Subject: Architecture Criticisms?
From: Ari Gordon-Schlosberg (regs@nebcorp.com)
Date: Thu Dec 21 2000 - 23:14:36 CST


Folks, I'm in the process of implementing a mail system for a medium-sized
company using postfix. You can look at this as a case study, or what have
you. What I'm looking to get out of this is a critique of the design (so
we can fix it). I think I have it pretty much right, but I'm curious what
other people's opinions are.

All machines are high-end PCs running NetBSD 1.5.

So the basic set up looks like this:

   Internet (Link #1)        Internet (Link #2)
         |                          |
         |                          |
   ______|______              ______|______
   |   MX 1    |              |   MX 2    |
   |___________|              |___________|
         |                          |
         |__________________________|
                       |
                       |
                 ______|______           _______
    VPN _________| MX-ROUTER |___________| NMS |
                 |___________|           |_____|
                       |
                       |
                       |
                 Other Machines

Both MX1 and MX2 are running postfix, as is MX-ROUTER. NMS is being used as
the end-user interface (POP/IMAP server). So mail flow is envisioned thusly:

INCOMING MAIL:

1) Mail is received by either MX1 or MX2.

2) Using a transport map, they push all mail for our domain to MX-ROUTER.

3) MX-ROUTER does an ldap lookup on the user and routes mail accordingly.

4a) Mail is routed via VPN to (a currently non-existent) other office.

4b) Mail is routed to NMS for Windows users.

4c) Mail is routed to workstations/departmental servers that are running an
    MTA.

OUTGOING MAIL:

1) Mail is received via SMTP by MX-ROUTER

2a) (Local User) jump to step 3 in INCOMING MAIL

2b) Mail is passed to MX2 for outgoing transport

3) MX2 masquerades the local domain and delivers the mail

QUESTIONS:

So I have a few questions that relate to this setup, to figure out the best
way to set this up.

1) using fallback_relay on MX2 should get it to send mail via MX1 if the
network is down for MX2. However, if we do the same thing on MX1
(fallback_relay=MX1), will it cause a mail loop if both links are down?

2) At what point should we enable the LDAP lookup? virtual or alias?
After poring through the postfix docs, the only thing that I can come up with
that makes a difference at all is that virtual rewriting would skip the
local delivery step (where alias transformations are done). Is this conclusion
correct, and would it thusly create (however *totally* marginal when compared
with an LDAP lookup) performance wins?

3) As I understand it, if we want to use LDAP lookups, I'll need to do it
for all mail, internal and external (assuming that MX-ROUTER is being used
to route smtp out of the net as well as in). Given that a simple regexp
would let me short-circuit away from the ldap lookup, is there some way I
can leverage something like: /.*/!/[^]+domain\.com/ ?

Or perhaps if I set a transport line for local mail of local: and then used
the LDAP lookup in the aliases step to expand it back out to a non-local
address?

4) What are good settings for reliable mail transport on NetBSD for the
file systems?

5) Configuration checks:

For MX1:

alias_database = hash:/etc/mail/aliases
allow_untrusted_routing = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
inet_interfaces = all
local_destination_concurrency_limit = 2
luser_relay = $user@domain.com
mail_owner = postfix
mydestination = $myhostname
mydomain = domain.com
myhostname = mx1.domain.com
mynetworks = 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, XXXXPUBNETXXXX,
XXXXPUBNETXXXX, 192.168.0.0/16
myorigin = $mydomain
queue_directory = /var/spool/postfix
relay_domains = $mydomain,domain.net
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
transport_maps = hash:/etc/postfix/transport

And transport:

domain.com smtp:mx-router.internal.domain.com
domain.net smtp:mx-router.internal.domain.com

For MX2:

(same as MX1 with one added parameter)
fallback_relay = mx1.domain.com

For MX-ROUTER:

alias_database = hash:/etc/mail/aliases
allow_untrusted_routing = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
inet_interfaces = all
local_destination_concurrency_limit = 2
luser_relay = $user@domain.com
mail_owner = postfix
mydestination = $myhostname
mydomain = domain.com
myhostname = mx-router.internal.domain.com
mynetworks = 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, XXXXPUBNETXXXX,
XXXXPUBNETXXXX, 192.168.0.0/16
myorigin = $mydomain
queue_directory = /var/spool/postfix
relay_domains = $mydomain,domain.net
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
relayhost = mx2.domain.com
fallback_relay = mx1.domain.com

virtual_maps = hash:/etc/postfix/virtual, ldap:ldapdefault
(where ldapdefault is defined to the proper ldap lookup to resolve to a
list of maildrops for the user)

-- 
Ari							there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
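One way to reason about question 1 above (mutual fallback_relay between MX1 and MX2 when both links are down), as an added example that is not part of the original post and not Postfix code: a small Python model of the fallback_relay hand-offs between the two MX hosts. It does not run Postfix. What it assumes: a host whose Internet link is up delivers directly; a host whose link is down hands the message to its fallback_relay if it has one, and every hand-off adds one Received: header; a host whose link is down and that has no fallback_relay keeps the message in its deferred queue. The one Postfix fact it relies on is that cleanup(8) bounces a message whose Received: header count exceeds hopcount_limit (default 50), so a mutual fallback_relay does not loop forever, but it does turn one undeliverable message into a burst of fifty hand-offs and a bounce. Host names are taken from the diagram; `make_hosts`, `find_fallback_cycle` and `route_outbound` are names chosen here for the model.

```python
"""Toy model of the fallback_relay loop question.

Added example, not code from the original post; it does not run Postfix.
Assumptions: link up => direct delivery; link down => hand off to
fallback_relay (one Received: header per hand-off) or sit in the deferred
queue if there is no fallback; the receiving Postfix bounces a message
whose Received: count exceeds hopcount_limit (Postfix default: 50).
"""
from dataclasses import dataclass, field
from typing import Optional

HOPCOUNT_LIMIT = 50  # Postfix default value of hopcount_limit


@dataclass
class Host:
    name: str
    internet_up: bool
    fallback_relay: Optional[str] = None  # name of another Host, or None


@dataclass
class Outcome:
    status: str                              # "delivered", "deferred" or "bounced"
    path: list = field(default_factory=list)  # hosts the message was accepted by


def find_fallback_cycle(hosts: dict) -> Optional[list]:
    """Static check on the configuration alone: follow fallback_relay
    pointers from every host and return the first cycle found as a list of
    host names (first name repeated at the end), or None if there is none."""
    for start in hosts:
        seen = []
        cur = start
        while cur is not None and cur not in seen:
            seen.append(cur)
            cur = hosts[cur].fallback_relay
        if cur is not None:
            return seen[seen.index(cur):] + [cur]
    return None


def route_outbound(hosts: dict, start: str) -> Outcome:
    """Follow one outbound message through fallback_relay hand-offs under
    the given link state, until it is delivered, deferred or bounced."""
    received_headers = 0
    cur = start
    path = [cur]
    while True:
        host = hosts[cur]
        if host.internet_up:
            return Outcome("delivered", path)
        if host.fallback_relay is None:
            # Nowhere to hand off: the message waits in this host's deferred queue
            return Outcome("deferred", path)
        received_headers += 1
        if received_headers > HOPCOUNT_LIMIT:
            # The next host would see too many Received: headers and bounce it
            return Outcome("bounced", path)
        cur = host.fallback_relay
        path.append(cur)


def make_hosts(link1_up: bool, link2_up: bool, mx1_fallback: Optional[str]) -> dict:
    """Build the two MX hosts from the post; MX2 always falls back to MX1,
    MX1's fallback is the parameter under discussion (None or "mx2")."""
    return {
        "mx1": Host("mx1", link1_up, mx1_fallback),
        "mx2": Host("mx2", link2_up, "mx1"),
    }


if __name__ == "__main__":
    scenarios = [
        ("both links up", make_hosts(True, True, None)),
        ("link 2 down, MX1 without fallback", make_hosts(True, False, None)),
        ("both links down, MX1 without fallback", make_hosts(False, False, None)),
        ("both links down, mutual fallback", make_hosts(False, False, "mx2")),
    ]
    for label, hosts in scenarios:
        out = route_outbound(hosts, "mx2")
        print(f"{label}: cycle={find_fallback_cycle(hosts)} -> "
              f"{out.status} after {len(out.path) - 1} hand-offs")
```

`find_fallback_cycle` answers the configuration question without any link state: with `fallback_relay = mx2.domain.com` on MX1 and `fallback_relay = mx1.domain.com` on MX2 the two hosts form a cycle, and `route_outbound` shows what that cycle costs when both links are down. Without the cycle the message is simply deferred on MX1 and retried from its queue, which is the quieter failure mode.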