FastMail.FM Technology

Where possible, we use open source technology. Not only is much open source technology of high quality, but the ability to modify, add to and change the source allows us to integrate changes that best suit our requirements and customers. Where possible, we always try to contribute changes that we feel are generally useful back to the appropriate communities.

Locations

Our main servers are located at NYI in New York City, USA. Their facility is a high-security, video-monitored location with backup power, air conditioning and fire systems, plus 24x7x365 monitoring and onsite technical support.

Software

Kernel/overview

  • Linux (custom patched kernel)

  • Kernel-level firewalling

  • SSH security for all communications

  • Debian based distribution for timely security updates

Database

  • MySQL database server

  • InnoDB tables for ACID compliance

  • Nightly hot backups of the database to external site

  • Continuously monitored replication to a secondary database server and an offsite server

We were early adopters of the InnoDB table engine and have found it one of the best storage engines available. Good recoverability means that even after hard crashes, the database is in a sane state. Hot backups allow nightly snapshots of the database to be made and taken offsite. Clustered indexing allows us to organise our data in exactly the way we want to ensure user data is accessed quickly.

Web serving

  • nginx frontend proxy, including SSL support and automatic compression

  • Apache backend servers with mod_perl

The main application is written in Perl using a custom web framework. To ensure as secure an application as possible, we run with taint mode enabled and also ensure all database queries use placeholder variables to avoid SQL injection attacks.

To reduce XSS-style attacks, we use web sessions that require both a URL parameter and a cookie. Once you log in, all URLs contain a "session salt" parameter. This parameter is required to determine which cookie is currently valid and in use. Neither part alone is enough; both are required to access a particular web session.
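
A minimal sketch of a session check that needs both the "session salt" URL parameter and a cookie, as described above. This is an added example, not FastMail's code: the parameter name `salt`, the `sess_<salt>` cookie naming, the in-memory `SESSIONS` store and the `mail.example` host are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical in-memory store: salt -> (username, SHA-256 of the cookie token).
SESSIONS = {}


def cookie_name(salt):
    # Assumed convention: the salt in the URL selects which cookie to read.
    return "sess_" + salt


def login(username):
    """Create a session; return the URL salt and the cookie to set."""
    salt = secrets.token_urlsafe(8)     # travels in every URL
    token = secrets.token_urlsafe(32)   # travels only in the cookie
    SESSIONS[salt] = (username, hashlib.sha256(token.encode()).digest())
    return salt, {cookie_name(salt): token}


def authenticate(url, cookies):
    """Return the username only if the URL salt and its matching cookie agree."""
    salts = parse_qs(urlsplit(url).query).get("salt", [])
    if len(salts) != 1:                 # missing or duplicated parameter
        return None
    record = SESSIONS.get(salts[0])
    presented = cookies.get(cookie_name(salts[0]))
    if record is None or presented is None:
        return None
    username, token_hash = record
    digest = hashlib.sha256(presented.encode()).digest()
    return username if hmac.compare_digest(digest, token_hash) else None


if __name__ == "__main__":
    # Constructed sample: two sessions, URLs on a placeholder host.
    salt_a, jar_a = login("alice")
    salt_b, jar_b = login("bob")
    url_a = "https://mail.example/inbox?salt=" + salt_a
    print(authenticate(url_a, jar_a))                          # both parts
    print(authenticate("https://mail.example/inbox", jar_a))   # cookie only
    print(authenticate(url_a, {}))                             # salt only
    print(authenticate(url_a, jar_b))                          # mismatched pair
```

Because the cookie is looked up by the salt in the URL, one browser can hold several sessions at once and each URL only ever unlocks its own.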

We have contributed a number of Perl modules we created back to CPAN for the Perl community to use. See ROBM, HOWARD and BRONG.

Email MTA and delivery

  • Postfix secure mailer

  • SpamAssassin for spam scanning

  • Additional SARE spam rules to improve spam scoring

  • Additional custom rules to improve spam scoring

  • Custom "backscatter" detector to catch unwanted backscatter

  • ClamAV for virus scanning

  • Custom Perl LMTP proxy to deliver messages from Postfix to backend IMAP/POP servers

We maintain a small set of patches against Postfix that some people might find useful.

Email IMAP and POP server

  • Cyrus IMAP/POP server

  • Realtime replication for redundancy

  • Secure MD5 hashes to ensure safe replication

  • Regular monitors to check replication on both sides and that all data is consistent

We maintain quite a large set of patches against the Cyrus IMAP/POP server. Over time these patches are being accepted into the main Cyrus code base, as most of them are related to reliability, consistency and performance improvements.

Backups

  • Nightly incremental backups of all email in all accounts

  • All backup data stored on a separate server to the IMAP/POP server, a Sun x4500 with ZFS filesystem

File storage

  • Custom Perl storage API implementation

  • Uses a database for meta data

  • Uses secure SHA1 hashes to store files N way distributed over multiple servers

  • Uses modified Net::DAV::Server and Net::FTPServer modules to provide DAV and FTP access

Hardware

  • IBM servers (mostly x345/x346 and x3550) for database, IMAP/POP, file, load balancing, spam scanning and web servers. All servers have 24x7 support contracts with 4 hour response time.

  • SATA-to-SCSI RAID storage units (based on high performance ARECA controllers with battery backup RAM) for email storage. Spare units and drives on hand in case of failures.

  • Polywell whitebox servers for low priority redundant services

  • Sun x4500 for storing backups

All IBM, Sun and SATA-to-SCSI units have dual power supplies and are connected to separate power circuits. All circuits are monitored to ensure there's no overuse that might trip a circuit breaker.

You can see a layout of our cabinets and some photos if you're really interested.

Network

  • Cisco switches with separated internal and external networks

  • In regular usage, DNS load balanced frontends with automatic failover via Linux high availability services

  • Multiple redundant external connections to top tier providers

  • 100% uptime guarantee

  • More information at NYI network page