendees, it’s a great way to network and to get other opinions. Before the conference, make a grid or a plan for which specific sessions you’ll be attending. Often times, there is not much time between sessions and the difference between getting a good seat and standing room only can be a matter of minutes.

• Networking - How many qualified prospects, marketing partners, vendors to outsource to and job candidates will you meeting? Each day, tally them up and plan how you will follow up.

• Content - how will you leverage your conference experience to create new content for your company blog, articles, or process documentation? Set goals for how many you’ll create each day. The content you capture and create can supply a company blog with numerous posts and show clients, staff and prospective clients that you are on top of what’s happening in the industry. At TopRank, our staff are required to publish at least 3 blog posts for each day of conference attended. Set goals for how many blog posts, articles or other types of content will be created each day of the conference. It doesn’t have to be all text, you can take photos of people, and presentation slides. Take videos where allowed.

• Knowledge transfer - How will you pass on the information youâ’ve acquired to the rest of the team? At TopRank Online Marketing, our staff take the highlights and any specific tactics of use and create presentations which they share with the rest of the TopRank team. Knowing you will be required to present the information you are gaining with the team back at the office helps focus on takeaways and practical interpretations of the new information.

• Socialize – Where there’s a conference, there’s a party. After hours events are exceptional opportunities for conference attendees to relax, network and share information. Make no mistake, post session networking can be an art form. Make a point to relax and have fun, but be clear about objectives and make a goal of attending a dinner each night of the event if possible. Some dinners are a tradition amongst long time friends, some are sponsored by vendors and some are at hoc events that occur as a result of like minded individuals wanting to continue the day’s discussion.

As you can see, there are many more opportunities to get value from marketing conference participation than keeping up to date with an industry. Pre conference goal setting and planning, well defined processes as well as follow up and post event knowledge sharing can all multiple the value organizations realize by sending employees to educational events.

Not all organizations are positioned to take full advantage of these insights, but through simple analysis, it can become clear pretty quickly how much is being left on the table or to competitors who are sending the same numbers of people and incurring the same costs.

Understand the conference offerings, set goals and make the time to pre-plan conference involvement. Leverage content creation, networking, recruiting, competitive intelligence as well as prospecting opportunities and industry conferences can move pretty quickly from an expense with an uncertain effect to an investment with multiples of return.

Comments

Authors and advocates (e.g., Schroeder, 2004) dealt with the large enterprises, from both the manufacturing and service sectors; the smaller firms, known as Small Business, Minority Owned Business, SME (Small and Medium-size Enterprise), or SMB (Small and Medium-size Business), have been virtually ignored by them.

Definition and Characteristics

A Small and Medium-size Enterprise is defined differently, according to the purpose of each definition; the “UK Department of Trade & Industry” (2001) suggests that it is mainly because of the wide diversity of businesses. The UK Department provides a basic definition of SME, one that was used by the Bolton Committee in its 1971 Report on Small Firms: “a small firm is an independent business, managed by its owner or part-owners and having a small market share”.

The UK Department also comes with statistics and hard numbers for its definition; however, I’ll use a more updated, and broader definition of SME, which is given by “EU Commission” (2003):

The category of SME is made up of “autonomous enterprises” which employ fewer than 250 person and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. An “autonomous enterprise” is any enterprise that is not classified as a “partner enterprise”… or as a “linked enterprise”.

Partner enterprise is an enterprise (upstream enterprise), that holds, either solely or jointly, 25% or more of the capital or voting rights or another enterprise (downstream enterprise). [In the US it is normally called "small business" and depending on who owns it, perhaps a" minority owned business".

In the US, minority owned businesses often get breaks on public projects and contact awards; for example they can get a 5% higher score because of their minority status when being evaluated for public contracts in some cases.]

Exceptions are public investment corporations and venture capital companies that can hold more than 25%, provided the total investment is less than EUR 1.25 million. A “linked enterprise” is an enterprise that has a majority of shareholders’ or members’ voting rights in another enterprise… or has the right to exercise a dominant influence over another enterprise.

Within the SME category, a small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover/ balance sheet total does not exceed EUR 10 million.

Within the SME category, a micro-enterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover/ balance sheet total does not exceed EUR 2 million.

This distinction is strongly correlated with the firms’ organisation. Schlenker and Crocker (2003) suggest that micro-enterprises are more often a mixture of sole traders or sole proprietor organisations, which tend to behave as consultants rather than as corporate bodies. Small enterprises more often than not, begin to behave like corporate bodies, with a corporate culture and a clear division of responsibilities.

Medium sized enterprises often mirror their corporate counterparts with a distinct corporate culture and a dedicated IT function. The primary purpose of these firms, they suggest, is not to maximize revenues, but to generate an income for their owners; “they are more concerned with “quality of life” issues than stock value… only 3 per cent of all SMEs actually wish or are able to grow, in terms of either employment or turnover”.

Another characteristic of this sector, point out the authors, is that most firms do not possess several of the core processes (conception, manufacturing, sales, delivery, after sales service) normally associated with “doing business”.

