Price: Starts at $4,600
The Tumbleweed MailGate 5500 appliance is a solid e-mail security solution and a hardened Linux platform designed for easy integration into large infrastructures. For the most part, it works as advertised, but there are some unresolved issues and trade-offs in control that enterprises will have to accept.
Enterprise IT departments will find that MailGate is a good value proposition for the price. The appliance includes a comprehensive package of e-mail security tools: antispam, antivirus, attack defenses and server-to-server encryption.
The antispam capability is serviceable, but is something of a black box; there is virtually no information on its operation, no way to tune the filters or even see the purported 500 filter updates per hour provided by the Tumbleweed Message Protection Lab program. Several competing appliances offer finer user controls, but Tumbleweed chooses to offload the antispam fine-tuning, leaving users to rely on Tumbleweed's internal filtering, which, the company says, scans more than 400 million messages daily.
MailGate's antivirus engine is supplied by either McAfee or Kaspersky Labs; users can choose which they'd prefer before purchase.
The embedded Edge Defense module protects against directory harvest and DoS attacks, and provides traffic-shaping capabilities and recipient verification.
Encryption may be configured as a push for outbound e-mail or a pull to encrypt stored inbound mail until it is retrieved. Tumbleweed has recently added OpenPGP support to its standard SSL, S/MIME and TLS encryption mechanisms, giving enterprises a wider range of choices. (For granular content filtering and control over policy-based encryption, MailGate can route messages through another Tumbleweed product, MailGate Secure Messenger.) Other e-mail security vendors, such as IronPort and CipherTrust, provide policy-based encryption capabilities in a single high-end appliance.
MailGate also has a number of minor security concerns. Individually, they are not really a problem, but they give the overall impression of sloppiness. There were several minor Web server-based holes that Tumbleweed said would be fixed by time this article is published. The largest of these was in its image-rendering engine, while the more minor ones were contained in default configuration errors.
When you consider that both http and https access to the appliance is permitted, you get the feeling that security was an afterthought. We see no good reason to allow unprotected http access.
Installation and initial configuration was more of a chore than we would have liked. The initial network addressing is performed by the front LCD and arrow buttons instead of the DOS-like screen employed by most vendors, making initial IP configuration a little tedious.
There is no console installation process. The bright point was the great Quick Start Guide, which is well laid out and easy to read.
Moreover, the administrative interface starts with one of the best executive dashboards we've seen--very clean and informative. It's easy to navigate and has a solid help system. And MailGate has one of the nicest diagnostics systems we've seen in a long time. It checks the health of all major subsystems in a well-designed interface and gives a concise report of conditions, which makes ongoing maintenance a lot easier.
Despite its issues, if you're prepared--or prefer--to trade antispam policy control for ease of management, MailGate is, on balance, a capable e-mail security appliance at a good price.
This product review first appeared in the April 2006 edition of Information Security magazine.