HP3000-L Archives

December 1997, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Chris Bartram <[log in to unmask]>
Reply To:
Date:
Mon, 22 Dec 1997 15:23:41 -0500
Content-Type:
Text/Plain
Parts/Attachments:
Text/Plain (159 lines)
 In <[log in to unmask]> [log in to unmask] writes:

<WARNING: LONG DETAILED RESPONSE>

> Sorry for (what seems to me to be) an off topic thread, but I suspect
> one or two of you out there might have a thought or two. (It's also
> time for me to show my ignorance too!)

Hey, I live for this stuff! ;-)

(No, it's not quite THAT bad! ;-) )

> As a company, we do not have internet email or a Web presence for
> that matter.  (A couple of us do have email as individuals.)  I have
> finally convinced the powers that be that we should have both.
>
> Besides PCs, the only other box we have is our hard-working HP 3000.
> From what I understand, it is not advisable to connect that directly
> to the 'net - something about security.  :-)  We don't have much
> "left over" horsepower/disk space on the HP 3000, either. Also, I
> doubt that I can convince them to buy a new box to serve as a
> Web/email server at this point in time.

First off, a 3000 can be connected to the net very easily - and can be much
more secure than most other platforms. The key is the box that sits between
the 3000 and the "rest of the world". This is either a router or a firewall
(or both).

Every Internet "protocol" (i.e. mail/www/ftp/telnet/etc) has an assigned
"port" number; an integer number, registered and standardized. Some examples:

service        port
telnet         23/TCP
smtp(mail)     25/TCP
dns            53/TCP and UDP
http(www)      80/TCP
NSVT           1537 and 1570 /TCP

[TCP is a connection-based protocol; UDP is connectionless. Both function
similarly, and routers/firewalls can filter on either/both]

[While you *can* sometimes run these services on other ports, YOU'd have to
make special arrangements to do so; unless YOU make special changes, they run
on the standard ports]

Now about every router in the world (and most firewalls) let you define what
you want to let "pass through" from inside your network to the outside world
(and vice versa). In fact it's usually very easy to configure a router to not
let *any* traffic flow between a certain box (the 3000 say) and the outside
world. In that case, even though you're *connected* you're secured; no one
from the outside can make any sort of connection to your machine.

[Of course, if there are other machines that you DO allow through your
firewall/router, then you also need to be sure that they're not running a
service that would let someone log into them -like say a unix box running
telnet- which would then let logged-in users establish a connection to your
secured system.]

Keeping it simple though; set your router up, disallow all traffic by default,
then selectively allow a couple services you want to use. Now, it's important
to know WHICH services do what, and what kind of security risks they are. For
example;

NSVT/telnet -allow users to log into your machine. The most dangerous access
             type from a security standpoint
FTP         -allows remote users to access (some) files on your system; also
             needs special security attention
DNS         -allows your system to resolve host names to IP addresses; doesn't
             grant any file access. dns access out to the net has no notable
             security issues; dns access inbound (if you're running a DNS
             server) about the worst that can happen is someone issuing a lot
             of DNS requests and putting a load on your system
SMTP        -email transfer. No file access allowed; the worst that can occur
             is system load issues if you were "attacked" by email bombers, or
             being used as a spam relay (easily preventable though)
POP2/POP3   -email retrieval protocol; no access granted. Worst case someone
             could retrieve someone's e-mail (if they had names and passwords)
HTTP        -web access; web server can grant access to certain files (read
             only) and scripts you've placed on your server (scripts can be
             written to do about anything the web server login can do; so it's
             up to you to secure scripts you write)
ICMP        -this is a low-level protocol, used by Ping and traceroute. It's
             not assigned a "port" number, since it's a lower level in the
             protocol stack, but it can be filtered on most routers and
             firewalls. I note it here because you CAN still crash some
             HP3000s with the "ping of death" hack, so unless you have the
             proper patches from HP, best to filter these too

For an e-mail system on your 3000, you'd need to allow port 25 incoming and
outgoing (tcp), and port 53 (dns, both tcp and udp).

For a web server, enable port 80 (tcp) incoming and outgoing. Pick up Mark
Bixby's Apache port if you're on 5.5. (there are other options if you're not
on 5.5 yet, but you'd be a lot better off with Apache on 5.5.)

For remote access to e-mail (using Netscape/Eudora/Pegasus (P Mail)/Exchange/
other POP clients) you'll need to allow connections to come in on port 110.

If you wanna manage the DNS for your own organization, pick up the BIND
package (also ported by Mark Bixby). If your organization is small though,
you might be better off leaving the DNS management to your ISP, who usually
will do that for no extra charge.

> Most of the employees (~60%) that will get email access are located
> here in the Muncie area.  The remaining employees (I guess that
> would be ~40%) are scattered around the country (primarily in the
> Eastern half).

POP accessible mailboxes can let your users retrieve/send mail from anywhere
in the world (via their local Internet access) by pointing their mail clients
to your POP server.

> So, my question is "What do I need to do/Who do I need to talk to to
> get a Web presence and email capability for the company using our
> own domain name, and permitting employees to have access to their
> email w/o placing a long distance call?"

Call us. :-)

<PLUG> We can help you get a domain name registered (or do it for you); Our
NetMail/3000 mail package that runs on the 3000 gives your interactive users
e-mail access from terminals or emulators, and it includes a built-in POP
server so you can let your remote users access their e-mail over the 'net.
Your users get a local Internet dialup account (or a 'roaming' account if they
travel a lot) and connect to the 'net via the local ISP, but point to your
server as their mail (and smtp) server.

> I have registered a domain name for us (although not yet received
> confirmation of it).  I know I can go to my "local ISP" and they can
> host a Web site/provide email for us.  Unless I simply don't
> understand however, that would not provide "free" e-mail access to
> the out-of-the-local-area employees.

True. (at least usually)

> I assume that one of you has/had a similar situation.  How did you
> address the problem?

We do the same here -some of our employees have ISP dialin accounts to get
to the net, but point to our (3000 based) mail server for e-mail. Several
of our customers do the same.

          Long live the 3000!

              Chris Bartram
              3k Associates, Inc.


______________________/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
  Chris Bartram        Sales (US):   800 Net-Mail    Fax:+1 703 451-3720
   ______                         +1 703 569-9189    mailto:[log in to unmask]
  /__ |  \__________   Sales (Europe):+44(1480)414131 Fax:+44(1480)414134
 /  / | / ________     Sales (Pacific):+61 3 9489 8216 Fax:+61 3 9482 5124
|  /_ |<  ______       Tech Support:+1 703 569-9189  Fax:+1 703 451-3720
 \ __)| \ ___          mailto:support at 3k.com       Me: rcb at 3k.com
  \______/Associates,  6901 Old Keene Mill Rd Suite 500 Springfield VA 22150
_________________Inc._/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Gopher: gopher.3k.com   Anon-FTP: ftp.3k.com  WWW: http://www.3k.com/
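A small model of the default-deny router policy the reply above recommends (deny everything, then allow SMTP, DNS, HTTP and inbound POP3, and filter ICMP), added here as an illustration and not code from the post or from 3k Associates. The Packet/Rule types, evaluate() and exposed_login_services() are my own constructions, and FTP's port 21 is assumed since the post names the service but not its port.

```python
"""Toy first-match packet filter modelling the default-deny policy in the post.

Everything here (rule table, packet samples, helper names) is constructed
for illustration; it is not the syntax of any real router or firewall.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" (net -> 3000) or "out" (3000 -> net)
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for ICMP, which has no port


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str                  # "in", "out" or "any"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.direction in ("any", p.direction))
                and (self.proto in ("any", p.proto))
                and (self.dst_port is None or self.dst_port == p.dst_port))


# The policy from the post: filter ICMP (ping of death), SMTP both ways,
# DNS over both transports, HTTP both ways, POP3 inbound only, nothing else.
POLICY: List[Rule] = [
    Rule("deny",  "any", "icmp"),
    Rule("allow", "any", "tcp", 25),   # SMTP in and out
    Rule("allow", "any", "tcp", 53),   # DNS over TCP
    Rule("allow", "any", "udp", 53),   # DNS over UDP
    Rule("allow", "any", "tcp", 80),   # HTTP in and out
    Rule("allow", "in",  "tcp", 110),  # POP3 for remote mail clients
]


def evaluate(packet: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Services the post singles out as granting logins or file access.
# 23/telnet and 1537,1570/NSVT are from the post; 21/ftp is assumed.
LOGIN_OR_FILE_PORTS = {23: "telnet", 21: "ftp", 1537: "nsvt", 1570: "nsvt"}


def exposed_login_services(policy: List[Rule] = POLICY) -> List[str]:
    """Audit check: names of login/file-access services reachable from the net."""
    return sorted({name for port, name in LOGIN_OR_FILE_PORTS.items()
                   if evaluate(Packet("in", "tcp", port), policy) == "allow"})
```

Run the audit after every rule change: an empty list means none of the login or file-transfer services is reachable from outside.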
