Split MTA Configuration with Solaris Zones

From: Martin McGreal (postfixmcgreal.org)
Date: Wed Mar 01 2006 - 12:23:16 CST


Hi,

I don't know if "Split MTA" is really the right technical description for
what I want to do, but here goes...

I am creating an email gateway using Postfix and Solaris 10. The system
will be in a DMZ, with network connections to an Internet-facing network,
and other connections to an internal DMZ network. I want to split my
system into 3 zones, the global zone and two local zones. One of my local
zones will be facing the Internet, and have no view of the internal DMZ
network. The other local zone will have a view of the internal DMZ
network, but not the Internet. I want a chrooted Postfix to listen for
inbound messages in the Internet-facing zone, and simply place them in the
inbound queue. The inbound queue will be on a file system that is shared
with the other local zone via the global zone, so a Postfix instance in
the DMZ-facing local zone will be able to then pick up the messages, and
pass them on into the internal network.

This configuration ensures that even in the event of a compromise of the
Internet-facing Postfix, and an escape from the chroot environment, there
will still be no access to the internal network.

Is it possible to split up Postfix like this? The cleanup process will not
actually be able to notify the qmgr process in the DMZ-facing zone, so the
qmgr will have to rely only on timing to sweep the inbound queue, right?
How badly would this configuration affect performance? Will the cleanup
process be ok with not being able to see a qmgr process?

If performance will be an issue, I was thinking of maybe creating a small
daemon for the DMZ-facing local zone that would detect when new files were
created and alert the qmgr. But then again that could take a lot of time
to do *correctly*, so I would probably first just drop back to a single
local zone configuration.

Thanks for any help!
Martin
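An added example, not code from the original post, of the small polling daemon the last paragraph describes: it snapshots the shared incoming queue directory and runs `postqueue -f` when new queue files appear, so the DMZ-facing qmgr does not have to wait for its periodic scan. The queue path, poll interval and wake-up command are assumptions to be adjusted for the real mount point.

```shell
#!/bin/sh
# Poll a shared Postfix "incoming" queue directory for newly created queue
# files and run a wake-up command when some appear. Added example; the
# default path /export/mailq/incoming is an assumed mount point for the
# file system shared between the two local zones, and "postqueue -f" is the
# stock Postfix command that asks the local qmgr to flush the queue now.
QUEUE_DIR="${QUEUE_DIR:-/export/mailq/incoming}"
WAKE_CMD="${WAKE_CMD:-postqueue -f}"
POLL_SECS="${POLL_SECS:-5}"

# Sorted list of queue files under a directory, one per line. The scan is
# recursive because Postfix splits a queue into hashed subdirectories when
# hash_queue_names includes that queue.
list_queue_files() {
    find "$1" -type f 2>/dev/null | sort
}

# Compare the previous snapshot file with the current listing; return 0 when
# at least one file is new, 1 otherwise. The snapshot file is updated in place.
# Usage: new_files_appeared DIR SNAPSHOT_FILE
new_files_appeared() {
    dir=$1; prev=$2
    cur=$(mktemp) || return 2
    list_queue_files "$dir" > "$cur"
    # comm -13 prints only lines unique to the second file: names not seen before
    added=$(comm -13 "$prev" "$cur")
    mv "$cur" "$prev"
    [ -n "$added" ]
}

# Daemon loop for the DMZ-facing zone: start with "watch_queue &".
watch_queue() {
    snap=$(mktemp) || exit 1
    list_queue_files "$QUEUE_DIR" > "$snap"
    while :; do
        sleep "$POLL_SECS"
        if new_files_appeared "$QUEUE_DIR" "$snap"; then
            # Files written by the Internet-facing zone: wake qmgr instead of
            # waiting for its next scheduled sweep of the incoming queue.
            $WAKE_CMD
        fi
    done
}
```

Because this only reacts to files already placed in the queue, it adds no new path between the two zones; the Internet-facing Postfix still has nothing to talk to except the shared file system.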