As a result, SMEs are forced to collaborate with each other and with larger concerns to survive, to compete, and to produce sustainable revenues over time. A research carried out in 1992, found that 41% of UK SMEs competed primary on quality, 37% competed primary on price, 13% on time (lead-time and on-time delivery), and 9% of the SMEs competed primary on flexibility (Neely et al., 1994).

As for the growing importance of SME in the global economy, La-Rovere (1996) suggests that empirical studies show a clear trend towards reduction of size in firms of the manufacturing sector in developed countries.

Possible reasons for this are the diffusion of flexible modes of production and the downsizing of large firms. In addition, since the eighties SMEs have an increasingly important role in GDP in developed countries.

This is a result of the increasing importance of subcontracting and labour flexibility for competitiveness. The author points out that SMEs have grown in number because in many sectors barriers to entry of new firms were reduced and also because a greater motivation of workers. Empirical studies, done on the US and Italy, show that a firm’s size and its growth rate are negatively correlated. Nevertheless, argues La-Rovere, the reason why only 40% of American SMEs have a life-span above 6 years, is mainly because their lack of liquidity.

O’Gorman and Doran (1999) suggest that another factor that affects SMEs, characterised by strong entrepreneurial leadership, is their state of growth and ever-changing, which requires an increasing need for the introduction of formal structures, systems, procedures, and controls. Nevertheless, SMEs can achieve global competitiveness without necessarily increasing their actual size, argue Tetteh and Burn (2001), but rather, by building on their virtual or soft assets in order to expand. “These virtual assets include information skills, digital resources, and competencies for managing inter-firm relations and collaborative engagements with other firms”.

The World Bank Group’s Small and Medium Enterprise Department claims to “combine the market perspective of the International Finance Corporation with the policy expertise of the World Bank to promote local small business growth in developing nations” (last updated February 4th, 2004, website http://www2.ifc.org/sme/html/about_us.html).

SMEs play a key role in the developing countries’ economy, which is far greater than it is in the Western countries. “SME in Bulgaria” (2001) estimates that following the 1990s major privatisation, the number of SMEs accounts for over 98% of all registered economic entities; the vast majority of these are micro-enterprises with less than five employees, and their main activities in the retail. However, 46.5% of Bulgaria’s workers in 1999 were employed by SMEs; a figure that is lower than the EU average.

A study in Brazil shows that small and micro enterprises (up to 100 employees) represent 51% of national production, 42% of wages, 65% of employment and 99% of enterprises registered in the country (“SEBRAE”, 1991). Statistics show that in the developed countries, 50 percent of all innovations and 95 percent of all radical innovations since World War II have come from new or smaller firms (Timmons, 1994). In 1996, SMEs in then fifteen-members-EU made 66% of the employment share, with six persons per enterprise in average (“European Foundation”, 2001).

In Japan of 1996, however, only 33% of the workers were employed by SMEs, with the average of ten persons per enterprise; nevertheless, argues the organisation, in the Japanese economy, SMEs play a way more crucial role than in any Western country. The Japanese “Keiretsu” system of groups-of-businesses, with network of cross-shareholding, makes these SMEs fall out of the definition above, on technical grounds.

The US is rated bellow the EU with regards to the SME employment: only 42% of the workforce is employed in SMEs (relative to EU’s 66%), but when comparing between the micro-enterprises, those with less than ten persons, the difference is wider, with 33% in EU and only 11% in the US.

Some of SME’s labour characteristics, as identified by “European Foundation” for the Japanese society, are extensive use of part-time employees, non unionised and non-regular employees (family aid, seasonal and daily-temporary), lower salaries and benefits and more annual working hours. In the US, on the other hand, the SME labour is characterised as more flexible, even when compared to the EU; this flexibility is a result of informal communication, direct supervision, more broadly defined jobs, and the ability to capitalise on strengths of individual employees to meet customer needs.

Other aspects of the SME sector will be discussed throughout the paper. However, the World Bank Group’s initiative for building better business environments at the developing world, highlights some of the difficulties specific to SMEs in these countries: difficult regulatory, tax and trade climate, barriers to entry, lack of legal infrastructure and corruption.

You can find and read the full version of the article, a 26-page PDF that includes the following topics:

SME’S OPERATIONS STRATEGY, SME’S QUALITY MANAGEMENT, FLEXIBLE PROCESS DESIGN OWNERSHIP, STEWARDSHIP, AND MANAGEMENT TECHNOLOGY AND FLEXIBILITY INFORMATION TECHNOLOGY FOR SME, SME AND SUPPLY CHAIN REFERENCES.

Add to | DiggThis | Yahoo! My Web

Technorati:

Ezra Bar, MBA, PhD Student, is a Business Consutant and Academic Mentor for MBA and Engineering Students. Visit http://www.Ez-B-Process.Com/Resources.htm and find many other Academic and Business Articles. Visit http://www.Ez-B-Process.Com/PhD.htm for Academic Mentoring. Visit http://www.Ez-B-Process.Com/BPR.htm for Reengineering consulting.

