1

Topic: iRedAdmin-Pro offered as a SaaS solution

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====Hi all,

Due to the coming changes in license for iRedAdmin-Pro I was thinking of an offer for iRedAdmin-Pro as a SaaS solution.

It would require a new installer which didn't install iRedAdmin and instead enabled remote access for the hosted iRedAdmin-Pro. For security reason I would suggest some kind of proxy running locally on the users installation using strong encryption (OpenVPN, certificate based login via SSH, or IPSec) to communicate back to the hosted iRedAdmin-Pro. Hosting  iRedAdmin-Pro should not be resource hungry so a proper dedicated server would easily run 1000 of hosted  iRedAdmin-Pro for users. This gives several benefits:
1) User need not bother with any configuration
2) User always runs newest  iRedAdmin-Pro
3) Help is easier to provide since a dedicate connection exists between iredmail.org an user
4) If awstats could be served from same interface no need for local web server on mail server (more secure)
5) The business deal between iredmail.org and customer is more straight forward
6) The cut between open source and closed source is more obvious
7) Separation between  iRedAdmin-OSE and  iRedAdmin-Pro could be skipped since the  iRedAdmin available will be the one available from bitbucket and the supported one is the version available at iRedAdmin-hosted-solution
8) Users wanting to create their own extensions using an open API can upload to the server after proper inspection to there own instance

Above means iRedAdmin can continue to be developed as free software since the closed source part will be run in the cloud and users will be able to switch easily between the open and the closed offer simply by shifting interface from local to remote in the iRedAdmin proxy. This will also make it a lot easier for customers to develop there own extensions since a local installed iRedAdmin will act exactly as the hosted version.

The iRedAdmin proxy will use a JSON interface to communicate between iRedMail and iRedAdmin.

What do you all think of this?
Will there be a demand for iRedAdmin provided as a SaaS solution?

Happy new year to all

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: iRedAdmin-Pro offered as a SaaS solution

I implemented a draft edition of SAAS iRedAdmin-Pro before (not perfectly implemented, it just works as a prototype). It requires customer to:

1) provide SQL/LDAP credential (but iRedAdmin-Pro doesn't store them anywhere, of course). iRedAdmin-Pro (SAAS) must access customer's SQL/LDAP servers through secure connection (e.g. LDAPS or LDAP over TLS). And since iRedAdmin-Pro doesn't store credentials, customer is asked to provide them again next time.

2) open network ports of SQL/LDAP services on customer's server. If customer doesn't want to allow iRedAdmin-Pro to manage accounts, it's ok to close these network ports anytime.

The biggest concern is privacy. As you can see, iRedAdmin-Pro (SAAS) can access all your account data. Buying one license of iRedAdmin-Pro and deploy on your own server is much easier and you don't need to worry about privacy.

Let's see how others think about this idea.

3

Re: iRedAdmin-Pro offered as a SaaS solution

The solution I have in mind does not require to open any network ports since all communication goes through a proxy which is activated on demand through an encrypted tunnel.

4

Re: iRedAdmin-Pro offered as a SaaS solution

A encrypted tunnel is a good idea, but it requires too much modification in iRedAdmin-Pro part. Since no obvious demand, it won't be possible to implement iRedAdmin-Pro this way.

5

Re: iRedAdmin-Pro offered as a SaaS solution

ZhangHuangbin wrote:

A encrypted tunnel is a good idea, but it requires too much modification in iRedAdmin-Pro part. Since no obvious demand, it won't be possible to implement iRedAdmin-Pro this way.

Not necessarily. A proxy on the iRedAdmin-Pro listening to the used ports:
1) accepting requests from iRedAdmin-Pro
2) encode the request to JSON
3) invoke the remote proxy sending the encoded request
4) receive response and decode from JSON
5) reply to iRedAdmin-Pro in the appropriate way

Above means no change in iRedAdmin-Pro.

What is needed is:
1) local proxy
2) remote proxy
3) tunnel broker in each proxy

6

Re: iRedAdmin-Pro offered as a SaaS solution

It will be a big project... Not a good idea.

Why not use LDAP over TLS (port 389) or LDAPS (port 636), MySQL/PostgreSQL secure connection instead?

7

Re: iRedAdmin-Pro offered as a SaaS solution

ZhangHuangbin wrote:

It will be a big project... Not a good idea.

Why not use LDAP over TLS (port 389) or LDAPS (port 636), MySQL/PostgreSQL secure connection instead?

If using direct connections maybe it would be an idea to change to not so well known ports. Eg. 30389/30636, 33306, 35432 to remove noise from the logs.

I don't consider this a big project since all services are text based protocols so making a proxy is not rocket science but merely a matter of implementing a state machine.