Hi,

I'm in the process of re-configuring our firewall + mail services and have
something like the following in mind:

                            +-------------+
                            |     ISP     |
                            |  mail relay |
                            +-----+-------+
          Internet                |
       -------+-------------------+---
              |
         +----+-----+      +----------+
         | exterior |      | bastion  |
         |  router  |      |   host   |
         +----+-----+      +----+-----+
              |                 |
              |   perimeter network
       -------+-----------------+-------
              |      193.123.253.128-143 (255.255.255.240)
         +----+------+
         | interior  |  (address translation)
         |  router   |
         +----+------+
              |
              |   internal network
       -------+------------------------------
              |      172.16.x (255.255.240.0)
        +-----+------+
        |  internal  |
        |  mail host |  relays all internal mail
        +------------+

Incoming mail will be received by the bastion host and forwarded through the
interior router to the internal host using qmqp. Outgoing mail will either be
delivered direct by the internal mail host or forwarded to our ISP's relay
(I've not decided which yet).

I have no problems with things so far. In fact, it worked first time when I
fired it up (well, the mail side of things did - I haven't got the network
topology set up just yet).

My question is regarding mail generated on the bastion host, i.e. root mail,
messages from the proxy cache (this machine will also be running squid), and
mail from any security measures I may put in place. Am I right in thinking
that I will need a full qmail installation to deal with this mail, or would it
be possible to "deliver" mail generated locally on the bastion host to the
internal mail host? e.g.:

    [EMAIL PROTECTED] --> [EMAIL PROTECTED]
    [EMAIL PROTECTED] --> [EMAIL PROTECTED]
    etc.

Also, I'm not sure whether I need to set up anything special in our DNS for
this to all work. I am following the recommendations in the O'Reilly book
"Building Internet Firewalls" to hide internal DNS data. The DNS will be set
up as follows:

 - a "fake" external DNS with limited information (either hosted by our ISP
   or running on the bastion host). Used by external clients, the bastion
   host, and any other machines on the perimeter network. Basically just has
   MX data and details of our externally hosted website. Also receives
   forwarded requests from the internal DNS server.

 - a "real" DNS on the internal mail host. Used by internal clients. Contains
   all internal domain information (eoc.org.uk).

Presumably, since qmqp uses IP addresses in qmqpserver, it doesn't need to use
DNS at all? i.e. the bastion host doesn't need to know any details of the
internal DNS; it will just relay all incoming mail to the internal mail host?
What about locally generated mail (see previous question)? Again, presumably
that wouldn't need DNS to work correctly?

Thanks for any contributions...

R.
--
Robin Bowes, System Development Manager, Equal Opportunities Commission,
Room 405A, Overseas House, Quay St., Manchester, M3 3HN, UK.
Tel: +44 (0) 161 838 8321  Fax: +44 (0) 161 835 1657

Lord, grant me the serenity to accept the things I cannot change, the courage
to change the things I can, and the wisdom to hide the bodies of the people I
had to kill because they pissed me off - Anon.
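Added example, not from the original post or from qmail itself: the QMQP package format that a qmail-qmqpc client on the bastion would hand to qmail-qmqpd on the internal mail host, with a server-side decoder that validates the netstring framing before trusting any length field. All host names and addresses are constructed.

```python
# QMQP nests netstrings ("<len>:<bytes>,") for the message, the envelope sender
# and each recipient inside one outer netstring; the server answers with one
# netstring whose first byte is K (accepted), Z (temporary) or D (permanent).

def netstring(data: bytes) -> bytes:
    """Frame bytes as a netstring: decimal length, ':', payload, ','."""
    return b"%d:%s," % (len(data), data)

def parse_netstrings(buf: bytes, max_len: int = 10 * 1024 * 1024) -> list:
    """Split a buffer into netstring payloads, rejecting malformed/oversized frames."""
    items, i = [], 0
    while i < len(buf):
        colon = buf.find(b":", i, i + 11)  # length field: at most 10 digits
        if colon < 0 or not buf[i:colon].isdigit():
            raise ValueError("bad netstring length at offset %d" % i)
        n = int(buf[i:colon])
        if n > max_len:
            raise ValueError("netstring of %d bytes exceeds limit" % n)
        start, end = colon + 1, colon + 1 + n
        if end >= len(buf) or buf[end:end + 1] != b",":
            raise ValueError("netstring at offset %d not terminated" % i)
        items.append(buf[start:end])
        i = end + 1
    return items

def encode_package(message: bytes, sender: bytes, recipients: list) -> bytes:
    """Build the single package a QMQP client (qmail-qmqpc) sends per message."""
    body = netstring(message) + netstring(sender)
    body += b"".join(netstring(r) for r in recipients)
    return netstring(body)

def decode_package(pkg: bytes) -> dict:
    """Unpack a package on the server side (what qmail-qmqpd receives)."""
    outer = parse_netstrings(pkg)
    if len(outer) != 1:
        raise ValueError("expected exactly one package")
    parts = parse_netstrings(outer[0])
    if len(parts) < 3:
        raise ValueError("package needs message, sender and a recipient")
    return {"message": parts[0], "sender": parts[1], "recipients": parts[2:]}

def classify_response(resp: bytes) -> str:
    """Map the server's K/Z/D reply netstring to a delivery outcome."""
    text = parse_netstrings(resp)[0]
    return {b"K": "accepted", b"Z": "deferred", b"D": "rejected"}.get(text[:1], "invalid")

# Constructed sample: root mail generated on the bastion, relayed inward.
SAMPLE_MSG = b"From: root@bastion.example\nTo: root@mail.internal.example\n\ncron output\n"
SAMPLE_PKG = encode_package(SAMPLE_MSG, b"root@bastion.example", [b"root@mail.internal.example"])
```

qmail-qmqpd performs no access control of its own, so the interior router's filter and the tcpserver rules in front of qmqpd are what restrict QMQP injection to the bastion host's address.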