Unfortunately, the grub boot would start to load the SME kernel and then fail with a 0×10 message. This was an “E-Machine”, which was a choice I remember being unhappy about when it was first installed, but this customer is very price conscious and ignored my advice that better hardware would be smarter. Oh well.

As I had nothing better to do (yeah, right), I hopped in my car and drove down to RI to see this first hand. I should have looked up the error before getting in my car, but it was early and I hadn’t had enough coffee yet. If I HAD looked it up, I would have quickly found this (from http://linux.derkeiler.com/Newsgroups/comp.os.linux.setup/2003-08/0074.html):

0x00
"Internal error". This code is generated by the sector read routine of the
LILO boot loader whenever an internal inconsistency is detected. This might
be caused by corrupt files. Reinstall IPCop or recreate the boot media.

0xBB
"BIOS error". This shouldn't happen. Try booting again.

Well, I felt it had to be hardware, so that would have just confirmed it, and I did feel that it was going to be easier to track this down on-site than trying to work with the client over the phone. Providence isn’t very far away, so..

When I arrived on site, I just quickly confirmed that the symptoms were as told to me. Too many times I have have had someone tell me one thing and found something entirely different when on-site, but this time the error was accurately reported. Still lacking sufficient coffee, I sat down at a Windows machine and tried to call up Google.

Well, duh! The SME is the gateway to the internet! No gateway, no Internet, no Google. I shook my head in amazement and called Mitel support. In a very few minutes, I had one of the regular engineers on the phone. I explained that I would have looked this up myself if I had turned on my brain before getting in my car, and he laughed at me and did the search for me. In a few seconds, he told me it was most likely hardware.

I asked the customer for last night’s DVD (we run Microlite Edge for backup here) but it wouldn’t boot. That surprised me at the time, though later I found out why. I then asked for the boot recovery floppy we had created when the system was installed. That wouldn’t boot either, which was upsetting. Finally, I asked if he had a recent Desktop Backup – he said yes, but when we tried to find it on his Windows machines, there was none.

Oh boy. Just the way I wanted things to work out – no backups, hardware boot error. Good thing it’s only a 40 person office. Yes, I’m being sarcastic.

Fearing the worst, I inserted the SME install CD and rebooted. To me surprise, it saw the existing installation and offered to upgrade it. What the heck – I let it try, and it completed successfully. But the same 0×10 boot error came up. So, I booted that CD again, and this time when it got to the point of offering to upgrade, I did an ALT-F2 and had a shell prompt where I did a “cd /mnt/sysimage” and took a look around. All data was apparently intact, which meant that whatever hardware issue we had might be isolated to the boot files. I also now realized why the Edge DVD didn’t boot: this is a software raid system, which Edge can’t handle at the present time. We never told Edge to attempt a bootable backup because it can’t.

But knowing that it was RAID gave me hope. Examining /proc/mdstat showed me:

Personalities : [raid1]
read_ahead 1024 sectors
md2 : active raid1 hda3[1]
262016 blocks [2/1] [_U]

unused devices: <none>

The Mitel engineer explained that it should be showing [UU] for each line, and that the [_U] indicated a raid problem. At that point, I decided we should shut down the machine and open it up.

When we did that, I could immediately feel that the master ide drive was much hotter than the slave. The slave was warm, the master was uncomfortably hot. Touching the top of it with my finger made me feel I could blister my skin if I left it there long – it was that hot. I removed it, changed the jumper on the slave to make it the master, put the cable back, and buttoned the machine up. To my relief, it rebooted.

That’s not a guarantee with RAID. If the hardware problem had caused data corruption prior to failing completely, the corruption would have been mirrored to the slave. Fortunately that was not the case here.

So we were back up – short one hard drive, but up and running. I asked the Mitel engineer if I needed to reinstall blades because of the “upgrade”, but he explained that it wouldn’t overwrite newer files.

I then took a look at the Edge backup files – the backup had been failing for the past 10 days. I chastised the customer for not alerting me to that problem but I realize that he’s a busy guy and probably had other things on his mind. I left the system doing a Desktop Backup and advised the customer that they really should consider better hardware for such a critical system.

*Originally published at APLawrence.com

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

However, sometimes you have subnets or vpn’s that you do want to allow access to. SME Server allows that: you simply use the Administrative browser and add the appropriate network ip’s to the Local Networks section. For a vpn connection, that would usually be the private ip address range used such as 10.x.x.x or 192.168.x.x

But VPN’s create another problem if they are running over the public internet. The people at the other end will have a routing table that might look something like this:

Destination &nbsp&nbsp Gateway
default &nbsp&nbsp&nbsp &nbsp&nbsp 10.0.0.2
192.168.3.0 &nbsp&nbsp 192.168.2.1 &nbsp&nbsp (your internal network is 192.168.3.0)

If their Outlook is set to access “mail.xyz.com”, that’s going to route through the internet. The access won’t be from the 192.168.2.0 network that you said was OK, it will be from the public internet.

The solution is simple: have their Outlook use your internal address. If your server is at 192.168.3.1, that’s what they’d put in Outlook. That access will route through the VPN, and all will be well.

