M-Switch provides boundary services to interconnect organizations and networks at the messaging (application) level. There are a number of reasons why interconnection at the application level, typically using the SMTP protocol for message transfer, is desirable, as opposed to network level connectivity:
- Separation. A desire to clearly separate internal and external systems, to avoid contamination or confusion.
- Audit and Tracking. To ensure that all communications across the boundary are clearly recorded and managed.
- Conversion. To deal with different syntax, functionality and protocol requirements on either side of the boundary.
- Authorization and Checking. To validate and control messages going across a boundary, often in conjunction with network firewall protection.
Key features of the Isode solution, described in more detail below, are:
- Audit & Tracking. M-Switch archives messages and stores message and acknowledgement information in an audit database, providing sophisticated tracking and monitoring.
- S/MIME Signing & Encryption, to support differing local, boundary and remote security requirements.
- Security Label support for access control and mapping between different security label formats and policies.
- Authorization based on message, user and destination to control what is sent across the boundary.
- Anti-Virus and Content Checking to prevent malware and other threats.
- Monitoring and Management to support a resilient, managed and controlled boundary service.
Audit & Tracking
Messages are archived as they are transferred by M-Switch. This enables:
- Operator inspection of messages that have been transferred.
- Operator forwarding of messages (e.g., where re-send is required).
Message and acknowledgement details are recorded in an audit database, shared between multiple M-Switch instances. This allows sophisticated message tracking across the boundary. The data also supports correlation of delivery reports and read receipts, so that unacknowledged messages can be viewed by the operator or automated alerts sent. Further information is given in [Using Message Acknowledgements for Tracking, Correlation and Fire & Forget].
S/MIME Signing & Encryption
S/MIME provides PKI-based digital signatures and encryption for SMTP-based messages. M-Switch can verify, strip, and add S/MIME signatures, which is important where checks need to be made across boundaries and where PKI and signature requirements vary.
M-Switch may also be extended by the M-Switch Encryption option, which provides S/MIME message encryption and decryption options.
M-Switch provides flexible support for security labels. It supports a variety of security label encodings and standardized security policies. This includes ESS Security Labels carried in S/MIME, security labels in message headers (e.g., SIO-Label:) and First Line of Text (FLOT) security labels.
M-Switch provides access control, so that the security label of a message can be checked against the security clearance of a recipient or message transfer path.
M-Switch provides flexible security label conversion between supported formats and policies, to enable mapping between systems with different security label requirements. Further details are provided in the [Security Label Capabilities in M-Switch] whitepaper.
Authorization and Message Checking
M-Switch provides a range of rule-based controls that use message parameters to decide whether or not a message is routed. This includes:
- Control by message parameters, such as size, S/MIME signature, and priority.
- Control by originator and recipient.
- Reputation controls, including DKIM and SPF.
- Anti-Spam mechanisms, including RBL checks.
Anti-Virus, Content Checking and Conversion
M-Switch provides checks on message content, to control which messages are allowed through, including:
- Anti-Virus checking to prevent viruses and malware, using third-party AV packages. Options are ClamAV (free), Sophos and Norman (commercial).
- Word checking, to provide dirty word blocking capabilities.
M-Switch also provides message conversion capabilities:
- Stripping of selected body part types and file types, to meet destination requirements.
- Mapping of message headers and addresses, to support address space transformation.
Monitoring and Management
Isode's MConsole management tool, shipped with our messaging server products, provides client/server GUI management and monitoring, which enables multiple M-Switch servers to be configured and monitored from multiple remote locations.