Architecting a 2-level mail system

Corey Edwards tensai at zmonkey.org
Wed Aug 17 13:04:44 MDT 2005


On Sat, 2005-08-13 at 09:13 -0600, Michael Torrie wrote:
> Here is my situation.  I currently have a large mail server sitting in
> the DMZ.  We would like to have the option of delivering mail (and
> storing IMAP folders) in users' home directories in their main file
> space.  Mounting the file server through the firewall into the DMZ is
> not acceptable.  
> 
> So to accomplish this same effect, I was thinking about having two mail
> servers, one in the DMZ and one in the trusted zone that has the file
> server mounted.  Mail will be filtered, anti-spammed, and virus scanned
> in the DMZ, and then passed via LMTP or even normal SMTP to the inside
> mail server where individual procmail recipes will be run and mail
> delivered to home directories in Maildir format.

I have a system very similar to this. We use LDAP for our user accounts
so that both machines can see all the valid user accounts. Ours is a
little more complicated because we have 2 back-end servers upon which we
distribute our accounts. So the front-end looks up the final destination
and routes it accordingly. The routing information is stored in LDAP.

> The outside mail server must allow smtp auth so that people outside the
> department can still relay mail through our servers.  Also mail sent
> from the inside must, due to external security reasons, go through our
> outside mail server.
> 
> IMAP and POP will simply be proxied through to the inside.

We have a whole slew of domains which we proxy and use Perdition for
that. It also looks in LDAP to find the user's destination server. For
your needs though that's probably overkill.

> Has anyone set up something like this before?  Is my idea sound at all?
> 
> <flame retardant suit on/>Our inside mail server will be sendmail, and
> because of its milter capabilities which make filtering so much nicer
> than any other MTA, I'm thinking about running Sendmail on the outside
> server too.  qmail is not an acceptable option, so don't mention
> it.<flame retardant suit off/>  The only thing I don't know how to do
> currently is tell sendmail to accept mail for local delivery, but then
> forward it on to the trusted mail server rather than deliver it.

Devil's in the details, eh? We use Exim so I can't give you any specific
help. I think it should be possible though.

Corey
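The one piece the question leaves open, a sendmail front-end in the DMZ that accepts mail for the inside domain and relays it to the trusted server instead of delivering it locally, can be done with the mailertable and access maps. The configuration below is an added example and is not from this thread or from any project's documentation; example.com, dmz-mta.example.com and mail-inside.example.com are placeholder names, and the certificate paths are assumptions.

```m4
dnl ===== DMZ front-end: /etc/mail/sendmail.mc (added example, placeholder names) =====
VERSIONID(`dmz front-end for a two-tier mail system')dnl
OSTYPE(`linux')dnl
dnl
dnl 1. Route mail for the inside domain to the trusted server instead of
dnl    delivering it here. The domain must NOT be listed in
dnl    /etc/mail/local-host-names on this host, or sendmail treats it as local.
FEATURE(`mailertable')dnl
dnl    /etc/mail/mailertable (rebuild with: makemap hash mailertable < mailertable):
dnl      example.com       esmtp:[mail-inside.example.com]
dnl      .example.com      esmtp:[mail-inside.example.com]
dnl    The square brackets skip the MX lookup, so mail goes straight to the
dnl    inside host instead of looping back to the DMZ MX record.
dnl
dnl 2. Permit relaying only for that domain; a non-local domain with no
dnl    RELAY entry is refused with "Relaying denied", which is what you want
dnl    for everything else.
FEATURE(`access_db')dnl
dnl    /etc/mail/access (rebuild with: makemap hash access < access):
dnl      To:example.com    RELAY
dnl
dnl 3. SMTP AUTH for users outside the department. The 'p' flag in
dnl    confAUTH_OPTIONS refuses PLAIN/LOGIN unless STARTTLS is active, so
dnl    passwords never cross the wire in clear; 'A' trusts the AUTH=
dnl    parameter only from authenticated senders.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `/etc/mail/certs/dmz-mta.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/dmz-mta.key')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

dnl ===== Inside server: /etc/mail/sendmail.mc (added example, placeholder names) =====
VERSIONID(`inside server for a two-tier mail system')dnl
OSTYPE(`linux')dnl
dnl Here example.com IS in /etc/mail/local-host-names, so mail is delivered
dnl locally, and procmail is the local mailer so per-user recipes run.
FEATURE(`local_procmail')dnl
dnl All outbound mail leaves through the DMZ host, never directly.
define(`SMART_HOST', `[dmz-mta.example.com]')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```

The two halves go on different hosts; the front-end never holds the domain as local and the inside server never talks to the Internet, which keeps the DMZ box a pure relay and filtering point with no user mailboxes on it.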