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

Before we get into the details, let me say that I was very impressed. This is well done, and they have paid attention to important details. I have a few minor nit-picks here and there, but over all I can highly recommend it.

As some of the people reading this will be aware that I also sell the SME Mail Server, I’ll also offer some comparisons between these very different approaches at the end of my review.

Installation

This was actually the most annoying part of the entire process. I say that not because it was horribly difficult, but only because it could have been much easier. Neither the enclosed manual nor the CD were particularly helpful. The manual tells you that you install Linux RPMS, but doesn’t tell you where they are on the CD. Of course, they aren’t very hard to find, but the CD directories are Windows/Mac GUI style: imbedded spaces in directory names, making it annoying to navigate from the command line. I’ve said this more than once: just because you CAN use spaces in a directory or file name doesn’t mean that you SHOULD. But as all the regular readers know, I’m a grumpy old curmudgeon and you should ignore me when I start muttering about these things.

(Kerio tech support read this and noted that most people just download the software rather than getting the CD, but did agree that the spaces should be changed to underscores and promised to do that).

I found the kerio-mailserver-5.62-rh7.rpm and the kerio-mailserver-admin-5.62-rh7.rpm and installed both.

The manual tells you to run /opt/kerio/mailserver/wizard for initial configuration, but it is actually “cfgwizard”, not “wizard” (Kerio says they’ll fix that next release of the manual). There is very small notice of things you will have to do to an existing Linux server, such as disabling sendmail and other mail related things you may have running (POP3), changing firewall rules, etc. You probably shouldn’t be installing this if you aren’t comfartable with Linux. Yes, they do have a Windows version, but you can probably well imagine my horror at running a mail server on Windows!

Kerio tech support noted that I missed this:

When you install the RPM, it gives you a note to read /opt/kerio/mailserver/doc/REDHAT-README, which actually contains instructions on how to stop and disable both sendmail and, and how to tell (netstat -tlp) what network servers are running.

Admin Console

The Admin package can administer servers on any platform, so I installed the Mac OS X version of that. That had a few resolution or screen placement problems; some controls were slightly distorted or out of place, but it worked fine. Here’s a screenshot:

Kerio Admin Mac OS X administering Linux Server

Notice the “Edit” button is slightly skewed. No big deal, of course. The Linux admin console had no such glitches administering its own server. This screen also shows the definition of IP Address Groups, which will be mentioned later.

The main Administration Console offers four major groups: Configuration, Domain Settings, Status, and Logs. There is some overlap here and there; for example you can configure basic SMTP access under Configuration->Services, but relaying is configured under Configuration->SMTP Server. That actually makes sense: if, for example, you configure SMTP Services to accept connections only from the local lan, any attempt to access port 25 from outside the lan will be rejected. Within SMTP Server, you can control relaying (even down to individual hosts). This is very welcome.

Services
Every service (SMTP,POP3, Secure POP3, Imap, Secure Imap, Webmail, Secure Webmail, Ldap, Secure Ldap) can be turned on and off, set to start automatically or manually, can be set to run on a non-standard port, and access can be set down to the host level.

Access to services means that your connection attempt will be refused if you aren’t allowed access. By default, all services are running, started automatically, and not blocked at all. To add access control, simply edit the service you wish to control, and check “Allow access only from selected ip address group”. You’ll see this same control in other places, and it is quite well done. Basically you create “groups”. A group can contain specific hosts, ip ranges (by beginning to end or by netmask) and other groups. This lets you be very specific about access control, although there’s no exclusion here, only inclusion (you can blacklist specific hosts/groups at the SMTP server level though). I’d like to see exclusionary capability here, too (of course you could always do this at the Linux firewall level).

Domains
Domains can be independent or aliased. For example, I can have “apl.org”, add users to it, and if I add an alias “aplawrence.org”, mail to a user in either domain will go to the same account. However, if I create a separate domain, “foo.org”, a user added there is entirely different from those in “apl.org” and “aplawrence.org”.

Within Domains, you can specify a footer to be added to each email sent from that domain, forwarding to another SMTP server/port for unknown users, and even specify active directory or kerberos servers. A domain can be bound to a specific IP address. Forwarding can be immediate, scheduled or triggered by ETRN from the other server.

Delivery Queue

Here you have the choice of using direct MX record message delivery, or a relay server. This section also lets you specify how often to retry delivery, when to warn the sender of delivery problems, and how many days to wait before giving up entirely. It is very nice to have such full control.

SMTP Server

By default, the server won’t relay (deliver messages to users outside of its own domains) for anyone, not even a user logged on to this machine. You do have the option of setting it to be an open relay, but it’s not likely you’d want to do that. You have the ability to use the access groups as mentioned under Services above, or you can require SMTP authentication, or allow relay if the user has authenticated by POP3 within some period of time you specify.

You can also specify Blacklists. There are built in selections (www.mail-abuse.org and www,ordb.org), and you can specify your own, again using the Access List method. The combination of IP address groups and blacklists gives you very precise control over who can use your server and who can send you mail.

