Getting connected to outside mail is becoming a necessity for most companies. Just a few years ago, almost no small company cared about this at all, but that's rapidly changing. While giving browsing capability to desktops is still viewed with some reserve, internet mail is being embraced as entirely necessary. And, at more and more businesses, at least some level of internet access may be necessary too. This article may help clear up some confusion about these things. There's plenty of confusion out there, isn't there?
One of the fine distinctions often glossed over is that mail and browsing are two entirely different functions, and you don't necessarily need one to have the other. Browsing may require high speed connections, proxy servers or NAT routers (see Connecting to the Internet), but unless you have very large volumes of external e-mail, a dialup modem may be all you need for mail. Obviously many of us have need for high speed access for other reasons, and there are people who get mail with large attachments (engineering drawings are one example), but ordinary email by itself does not need anything more than dialup.
You probably want your own internet identity. For example, I have the domain "aplawrence.com". I don't maintain that domain myself; it is "hosted" for me by an ISP. Most ISPs will set up a domain for you very inexpensively. Mail directed to "aplawrence.com" actually goes to my hosting ISP. A very important point to understand is that your Email host and your Web site host do not have to be the same.
Email, web, ftp or whatever are all different, and each can be controlled or supplied independently of the other. This means you can have someone else host your web site, but run your own Email server (there are real advantages to that). It also means that Jack in your office can have complete access to browse the web, while Mary gets only email, and poor Bill gets nothing at all.
Why would you want your own email server? Mostly because it's just easier, and often it's cheaper and faster. You get to control who has email, you don't pay for extra mailboxes, you can have aliases ("sales@yourcompany.com") and so on. When someone sends mail to you, it will usually get to your server NOW- you don't have to wait for a big ISP to process it. Finally, sending email within your own company becomes completely instant- no waiting at all.
See Why run your own mail server? for more on that topic.
Your own web server can have advantages too, but often that makes more sense to outsource.
If you do decide you want to host your own mail or web server, you need it to have a "real" IP address. Machines inside your office are often set up to use "fake" IP addresses- addresses that cannot be used on the Internet. But a web or mail server needs a real address. You will either get a static or a dynamic ip address. A static (unchanging) address is better, but you don't necessarily need a static ip address even if you want to provide a web or ftp site.
You don't need (or even want) real ip addresses for each machine in your office. You may be given a small block of say 6 addresses, but you might only need one of them. The machines inside your office can have access to the web (if you want them to) by using something called NAT.
There's more on that below.
Microsoft makes a Web Server: Internet Information Server, or IIS. They also make a mail server, Exchange. They are fairly expensive, but you don't need to use either of these. Surprised? Email was around long before Microsoft, so for a change they couldn't make it proprietary- they can't lock you in on web or email.
For example, you don't need Microsoft Exchange to use Outlook or Outlook Express. These work quite happily with any POP or IMAP server. For example, I sell a very nice Firewall/Email/Web server that works beautifully with Outlook: see http://www.aplawrence.com/esmith.html
The first thing is to get connected. Your choices range from dialup PPP to full T1's or even higher (assuming you had the money and the need), but the typical small office probably will be using DSL, Frame Relay or a partial T1. Cable access is also starting to be seen.
At the lower ends of connectivity (DSL and Cable), the provider almost always also deals in the home connectivity market and therefore will provide some Windows based software, and that software may also be capable of sharing multiple machines. I'm not going to preach here why you don't want a business network relying on something like that; we're just going to plunge ahead into better options. However, I will note that (as usual) you probably are going to have to deal with Windows-centric support folk.
When dealing with these providers, be sure they understand what you want, and be sure you understand what they are providing and not providing. If you want a static IP address, be sure to say so, but also watch out that they don't give you (and charge you for) real IP addresses for every machine you have. If you are going to use a computer as a router, you don't need them to provide a router (though sometimes they will have to anyway just because it is part of their connection). The same is true for firewall, NAT or proxy software.
If you don't understand all of this after reading this and the related articles, you probably should hire someone who does to deal with all of this. You can waste a lot of money- I've seen many $10,000-20,000 installations that could have been done for a tenth of the cost.
You want to isolate your internal network from the Internet. The internal machines will have access to the web, to email, to ftp or to whatever you want to give them access to, but the big bad world shouldn't have access to them. Of course, there may be some machines or services that you do want the outside world to have access to, but your starting position should be everything isolated and closed off.
To achieve that isolation, the internal machines will use one of the private, unassigned network ranges (we called them "fake" addresses above). The advantage of this is that such addresses are non-routable on the Internet, so are effectively invisible and unusable- even if you connected a machine with such an address directly to the Internet, it wouldn't work, and that in itself is a large part of the isolation and protection we want. We give these invisible machines access through a gateway machine, a machine or router that has one address that is in our internal, private network, and one address that is real, and that real address is the connection to the internet. If we're using a computer for that function, that computer will have two network cards unless your internet connection is dialup.
Do you need to understand all that? Probably not. Do understand that this isolation also gives us control - for example, we can stop employees from browsing sex or gambling sites if we want to.
Your internet address (the external, real address) can be constant, or it can be assigned by DHCP. The advantage to a static, unchanging ip address is just that: it doesn't change. If you are providing access from the outside world to your network, that's very helpful. However, it's not absolutely necessary.
Most access to you isn't done by ip numbers anyway, it's done by name. Somebody points their web browser at www.yourcompany.com, not at 64.109.x.x or whatever. The actual ip address is looked up by DNS (Domain Name Service). When you registered yourcompany.com, somebody (probably your ISP) became responsible for providing that address to machines that need it.
If the address is static, the ISP just types in that number once and leaves it at that- your address never changes. However, if you have a dynamic address, it can and will change every now and then. Normally, you might keep the same address for days or even longer- the DHCP software generally is designed and configured to do that- but your address could potentially change at any time. If you have a dynamic IP address and you want "mycompany.com" to point to whatever address you have today, you need a Dynamic DNS Service to be the ones responsible for your address lookup, and you need to notify them (automatically, of course, through software) that your address has changed so that they can update their tables. There are all sorts of such services available, from free to not free; just search the Web for Dynamic DNS Service and you'll find plenty to choose from.
Either way, you now have the ability to offer services (web, ftp, etc.) from your computers. The service could be on a computer that has a real ip address, or it could actually be inside your network on one of the machines with those invisible, private addresses. How is that possible? Special software sitting on the machine that does have the real address redirects packets inward to the private address. This is an inward or reverse proxy function- most routers have this capability also.
Is that confusing? Don't panic- that's the sort of thing that I take care of for you.
This is what will provide the access and the NAT (Network Address Translation) that will let the internal machines work behind it. NAT is the software that translates an unroutable internal address into a real, usable external address.
If you want to be very compulsive and technical, most of us really use PAT (Port Address Translation) which is an overloaded NAT. Folks who worry about such distinctions think of NAT as providing a specific external address for each outgoing internal address. That wouldn't necessarily mean that you would have just as many external addresses as internal, but it would mean that the number of concurrent uses would be limited by the number of external addresses. With PAT, one external address is used for all internal machines- the software keeps track of what belongs to what by using different port numbers in the packets. Do you care? Probably not.
A firewall also limits what can come in to your machine from outside. The difficulty here is that you may actually want to provide some services: you may want to run a web site, or allow telnet or ftp access to your machine. That makes the firewall's job more difficult: it's fairly easy to just lock everything up so there is no access at all, but it's much more difficult to let the good guys in while keeping the bad guys out.
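To make the last few paragraphs concrete, here is a small simulation of what the NAT/PAT gateway does with each packet: outbound traffic from the private range is rewritten onto the one real address with a distinct port per flow, inbound traffic is passed inward only if it is a reply to a flow the gateway already knows about, or if it arrives on a port you have deliberately forwarded to an inside machine (the "reverse proxy" function described above), and everything else is dropped, which is what keeps the private machines invisible. This is an added example, not code from the article or from any router or firewall product; the class and function names are my own, and the addresses are constructed sample values (192.168.1.x for the office, 203.0.113.x and 198.51.100.x standing in for real Internet addresses).

```python
"""Toy PAT (overloaded NAT) gateway with one static inbound port forward.

Added example, not code from the article or from any router product. All
addresses and ports are constructed sample values; the names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXTERNAL_IP = "203.0.113.10"   # the gateway's single "real" address (constructed)

# The "fake", non-routable ranges the article refers to (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if the address is one of the non-routable office ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Rewrites addresses the way the article's NAT/PAT box does.

    Outbound: each (internal host, port, peer) flow gets its own port on the
    single external address, so many internal machines share one real address.
    Inbound: only replies to a known flow, or a configured port forward, are
    passed inward; anything unsolicited is dropped.
    """

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # (int_ip, int_port, peer_ip, peer_port) -> external port
        self.flows: Dict[Tuple[str, int, str, int], int] = {}
        # external port -> (int_ip, int_port, peer_ip, peer_port)
        self.by_ext_port: Dict[int, Tuple[str, int, str, int]] = {}
        # external port -> (int_ip, int_port): the deliberate "holes"
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, ext_port: int, int_ip: str, int_port: int) -> None:
        """Expose one internal service (e.g. a web server) on the real address."""
        self.forwards[ext_port] = (int_ip, int_port)

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        # Only private sources are translated; a host with any other address
        # is misconfigured and is not carried out to the Internet.
        if not is_private(pkt.src_ip):
            return None
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.flows.get(key)
        if ext_port is None:                 # new flow: allocate a port
            ext_port = self.next_port
            self.next_port += 1
            self.flows[key] = ext_port
            self.by_ext_port[ext_port] = key
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.external_ip:
            return None
        # A packet arriving from the Internet with a private source is spoofed.
        if is_private(pkt.src_ip):
            return None
        flow = self.by_ext_port.get(pkt.dst_port)
        if flow is not None:
            int_ip, int_port, peer_ip, peer_port = flow
            # Only the peer the internal host actually talked to may reply.
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
            return None
        forward = self.forwards.get(pkt.dst_port)
        if forward is not None:              # the reverse-proxy / port-forward case
            return Packet(pkt.src_ip, pkt.src_port, forward[0], forward[1])
        return None                          # unsolicited: internal network stays invisible


def demo() -> None:
    gw = PatGateway(EXTERNAL_IP)
    gw.add_port_forward(80, "192.168.1.50", 80)          # internal web server
    out = gw.translate_outbound(Packet("192.168.1.20", 1025, "198.51.100.5", 80))
    print("outbound, as seen on the Internet:", out)
    print("reply to that flow:", gw.translate_inbound(Packet("198.51.100.5", 80, EXTERNAL_IP, out.src_port)))
    print("unsolicited to port 22:", gw.translate_inbound(Packet("198.51.100.7", 3333, EXTERNAL_IP, 22)))
    print("forwarded to web server:", gw.translate_inbound(Packet("198.51.100.7", 3333, EXTERNAL_IP, 80)))


if __name__ == "__main__":
    demo()
```

Note the two defensive checks a real gateway also makes: a reply is only accepted from the exact peer the internal machine contacted, and a packet from the outside claiming a private source address is discarded. Every `add_port_forward` entry is a deliberate exception to the "everything closed" starting position, which is why the article recommends keeping the forwarded services to the ones you actually mean to offer.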
As mentioned above, the services you provide could be located on the firewall machine, or on a machine inside your network. They could also be hosted on a machine outside the firewall- this is often called a DMZ (Demilitarized Zone). Basically you have an external network with real IP addresses and one of these is a gateway/firewall to your internal network. More complicated installations have multiple layers of firewalls.
You'll also hear the term "proxy server". Actually, NAT provides a proxy service; proxy just means that somebody else is representing you, and that's just what NAT does. However, when people say "proxy server", they usually mean something different, and they usually specifically mean a web browsing proxy server. The difference is this: with NAT, you don't do anything special to browse the web- just use your browser with your default gateway pointing at the NAT machine and it works. However, if you have a web proxy server, you need to tell your browser that you are using it- that's a setting you make that points your browser to the proxy (that may be done automatically). Often, the proxy server is also a cache server- it will cache frequently accessed pages to improve performance. It may also offer filtering capabilities- the ability to restrict access to certain pages or perhaps to grant or deny access to certain users. That is also where we get the ability to control what people access.
You don't need to understand this, but you might want to.
SMTP means Simple Mail Transport Protocol- it's how email moves across the Internet. Once email gets to your mail server, you'll use POP or IMAP to get it to your Windows machine. Neither POP nor IMAP deliver mail or are used to send mail- they are only what moves the mail from the server to your machine. When you send mail from a Windows machine, you aren't using POP or IMAP- you are talking to an SMTP server. That may, of course, be running on the same machine, but it could be different.
The major difference between POP and IMAP is that IMAP downloads only header information until you actually want to read the message. This is good for slow links: you don't waste time downloading the body of a message you aren't going to read.
Sendmail is what sends mail OUT. If you have a domain name, and have an SMTP server, you can have your MX (mail exchange) record pointed to your server. In that case, sendmail (or something like it) would handle incoming mail also.
If you don't (or even if you do), you might have a multidrop POP mailbox somewhere. That's a mailbox where all your mail gets collected. It's called multidrop because you can have any number of names going to one place. In this case, you'd use something like "fetchmail" on your server to bring the mail down and distribute it.
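The multidrop arrangement just described depends on one step that is easy to get wrong: deciding, for each message pulled out of the shared mailbox, which local mailbox it belongs in. The script below does that step by hand, the way a program like fetchmail does it on your server. It is an added example, not the article's code and not fetchmail's own source; the domain "yourcompany.com", the users, the alias and the three sample messages are constructed. The security-relevant point it shows is that the envelope recipient recorded by the ISP's server (here assumed to be an `X-Envelope-To` or `Delivered-To` header) is what should drive delivery, because the `To:` and `Cc:` headers are written by the sender and may omit the real recipient (Bcc) or name people at other domains, and mail for other domains must never be relayed onward.

```python
"""Route messages from one multidrop POP mailbox to local mailboxes.

Added example, not the article's code and not fetchmail's source. Domain,
users, aliases, header names and sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

LOCAL_DOMAIN = "yourcompany.com"                  # constructed
MAILBOXES = {"jack", "mary", "postmaster"}        # real mailboxes on our server
ALIASES = {"sales": "jack"}                       # sales@ lands in Jack's box
FALLBACK = "postmaster"                           # for local mail we cannot place


def local_recipients(raw_message: str) -> List[str]:
    """Decide which local mailboxes one message from the multidrop box goes to."""
    msg = message_from_string(raw_message)
    # The envelope recipient recorded by the ISP's server is authoritative;
    # To:/Cc: are the sender's words and may omit us (Bcc) or list other
    # domains. Fall back to them only when no envelope header survived.
    headers = msg.get_all("X-Envelope-To") or msg.get_all("Delivered-To") or []
    if not headers:
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    boxes: List[str] = []
    for _name, addr in getaddresses(headers):
        user, _, domain = addr.rpartition("@")
        if domain.lower() != LOCAL_DOMAIN:
            continue                              # not ours: never relay it onward
        user = ALIASES.get(user.lower(), user.lower())
        if user in MAILBOXES and user not in boxes:
            boxes.append(user)
    return boxes or [FALLBACK]                    # unknown local user: postmaster looks at it


def distribute(raw_messages: List[str]) -> Dict[str, List[str]]:
    """Sort a batch of fetched messages into per-mailbox lists of subjects."""
    delivered: Dict[str, List[str]] = {}
    for raw in raw_messages:
        subject = message_from_string(raw).get("Subject", "(no subject)")
        for box in local_recipients(raw):
            delivered.setdefault(box, []).append(subject)
    return delivered


# Constructed sample messages, as they might sit in the multidrop mailbox.
SAMPLE_MESSAGES = [
    # Bcc'd to sales@: only the envelope header says who it is for.
    "X-Envelope-To: sales@yourcompany.com\n"
    "From: buyer@example.net\nTo: undisclosed-recipients:;\nSubject: quote request\n\n"
    "Please send a quote.\n",
    # No envelope header survived; fall back to To:/Cc:, ignoring the other domain.
    "From: partner@example.org\n"
    "To: Jack <jack@yourcompany.com>, mary@YourCompany.com\n"
    "Cc: someone@example.org\nSubject: meeting\n\n"
    "See you Monday.\n",
    # Bill has no mailbox here, so this goes to the postmaster.
    "X-Envelope-To: bill@yourcompany.com\n"
    "From: friend@example.net\nTo: bill@yourcompany.com\nSubject: hello Bill\n\n"
    "Bill has no mailbox here.\n",
]

if __name__ == "__main__":
    for box, subjects in distribute(SAMPLE_MESSAGES).items():
        print(f"{box}: {subjects}")
```

Whether your ISP's server actually adds an envelope header, and what it is called, is something to confirm with them before relying on a multidrop box; without one, a message sent to you as a Bcc cannot be delivered correctly by any program, which is the classic multidrop failure.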
See E-Smith Server and Gateway as an example of a mail server that can do these things.
You can build your own gateway and firewall using Microsoft or Linux. You can also buy packaged solutions like the E-Smith server also referenced above. For small offices, you can use products like Multitech's Routefinder or ProxyServer.
Or, you can go out and spend a ton of money on a high priced Cisco router, an NT server with Exchange, and a Pix firewall. After all, it's your money, and if you want to waste it, that's certainly your choice.
© November 2002 A.P. Lawrence. All rights reserved