From: Nathan Vidican
Date: Thu, 05 Apr 2007 14:22:38 -0400
To: Jonathan Horne
Cc: questions@freebsd.org
Subject: Re: slightly OT - my freebsd email topology
Message-ID: <46153E6E.1050903@vidican.com>
In-Reply-To: <56576.192.168.125.142.1175794565.squirrel@webmail.dfwlp.org>

Jonathan Horne wrote:
> Currently, my email server is just a single box, accepting and sending emails
> from and to the internet. spamassassin and sendmail, and so far, it works
> satisfactorily.
>
> I would like to change it up, so that I have a pair of servers doing MX from the
> internet, which then passes to an internal server for delivery. If I do that, I
> could remove spamassassin from the internal server, and run it on just the 2
> external.
>
> All those configurations is really not my issue here... what I'm
> really pondering is how would external servers that are separate from where the
> target mailboxes are, know which addresses are acceptable and which to return a
> 550?
>
> Does anyone have any setups that are similar to this, and could advise me or
> point me in the right direction?
>
> Thanks,
> Jonathan

There's really too many variables in your question to provide a good answer.

Ideally, the 'internal' server should be configured as normal, but not exposed
on a public interface; sendmail should not be listening for incoming connections
from anything other than your two 'outside' boxes if it has a valid public IP
address.

If the previous scenario is true, then all you've really gotta do on the
'outside' boxes is add the domain names for which the 'inside' box is going to
relay mail, and set the two outside boxes as MX hosts in your public DNS
records, while they receive internally the hostname/address of the internal MX
host.

You could go a step further, by using virtusertable within sendmail to redirect
incoming mail for a domain to a specific host on the inside instead of just
relaying, which could provide a more flexible filtering mechanism; something
like:

    @whatever.com    %1@inside-only.server.hostname

Essentially instructing sendmail on the external machine to forward along
'fu.bar@whatever.com' to 'fu.bar@inside-only.server.hostname' ... or you could
go beyond that to only filter specific addresses and error out everything else.

Well, you get the idea - there's more than one way to do this. You need to
really specify your goals more clearly:

  Are you trying to simply offset the load?
  Are you trying to make a redundant setup for a failover setup?
  Are you trying to be more secure by filtering before handling email?
  Are you trying to avoid having all your eggs in one basket?
  Do you desire a single point of configuration, or are you expecting to
  configure each new account on all servers?

These are all things you have to consider. Bottom line is, you need to really
sit down and put to thought exactly what you're trying to accomplish.

If the load created by spamassassin is your sole problem - then you can run
just spamassassin's filtering daemon on another machine - it is capable of
running spamd over a network (see: spamd/spamc:
http://spamassassin.apache.org/full/3.0.x/dist/spamd/README for more info).

My advice would be to decide exactly what you want to accomplish, then come
back and ask for further suggestion from this list. There are many talented,
experienced administrators here - who chances are, have come across an almost
exact case that could help you out - they all just need a little more to go on
before they can tell you what they'd do in your case.

Ultimately, it's up to you, and RTFM'ing the heck out of it before you
implement it in production is always a good choice.

--
Nathan Vidican
nvidican@wmptl.com
Windsor Match Plate & Tool Ltd.
http://www.wmptl.com/
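The question in the thread (how an outside MX that holds no mailboxes can answer 550 for unknown recipients instead of accepting everything and bouncing it later) and the virtusertable idea in the reply can be modelled in a few lines. The block below is an added example, not code from either poster or from sendmail: it parses a constructed virtusertable-style map, resolves a recipient the way the reply describes (an exact user@domain entry first, otherwise the @domain catch-all with %1 standing in for the local part), and turns the result into the SMTP reply the edge box would give at RCPT TO. The `error:` value form follows the one documented for sendmail's virtusertable, but the lookup order is simplified (user+detail entries and %2 are not modelled); all hostnames and addresses are constructed.

```python
"""Edge-MX recipient screening modelled on a sendmail virtusertable.

Added example for the thread above; hostnames, addresses and the table
are constructed, and the lookup is a simplified model of sendmail's
(exact 'user@domain' entry, then '@domain' catch-all with %1).
"""
import re
from typing import Dict, Optional, Tuple

# Constructed virtusertable text: key, whitespace, value.
# Value is either the address to relay to or 'error:<class> [code] text'.
VIRTUSERTABLE = """
# mailboxes the outside box knows exist on the inside host
postmaster@whatever.com   postmaster@inside-only.server.hostname
fu.bar@whatever.com       fu.bar@inside-only.server.hostname
sales@whatever.com        sales-team@inside-only.server.hostname
# anything else at whatever.com is refused at the edge, so no backscatter
@whatever.com             error:nouser 550 No such user here
# second domain: relay every local part unchanged to the inside host
@example.net              %1@inside-only.server.hostname
"""


def parse_virtusertable(text: str) -> Dict[str, str]:
    """Turn the text map into a dict keyed by lower-cased address/domain."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """Resolve one recipient: exact entry wins, then the @domain entry with
    %1 replaced by the local part; None if the domain is not ours at all."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local:
        return None
    domain = domain.lower()
    exact = table.get(f"{local.lower()}@{domain}")
    if exact is not None:
        return exact
    catch_all = table.get("@" + domain)
    if catch_all is None:
        return None
    return catch_all.replace("%1", local)


def rcpt_decision(table: Dict[str, str], address: str) -> Tuple[int, str]:
    """SMTP reply for RCPT TO:<address> on the outside box.

    250 carries the rewritten address that will be relayed inward; any
    other code is the rejection text the sender sees."""
    target = lookup(table, address)
    if target is None:
        # Not a domain we relay for: refuse, otherwise we are an open relay.
        return 550, "5.7.1 Relaying denied"
    if target.startswith("error:"):
        # error:<class> [3-digit code] message  (code defaults to 550)
        m = re.match(r"error:(\S+)\s+(?:(\d{3})\s+)?(.*)", target)
        code = int(m.group(2)) if m and m.group(2) else 550
        text = (m.group(3).strip() if m else "") or "Rejected"
        return code, text
    return 250, target


TABLE = parse_virtusertable(VIRTUSERTABLE)

if __name__ == "__main__":
    # Constructed RCPT TO values as an edge MX would see them.
    for rcpt in ("fu.bar@whatever.com", "nobody@whatever.com",
                 "alice@example.net", "someone@other.org"):
        code, text = rcpt_decision(TABLE, rcpt)
        print(f"RCPT TO:<{rcpt}> -> {code} {text}")
```

The point of the model is where the decision is made: with an explicit per-address table plus an `error:` catch-all, the outside boxes can refuse unknown users during the SMTP dialogue, so the inside host never has to generate a bounce for mail that was accepted from a forged sender. Keeping that table in step with the real mailbox list is then the operational task the thread is really asking about.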