There are more Security options here: you can specify a maximum number of messages per hour from one ip address, a maximum number of concurrent SMTP connections from one address, and also a maximum number of unknown recipients (that could be an indication of spamming). You can specify an access group that these limits do not apply to, which might allow more freedom to local users etc. These types of controls have become much more important in recent years.

You can block if the sender’s address doesn’t resolve with DNS (another anti-spam control) and specify the maximum number of recipients you will accept in one message. Other useful anti-abuse controls include limiting the number of failed SMTP commands (for example attempts to relay or send to unknown users) and can reject messages that have gone through too many relays prior to getting here. Finally, you can specify a maximum size for messages. That’s a global limit that is above the user quotas that can be applied individually.

Spam Filter

The Kerio Mail Server uses SpamAssassin, and gives you full control over its configuration, including the ability to add rules to accept or reject messages regardless of SpamAssassins scoring, or increase/decrease the score. You also get full control over the disposition of messages: add a Spam header, discard it, return to sender, or forward to some other address. I really like that level of control, especially being able to “whitelist” senders.

Virus Scanning

Kerio offers McAfee as an option, but the server can use other vendors too. In this tab is Attachment handling also: you can separately specify what to do about .exe, .doc files, etc. Messages tagged by the virus scanner or because of attachments can be blocked, have the attachment removed, or forwarded to an administrative address. The sender can be notified or that can only be done if the origination was local. That’s useful – many external virus messages are spam that shouldn’t be replied to, but you’d probably still want to let local users know about viri in their outgoing messages.

Backup

No, this isn’t system backup. This rather lets you store automatic copies of messages: Kerio Mail Server Backup Screenshot This is a very important feature for some industries, and could be handy for just about anyone. Notice the options available in the screenshot allow viruses to be stored intact if desired.

Scheduling

The Kerio Mail Server can schedule sending mail, downloading from another POP server, or sending an ETRN to another server. If your server is on dialup, you can allow it to establish a connection if needed. POP and ETRN downloads have their own configuration tabs also, where you can specify multiple servers, sorting rules etc. There’s a lit of flexibility here. You can download from multiple POP servers (while still receiving SMTP mail, of course).

SSL Certificates
You can generate a self-signed cerificate or import a “real” certificate. Certificates are necessary if you want to use any of the secure protocols.

Other Options

There are other security related options under Advanced Options. These include requiring specific authentication methods, doing reverse DNS lookups and other more advanced settings. It is really good to see these capabilities made easily available for configuration.

Users

Users are added on a per-domain basis, or can be imported from a Windows NT domain or Active Directory server. It’s too bad that you cannot import from Linux passwd or a Linux LDAP server too, or at the very least from a csv file. (Kerio tech support says):

It is theoretically possible to import from Linux LDAP, if you want to write your own MAP file. Look at the files in /opt/kerio/mailserver/ldapmap/ for examples

The user information is quite complete, including quotas, webmail preferences, how to authenticate each user, forwarding and more. One noticeable lack is any provision for putting a user on vacation. Of course that can easily be done at the Linux level with procmail etc., but I think that function should be part of mail server administration.

Naturally you can also assign groups and aliases. I was pleasantly surprised to see that this handles mailing lists also.

POP, IMAP,Webmail

There’s nothing much to configure here. Webmail includes some nice features like shared folders, more message filtering, and cellular phone notification. There’s Wapmail (access by cellphone) also, which could be very handy now and then.

Overall Impressions and comparison to SME Server

This is a very good mail server. As mentioned above, I also sell the Mitel SME Server, so it is interesting to compare these. The most important difference is that this is a package you install on an existing Linux system, while the SME server is a complete Linux distribution which includes many other features not necessarily related to mail (VPN access, firewall, file and print services, etc.). There are advantages and disadvantages to both approaches:

• Security:

  With an all inclusive package like SME, all aspects of the system are under the control of one vendor. You don’t need to worry about general security issues that aren’t related to mail. On the other hand, you are also forced to wait for that vendor to provide security fixes, whereas with a stock Linux install, you can get security updates yourself the moment they are available. Of course you’d need to wait for Kerio to provide any mail related security fixes too.

• Customization:

  The SME server, being mostly Open Source, encourages and allows customization. On the other hand, the Kerio Mail Server often offers more configuration capability with its admin tool than the SME server does. You’d need to drop to the Linux command line level to do some of the tasks that the Kerio Admin Console allows. However, if the Kerio console does not offer the function, you may have no way to do it at all, as this is mostly proprietary code.

• Independent Domains:

  The Kerio Mail server allows the definition of independent mail domains as noted above. SME server only supports alias domains.

• Other software:

  While other software can be installed on an SME server, this can cause conflicts and problems in some cases. This is, of course, because the SME is an integrated OS with a number of very customized sub-systems. As the Kerio Mail Server is only a mail server, other Linux software is not as likely to affect its operation.

