Re: Relaying and forwarding between multiple servers

2020-05-26 Thread Craig Skinner

Hi Chris,

On 24/05/2020 21:46, Christian Baer wrote:

> I want to move the full fledged server

That server is known as the 'primary mail exchanger' (primary MX).

> to the machine in my basement

You'll need a static IP address from your home ISP, and be able to set 
the reverse DNS to match the forward DNS hostname. Can your home ISP 
provide static IP addresses and reverse DNS hostname management? If not, 
don't proceed with this project.

> and want to use mx1, mx2 and mx3 as smart hosts that accept mail for my 
> domains and forward it to the server in my basement.

Mail smart hosts are sending hosts on a LAN that are smart enough to 
know which hosts on the LAN to relay outbound mail for.


I think you mean you want your remote rented servers to all be backup MX 
machines, as mx2 & mx3 are now. Simple:- configure mx1 as another backup 
and have your home machine as mx0 (i.e;- the primary MX server).

> They also should relay mail sent from this server. Perfect would be a setup where they'll be used round robin.

DNS is your friend: configure relay.mail.your.domain with the IP address 
of all 3 remote mail servers. Use this DNS hostname as your outbound 
relay. Set your authoritative DNS daemon (NSD, BIND, etc.) to serve 
records in round-robin fashion. Done!


But if you have a static IP address & rDNS at home, you don't need to 
relay via your remote servers. Your primary MX can send to the world.


Cheers,
Craig.
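Craig's checklist above (reverse DNS confirming forward DNS on every MX, the home machine as the lowest-preference MX, and a relay hostname that round-robins over the rented boxes) can be verified before cutting over. The following check is an added example, not code from either poster; the hostnames, addresses and MX list are constructed placeholders, and the live_* helpers only query the system resolver.

```python
import socket

# Constructed example layout (placeholder names, not the poster's real hosts):
# the home machine becomes primary MX mx0 (lowest preference), the rented
# boxes stay backup MXes, and relay.mail.* round-robins over the backups.
SAMPLE_A = {
    "mx0.example.org": ["203.0.113.10"],
    "mx1.example.org": ["198.51.100.1"],
    "mx2.example.org": ["198.51.100.2"],
    "mx3.example.org": ["198.51.100.3"],
    "relay.mail.example.org": ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
}
SAMPLE_PTR = {"203.0.113.10": "mx0.example.org", "198.51.100.1": "mx1.example.org",
              "198.51.100.2": "mx2.example.org", "198.51.100.3": "mx3.example.org"}
SAMPLE_MX = [(10, "mx0.example.org"), (20, "mx1.example.org"),
             (20, "mx2.example.org"), (20, "mx3.example.org")]

def sample_a(host):
    return SAMPLE_A.get(host, [])

def live_a(host):
    """A lookup through the system resolver, for checking a real deployment."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except OSError:
        return []

def live_ptr(ip):
    """PTR lookup through the system resolver; None when there is no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def fcrdns_ok(host, a_lookup, ptr_lookup):
    """Forward-confirmed rDNS: every address of host must PTR back to host."""
    addrs = a_lookup(host)
    return bool(addrs) and all(ptr_lookup(ip) == host for ip in addrs)

def check_layout(mx, relay_name, a_lookup, ptr_lookup):
    """Findings for an MX/relay plan; an empty list means it is consistent."""
    findings = []
    lowest = min(pref for pref, _ in mx)  # the primary MX has the lowest preference
    for _, host in mx:
        if not fcrdns_ok(host, a_lookup, ptr_lookup):
            findings.append(f"{host}: reverse DNS does not confirm forward DNS")
    backup_ips = {ip for pref, h in mx if pref > lowest for ip in a_lookup(h)}
    if set(a_lookup(relay_name)) != backup_ips:
        findings.append(f"{relay_name}: must list exactly the backup MX addresses")
    return findings
```

For a real deployment, call check_layout with your own MX list and relay name and pass live_a and live_ptr as the lookup functions; a home IP whose PTR is still the ISP's generic pool name shows up as the first kind of finding.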






Relaying and forwarding between multiple servers

2020-05-24 Thread Christian Baer

Hi,

At the moment I have 4 servers. 3 of them are rented VPSes and 1 is in 
my basement.


On the rented ones I run opensmtpd. 1 of them (mx1) is a full fledged 
setup with opensmtpd, rspamd and dovecot. The other ones (mx2 and mx3) 
act as backup MXes.


I want to move the full fledged server to the machine in my basement and 
want to use mx1, mx2 and mx3 as smart hosts that accept mail for my 
domains and forward it to the server in my basement. They also should 
relay mail sent from this server. Perfect would be a setup where they'll 
be used round robin.


At the moment my config looks like this:


On mx1:

   ext_if=vtnet0

   # Certificates: one for the MX name, one for the submission name
   pki mail.dblx.io cert "/usr/local/etc/ssl/mail.dblx.io/fullchain.pem"
   pki mail.dblx.io key "/usr/local/etc/ssl/mail.dblx.io/privkey.pem"

   pki mx1.dblx.io cert "/usr/local/etc/ssl/mx1.dblx.io/fullchain.pem"
   pki mx1.dblx.io key "/usr/local/etc/ssl/mx1.dblx.io/privkey.pem"

   smtp ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

   srs key ""
   # srs key backup ""

   # Connection-time filters: reject senders without (forward-confirmed) rDNS, then hand to rspamd
   filter "rdns" phase connect match !rdns junk
   filter "fcrdns" phase connect match !fcrdns junk
   filter "rspamd" proc-exec "/usr/local/libexec/opensmtpd/opensmtpd-filter-rspamd"

   table aliases file:/usr/local/mail/aliases
   table domains file:/usr/local/mail/domains
   table passwd passwd:/usr/local/mail/passwd
   table virtuals file:/usr/local/mail/virtuals

   # Inbound
   listen on $ext_if port 25 tls pki "mx1.dblx.io" hostname mx1.dblx.io filter { "rdns", "fcrdns", "rspamd" }

   # Local delivery to dovecot over LMTP, expanding recipients via the <virtuals> table
   action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <virtuals>
   #action "RECV" lmtp "10.0.0.20:24" rcpt-to virtual <virtuals>
   match from any for domain <domains> action "RECV"

   # Outbound (submission), authenticated against the <passwd> table
   listen on $ext_if port 465 smtps pki "mail.dblx.io" auth <passwd> hostname mx1.dblx.io filter "rspamd"
   listen on $ext_if port 587 tls-require pki "mail.dblx.io" auth <passwd> hostname mx1.dblx.io filter "rspamd"
   action "SEND" relay srs
   match from any auth for any action "SEND"


On mx2:

   ext_if=vtnet0

   pki mx2.dblx.io cert "/usr/local/etc/ssl/mx2.dblx.io/fullchain.pem"
   pki mx2.dblx.io key "/usr/local/etc/ssl/mx2.dblx.io/privkey.pem"

   smtp ciphers "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

   srs key ""
   # srs key backup ""

   table domains file:/usr/local/mail/domains

   filter "rdns" phase connect match !rdns junk
   filter "fcrdns" phase connect match !fcrdns junk

   listen on $ext_if port 25 tls pki "mx2.dblx.io" hostname mx2.dblx.io filter { "rdns", "fcrdns" }

   # Backup MX: queue mail for our domains and relay it on to a lower-preference MX
   action "forward" relay backup ttl 4d
   match from any for domain <domains> action "forward"


The config for mx3 is the same as for mx2.


What are the necessary bits to get my plan working? Must I run DKIM 
signing at the sending host at home or at the mx that is used for sending?



Best regards

Chris

--
Christian Baer

E-Mail: ch...@debilux.org
Mobil: +49 160 969 769 37

Naheweinstr. 44, D-55450 Langenlonsheim