• Administration:

  The SME server is administered with any web browser, Kerio uses a proprietary tool. The advantage of the web browser approach is that you can immediately administer from anywhere; there’s nothing to install. The Open Source and well documented interface allows third party modules to be easily added. However, this approach also limits what can be easily done: the web interface is sometimes a little clumsy and often is much slower than a dedicated interface like Kerio Mail Server uses.

• OS Knowledge:

  The SME server requires almost no OS knowledge for installation or use. The Kerio Mail Server itself requires no OS knowledge, but you will need some for installation.

• Cost:

  The SME server comes both in a free (unsupported) version, and a paid, fully supported subscription mode. Kerio Mail Server has a free 30 day demo, but otherwise is subscription only.

• Support:

  The SME server, because it is an entire integrated server, is supported by Mitel and your dealer at all levels: from booting on up. As the Kerio Mail Server is simply an application on your server, they of course only support this part.

Which of these would be better for you? Well, that’s something only you’d know, but it’s easy enough to try either one out to get a hand’s on look. Download the Kerio Mail Server here: http://www.kerio.com/kms_download.html and see http://www.e-smith.org/downloads/ for SME.

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

Every user account created can be forwarded to another account (you also have the choice of forwarding a copy to another account). You normally would do this using the administrative web panel, but behind the scenes, this is accomplished with the .qmail file in the user’s directory. Here’s what a user’s .qmail file looks like without forwarding:

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999-2001 e-smith, inc.
#------------------------------------------------------------
./Maildir/

#------------------------------------------------------------
# TEMPLATE END

That just tells Qmail to deliver this user’s mail into the Maildir hierarchy (which
contains new, cur, and tmp subdirectories). If a forwarding address is added
through the SME Server web panels, the file might look like this:

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999-2001 e-smith, inc.
#------------------------------------------------------------
&tony@aplawrence.com
./Maildir/

#------------------------------------------------------------
# TEMPLATE END

A forwarding address has been added. If we had told it not to deliver locally, then the “./Maildir/” line would have been removed.

What if you wanted to forward to two or more addresses? Typically that would be a mail list, althought there might be situations where an individual would want multiple forwarding. You could manually add multiple lines to .qmail, but although that would work, the SME Server web panels would overwrite your changes. It is possible to add Perl code to /etc/e-smith/events/user-modify or /etc/e-smith/templates-user-custom/.qmail to control the contents of .qmail. For example, the “vacation” add-on does exactly that. That would be a possible way to handle a mail list, though it could be a little clumsy.

If the list is small, you can do this entirely through the SME Web Manager. Simply create a locked account for each user you wish to be on the list, and forward that account to the actual email address of each person. I suggest creating the names with a common component to make it easier. For example, if I were on your mail list, you’d create an account for me such as “listtonyl” and would forward that to “tony@aplawrence.com”. Another accoount might be “listjimb” and would be forwarded to whatever jimb’s real email address is. You’d then create a group with the actual mail list name and put “listtonyl”, “listjimb” and everyone else you want in that group. Mail to that group would end up going to each of those addresses.

Qmail has another feature that can make such lists a little easier. Every user can create “dash” files in their home directory. The file name is “.qmail-something”. Put the email addresses you want in this file, one per line. You don’t need the leading “& for this. For example, I might create “.qmail-mylist”. Mail sent to “tony-mylist@aplawrence.com” would then go to whoever was listed in that file. The format is a little clumsy, but nothing stops you from creating another system level account caled “tonylist” and having that forward (using the web manager) to “tony-mylist”. That lets me send mail to “tonylist” instead.

You could also just create ~alias/.qmail-tonylist but the problem with that is that use of the web manager for aliases will update this area itself and wipe out your list. You could, with effort, modify the related code to prevent this, but it doesn’t seem to be wortn the effort to me.

Finally, you can install a real mailing list manager. Ezmlm is a popular choice, and there is a contributed RPM at http://www.e-smith.org/contrib/rpm-index/. Using a real list manager lets you do such things as restricting who can send mail to the list, makes it easy to add and subtract members, etc. I’d really recommend this if your list needs are at all complex.

Please read this disclaimer
Copyright and reprint info

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

Virtual Domains

The server can handle multiple domain names. For example, I own two domains: aplawrence.com and aplawrence.com. Although in my case both domains serve the same content, I could have them be different if I wished. Understand that you must register a domain for this to work. All of your domains will use the exact same IP address ( the address of your SME server), so the only way the server can tell which pages you want is by the domain name you used in your browser.

For the purpose of this example, I’m going to pretend that you own the domain jimbobob.com and that it properly points to your SME server. Your brother-in-law owns the domain bestcartooning.com and you have kindly offered to host his web site for him.

The very first thing you need to do is create a user account for your brother-in-law. We’ll call it “cartoon”. Add the user “cartoon” under “Collaboration->User Accounts” in the SME Server Web Manager. Don’t forget to set a password after you create the account.

Now add a new group. We’ll call it “cartoongroup”. Add the group “cartoongroup” under “Collaboration->Groups”. Make “cartoon” a member of the group. You can add as many other users as you need to be members of this group. The purpose of this is that only people who are in “cartoongroup” will be able to use ftp to write files into this domain- they will be the only people who can update “bestcartooning.com”‘s web pages.

Now create an I-Bay. We’ll call it “cartoonbay”. Give the “cartoongroup” read and write access to this, and set the public access to “Entire Internet, no password”. The purpose of this is that virtual domains use I-Bays to store their html files. Until you have an I-Bay, there’s no place to point a Virtual domain other than your primary web site.

Create the Virtual Domain “bestcartooning.com” and point it at the I-Bay “cartoonbay”. If you had already created this before making the I-Bay, you can go back and modify the Virtual domain to point it at “cartoonbay”. We’re almost done.

All the above is done from the web interface, but one final touch from the command line will make this easier for your brother-in-law. Log in as root on the SME Server console. Hold ALT and press F2 if you don’t already have a login prompt. The root password is the same as the “admin” password. After logging in as root, do:

cd ~cartoon
ln -s ../../ibays/cartoonbay bestcartooning.com

The “cd ~cartoon” takes you to “cartoons” home directory. The “ln” command creates a symbolic link that points to the I-Bay.
You can see how this works by ftp’ing to the server and logging in as “cartoon”:

220 e-smith.pcunixx.com FTP server ready.
Name (10.1.36.248:apl): cartoon
331 Password required for cartoon.
Password:
230 User cartoon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
227 Entering Passive Mode (10,1,36,248,4,8).
150 Opening ASCII mode data connection for file list
drwxr-xr-x   5 cartoon     cartoon         4096 May 13 19:21 Maildir
drwxr-xr-x   2 cartoon     cartoon         4096 May 13 19:42 home
lrwxrwxrwx   1 root     root           16 May 15 22:15 bestcartooning.com -> ../../ibays/cartoonbay
226-Transfer complete.
226 Quotas off
ftp> cd bestcartooning.com
250 CWD command successful.
ftp> dir
227 Entering Passive Mode (10,1,36,248,4,9).
150 Opening ASCII mode data connection for file list
drwxrwx---   2 root     cartoongroup          4096 Jul 16  1999 cgi-bin
drwxrwx---   2 root     cartoongroup          4096 Jul 16  1999 files
drwxrwx---   2 root     cartoongroup          4096 May 15 22:20 html
226-Transfer complete.
226 Quotas off
ftp> quit
221 Goodbye.

He simply cd’d to “bestcartooning.com”. If he wanted to put html pages, he’d then “cd html” or “cd cgi-bin”.

IMPORTANT: If you haven’t allowed ftp access in the SME Server Remote Access panel, none of this will work. The Remote Access panel controls overall use of ftp to the SME Server.

The final thing to be done is that your brother-in-law needs to have his DNS for “bestcartooning.com” changed to point at your server.

Please read this disclaimer
Copyright and reprint info

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

Packet filtering is something I’ve always hard a hard time getting my head around. Not the basics; that’s easy
enough. It’s just the incredible level of detail, the difficulty of keeping it all in your head at once.

And then, of course, there are all the different flavors: ipfw, ipfilters, ipchains, and now iptables. It gets more
than a little confusing, and I’ve never taken the time for more than a cursory look at any of them.

Well, time to change that. I needed to learn more about iptables because the SME Server firewall/mail server I sell now uses this. So..

Basics

The basic idea of any packet filtering is to look at a network packet and decide what to do with it: accept it as is and let it go on its way, stop it dead, or change it in some way (which usually
involves sending it somewhere other than where it was originally headed).

Chains and Tables

Iptables starts with three built in chains. You can add more chains, (generally for convenience). Let’s understand what it comes with first.

• FORWARD
• INPUT
• OUTPUT

It is important to first understand what packets these chains see.

If a packet comes from this machine (is generated by an application running on this machine), it will go to the OUTPUT chain only.

A packet coming TO this machine traverses the INPUT chain only.

A packet going somewhere else uses FORWARD only.

THAT’S NOT HOW IPCHAINS WORKS. A packet going somewhere else never sees INPUT with iptables. Similarly, a forwarded packet
never sees the OUTPUT chain with iptables. In some ways this makes iptables easier to understand, but if you have the ipchains flow
stuck in your head, it makes it confusing.

Another major difference is that iptables is stateful; that is, it keeps track of each connection. You can look at connections by
examining /proc/net/ip_connact. Here’s a little bit from a machine:

tcp      6 426345 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1031 dport=1030 src=127.0.0.1 dst=127.0.0.1 sport=1030 dport=1031 [ASSURED] use=1
tcp      6 426345 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1025 dport=1024 src=127.0.0.1 dst=127.0.0.1 sport=1024 dport=1025 [ASSURED] use=1
tcp      6 426345 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1033 dport=1032 src=127.0.0.1 dst=127.0.0.1 sport=1032 dport=1033 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.1.36.3 dst=10.1.36.248 sport=33019 dport=22 src=10.1.36.248 dst=10.1.36.3 sport=22 dport=33019 [ASSURED] use=1
tcp      6 431944 ESTABLISHED src=10.1.36.3 dst=10.1.36.248 sport=33022 dport=21 src=10.1.36.248 dst=10.1.36.3 sport=21 dport=33022 [ASSURED] use=1
tcp      6 426345 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1027 dport=1026 src=127.0.0.1 dst=127.0.0.1 sport=1026 dport=1027 [ASSURED] use=1
tcp      6 426345 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1029 dport=1028 src=127.0.0.1 dst=127.0.0.1 sport=1028 dport=1029 [ASSURED] use=1

Note that you can see an ssh and an ftp connection there.

You need the ip_connact module to have iptables understand the relationship between the control and data sides of an ftp
connection. If that makes no sense right now, you might want to read the ftp section in /Security/dslsecure.html.
This module is also used by the nat translation module.

There are other differences. The http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-10.html lists most of them (there’s a lot of other good iptables help at http://www.netfilter.org/documentation/ too).

But back to chains: why would you want to add your own chains – it looks like the standard three pretty well cover everything? True,
but you’d usually do that so that you can apply the rules you make for the new chain to other chains. A quick example:

You create a chain called “mychain” and add a bunch of rules to it. You want both the INPUT and the FORWARD chains to use those rules.

	iptables -N mychain
	iptables -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT
        # .. more rules ..
	iptables -A mychain -j DROP
	iptables -A INPUT -j mychain
	iptables -A FORWARD -j mychain

That saves the effort of writing out the same rules for both INPUT and FORWARD chains. It’s also, unfortunately, why professionally
written iptables firewalls are so hard to comprehend: you have to follow them back through chain after chain to figure out what’s
really going on. One chain will list several other chains as targets for itsvarious rules, and those in turn may list others – it can be hard to follow.

Now for some more confusion. You can have more than one network card on the machine. That’s the whole idea of a firewall: one
interface to the internet, one or more to the internal lan. A packet coming in on the external interface may be a FORWARD to it, and
an INPUT to the lan side. Therefore, you may have to write more than one rule to control the packet.

Tables make this even more confusing. This is straight from the manual page:

TABLES
       There are current three independent tables  (which  tables
       are  present  at any time depends on the kernel configura
       tion options and which modules are present).

       -t, --table
              This option specifies  the  packet  matching  table
              which the command should operate on.  If the kernel
              is configured with  automatic  module  loading,  an
              attempt will be made to load the appropriate module
              for that table if it is not already there.

              The tables are as follows:

       filter This is the default table.  It contains the  built-
              in  chains  INPUT  (for packets coming into the box
              itself), FORWARD (for packets being routed  through
              the  box),  and OUTPUT (for locally-generated pack
              ets).

       nat    This table is consulted when a packet that  creates
              a  new  connection  is encountered.  It consists of
              three built-ins: PREROUTING (for  altering  packets
              as  soon  as  they  come  in), OUTPUT (for altering
              locally-generated  packets  before  routing),   and
              POSTROUTING (for altering packets as they are about
              to go out).

       mangle This table is used for  specialized  packet  alter
              ation.  It has two built-in chains: PREROUTING (for
              altering incoming packets before routing) and  OUT
              PUT  (for altering locally-generated packets before
              routing).

Does you head hurt yet? Mine sure did. It gets worse: while those three are probably all you have at most, you could
have more. You can find out by “cat /proc/net/ip_tables_names”.

This also introduces another complication: if you want to list the rules for the chains, you also need to specify the table.
If you just do “iptables -L -n” (don’t forget the -n to avoid wasting time asking DNS to resolve your internal addresses), you
only get the filter table. To get them all, do something like:

for i in `cat /proc/net/ip_tables_names`
do
echo "Table $i:"
echo "============"
iptables -L -n -t $i
done

Got that all digested? Good, because now we have to learn about extensions. Look in /lib/iptables or /usr/lib/iptables.

You should find a bunch of libraries, here are just a few:

libipt_ah.so
libipt_DNAT.so
libipt_DSCP.so
...
libipt_state.so
libipt_tcp.so
libipt_tos.so
...

Each of these are things you can use in iptables rules. We used the “state” module in the user defined chains example above. That’s great, but how do you use these things? Well,
some of them are documented in the “man iptables” page, but they are also self documenting. Try these:

iptables -p tcp --help
iptables -m state --help
iptables -j LOG --help

How do you know whether to use -p, -j or -m? Honestly, it can be a little confusing, but if one doesn’t work, try another- you’ll find it by trial and error if no other way. When you
are reading someone else’s rules, you may need at least this to understand what their rule is trying to do. You may also find http://www.netfilter.org/documentation/netfilter-extensions-HOWTO.html helpful.

Writing iptables rules

There is no way that I’m even going to attempt to write firewall rules. I will, when necessary, add to or modify someone else’s rules to do something needful that they
didn’t include. The level of knowledge necessary for that is substantially less than that required for actual authoring. Even that can be daunting, however: these things
can be very complicated.

There are iptables firewall generators available on the net. Use Google and search for “iptables firewall”. Some of these are pretty
well documented, so you can learn quite a bit more about iptables by studying them.

Copyright and Reprint Info

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com