DNS & mail 1997/12/17

Contents

Mail System Design
- Domain master
- NULL client
- PPP client
- Back-up mail server
- Firewall and mail server
- Virtual host

Domain Master

- Accepts user@x.co.jp in addition to user@mail.x.co.jp (Important!)
- When sending mail, user@x.co.jp is set as the sender address
  - root, daemon, postmaster, etc.
- Accept for multiple domains
  - ACCEPT_ADDRS='sub1.co.jp sub2.x.co.jp'

Domain Master Configuration

    ACCEPT_ADDRS='x.co.jp'
    FROM_ADDRESS='x.co.jp'

- ACCEPT_ADDRS: the address part which should be accepted
- FROM_ADDRESS: the domain part of the sending default
  - host name assigned to administrator addresses
    - For mail that should identify the computer itself (i.e. mail from root), user@mail.x.co.jp is preferred

NULL Client

- No spooling
- All mail goes to the mail server
  - only the definition of the mail server address is needed

    CF_TYPE=R8V7-null
    SPOOL_HOST=mail.x.co.jp

- List addresses that reach the mail server only
  - enclose with [] (refer to the A RR when there is a lower MX)
  - list [IP address]

MS PPP Client

- Dial-up environment, so not always connected
- IP address is assigned upon connection
- DNS host name is not fixed either
- Not good for the internal host name to be public
  - mail replies will not be returned
- Sending address of the provider's mail server is used
- Mail receipt is by POP (i.e. popclient)

InternetWeek'97 1

PPP Client Configuration

When the provider's mail server can be used for sending:

    DIRECT_DELIVER_DOMAINS=none
    DEFAULT_RELAY=mail.provider.ne.jp
    FROM_ADDRESS=po.provider.ne.jp
    CON_EXP=True
    SMTP_MAILER_FLAG_ADD=e

- CON_EXP and SMTP_MAILER_FLAG_ADD are the tips for not sending immediately
- Accumulate initially in mqueue
- Time out for automatic dial-up

    O DialDelay=15s

- When connected, send everything at once with sendmail -q
- The sendmail daemon is launched with -bd only when necessary

Advanced PPP Client

- Rewriting of the sender address
  - conversion between local and contract user names
  - use of userdb and usertable
- Curb sending from non-contracted addresses
  - use of the check_compat rule set

Back-up Mail Server

- Receives on behalf of the 1st MX during failures
  - operates as 2nd MX
- If possible, deliver directly, independently of the 1st MX
  - share alias files with the 1st MX
  - accept the same addresses
- All users: ACCEPT_ADDRS=
- Designated users: SECONDARY_*=
  - those not designated wait for recovery of the 1st MX

Back-up Mail Server (cont'd)

- Share aliases
  - use a sharing system such as NIS
  - rdist and newaliases are also possible
  - keep local aliases and shared aliases separate
    - R8 sendmail can handle multiple alias files
    - OA/etc/aliases,nis:mail.aliases
- Problem of ML delivery back-up
  - what to do with the archive
  - what to do with the sequence number

Firewall and Name Server

- Name server for outside the organization
  - When defining a wildcard MX

        $ORIGIN x.co.jp.
        *       IN MX 10 ext-mail.x.co.jp.

    - does not reveal the existence of internal hosts
  - Define all existing mail addresses
    - method that does not use a wildcard MX
    - mail that should be an error does not reach the gateway

Firewall and Name Server (cont'd)

- Name server for inside the organization
  - Methods to hide outside organizations' addresses internally
    - all services go via a proxy
    - a root server is provided within the organization to avoid DNS timeouts
  - Methods to get outside organizations' addresses
    - with forwarders
    - when a direct connection can be established from inside to outside
    - SOCKS


Firewall and Mail Server (1)

Structure of name servers and mail servers (to prevent leaking of internal information to the outside)

- To cover with 1 mail server
  a. Method of referring to an outside-search name server that has an internal-target zone
    - split-brain DNS
  b. Method of delivering internal mail according to set rules

With 1 Mail Server

[Diagram, text only: (a) one mail server does both internal and external delivery and queries an external NS that also holds the internal-target zone (split-brain DNS) for external searches; (b) one mail server queries the external NS and uses a static delivery rule for internal delivery; the Internet is on the external side in both.]

Firewall and Mail Server (2)

- With 2 mail servers
  - a mail server that refers to external DNS
  - a mail server that refers to internal DNS
- Formula a
  - static route configuration between the two
- Formula b
  - dedicated receiving mail server
  - dedicated sending mail server

With 2 Mail Servers

[Diagram, text only: (a) a mail server for external (with NS for external) and a mail server for internal (with NS for internal), connected by a static sending rule; (b) a mail server for receiving (Internet -> send to internal) and a mail server for sending (send to external -> Internet), each using NS for external and NS for internal.]

Configuration of Mail Server for Internal

- Static rule for external delivery

    DIRECT_DELIVER_DOMAINS=x.co.jp
    DEFAULT_RELAY=external.x.co.jp

  - DEFAULT_RELAY is the mail server for external

Configuration of Mail Server for External

- Static rule for internal delivery

    STATIC_ROUTE_FILE=x.static

  x.static content:

    GW [12.34.56.78]
    # (internal.x.co.jp)
    DOM x.co.jp

  - able to accept mail addressed to the mail server itself


With 1 Name Server (1)

- To make do with 1 NS and 1 MS each...
  a. Place the first MX facing internal by setting NS

        inner-host   IN MX 10 inner-host
                     IN MX 20 gw

    - direct communication with the 1st MX is not possible from outside; a time-out occurs
    - stressful for the sender, so not recommended
  b. At the GW, the A RR is referred to in order to deliver mail internally

        inner-host   IN A  12.34.56.78
                     IN MX 10 gw

With 1 Name Server (2)

  c. Map internal names to a separate branch
    - inner.domain.jp → inner.domain.jp.local
    - convert the address with sendmail.cf
      - MAP line in STATIC_ROUTE_FILE (CF)
  d. Multiple daemons launched on 1 server
    - bind external and internal IP addresses
    - external named and internal named
      - listen-on, query-source, transfer-source (bind 8.1.2)
    - external sendmail and internal sendmail
      - O DaemonPortOptions=Address=12.34.56.78
    - configuration of a so-called virtual host

With 1 Name Server (3)

- Problems with methods a and b
  - although direct communication between internal and external is impossible,
  - internal host information can be seen from outside
    - bind8 allow-query alone is insufficient

With 1 Name Server (4)

- Method b specific configuration
  - sending from the gateway to internal
    - static route definition
    - look at the A RR
  - if the 1st MX is itself, adjust the behaviour

        TRY_NULL_MX_LIST=True      (CF)
        O TryNullMXList=True       (sendmail.cf)

  - if the configuration is incorrect, a local configuration error will be returned
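The following is an added example, not code from the slides or from the CF package, showing how the pieces named on the "Configuration of Mail Server" slides and on "With 1 Name Server (4)" combine into one next-hop decision: ACCEPT_ADDRS (domains treated as local), the GW/DOM static route file, DIRECT_DELIVER_DOMAINS resolved by MX lookup (including the wildcard MX from the name-server slide), TryNullMXList when every MX points back at this host, and DEFAULT_RELAY. The zone records, host names, IP addresses and the three server configurations are constructed; the order of checks (local, static route, direct delivery, relay) is an assumption rather than CF's exact rule order, and the MAP line is not modelled.

```python
"""Next-hop decision of a CF/sendmail-style mail server (added example).

Models ACCEPT_ADDRS, a STATIC_ROUTE_FILE with GW/DOM lines, DIRECT_DELIVER_DOMAINS
(deliver by MX lookup), TryNullMXList and DEFAULT_RELAY.  Zone data, names and
addresses are constructed; the check order is an assumption, not CF's rule order.
"""
from dataclasses import dataclass

# Constructed zone, as this server's resolver would answer.  It carries the
# wildcard MX from the name-server slide and the "method b" records
# (A record plus MX 10 gw) from "With 1 Name Server".
ZONE = {
    "x.co.jp.":            {"MX": [(10, "ext-mail.x.co.jp.")]},
    "*.x.co.jp.":          {"MX": [(10, "ext-mail.x.co.jp.")]},
    "ext-mail.x.co.jp.":   {"A": ["192.0.2.1"]},
    "gw.x.co.jp.":         {"A": ["192.0.2.2"]},
    "inner-host.x.co.jp.": {"A": ["12.34.56.78"], "MX": [(10, "gw.x.co.jp.")]},
    "example.com.":        {"MX": [(5, "mx.example.com.")]},
}

def lookup(name, rtype):
    """Exact name first, else the nearest wildcard (simplified RFC 1034)."""
    name = name.rstrip(".") + "."
    if name in ZONE:                    # existing name: no wildcard expansion
        return ZONE[name].get(rtype, [])
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return ZONE[wild].get(rtype, [])
    return []

@dataclass
class Config:
    my_name: str
    accept_addrs: set        # ACCEPT_ADDRS, exact domain match (assumption)
    static_routes: dict      # domain -> gateway, from STATIC_ROUTE_FILE
    direct_deliver: set      # DIRECT_DELIVER_DOMAINS; {"*"} means everything
    default_relay: str       # DEFAULT_RELAY
    try_null_mx_list: bool = True

def parse_static_route(text):
    """Parse the GW/DOM format of the 'for External' slide ('#' = comment, assumed)."""
    routes, gw = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "GW":
            gw = value.strip()
        elif key == "DOM":
            if gw is None:
                raise ValueError("DOM before any GW line: " + raw)
            routes[value.strip().lower()] = gw
    return routes

def domain_matches(domain, patterns):
    """x.co.jp matches itself and every host below it."""
    if "*" in patterns:
        return True
    return any(domain == p or domain.endswith("." + p) for p in patterns)

def mx_targets(domain, cfg):
    """Hosts to try in MX preference order (RFC 974).  Returns None for the
    'MX list points back to me' configuration error."""
    mxs = sorted(lookup(domain, "MX"))
    if not mxs:                         # no MX: the A record is the implicit MX
        return [domain] if lookup(domain, "A") else []
    mine = [p for p, h in mxs if h.rstrip(".") == cfg.my_name]
    if mine:                            # drop ourselves and every worse MX
        mxs = [(p, h) for p, h in mxs if p < min(mine)]
    if mxs:
        return [h.rstrip(".") for _, h in mxs]
    if cfg.try_null_mx_list and lookup(domain, "A"):
        return [domain]                 # TryNullMXList: fall back to the A RR
    return None

def next_hop(recipient, cfg):
    """('local', None), ('static', gw), ('mx', hosts), ('relay', host) or ('error', msg)."""
    _, _, domain = recipient.rpartition("@")
    domain = domain.lower().rstrip(".")
    if domain == cfg.my_name or domain in cfg.accept_addrs:
        return ("local", None)
    for dom, gw in cfg.static_routes.items():
        if domain_matches(domain, [dom]):
            return ("static", gw)
    if domain_matches(domain, cfg.direct_deliver):
        hosts = mx_targets(domain, cfg)
        if hosts is None:
            return ("error", "config error: MX list for %s points back to me" % domain)
        return ("mx", hosts)
    return ("relay", cfg.default_relay)

# The servers of the slides as constructed configurations.
X_STATIC = "GW [12.34.56.78]\n# (internal.x.co.jp)\nDOM x.co.jp\n"
EXTERNAL = Config("external.x.co.jp", set(), parse_static_route(X_STATIC), {"*"}, "none")
INTERNAL = Config("internal.x.co.jp", {"x.co.jp"}, {}, {"x.co.jp"}, "external.x.co.jp")
GATEWAY = Config("gw.x.co.jp", set(), {}, {"x.co.jp"}, "none")
```

Calling next_hop("user@inner-host.x.co.jp", GATEWAY) exercises the method-b case: the only MX is the gateway itself, so the A record is used; with try_null_mx_list set to False the same call returns the configuration error the slide warns about.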

Hosts within Gateway

- Everything goes to the gateway

    DIRECT_DELIVER_DOMAINS=none
    DEFAULT_RELAY=internal.x.co.jp

- Direct delivery internally

    DIRECT_DELIVER_DOMAINS=x.co.jp
    DEFAULT_RELAY=internal.x.co.jp

  - For qmail, this is defined in control/smtproutes

Virtual Host

- Multiple addresses used on one host
  a) Sharing of user space

        USERTABLE_MAPS='domain1=hash:/etc/map1 \
                        domain2=hash:/etc/map2'

  b) Separation of user space (1)
    - Multiple IP addresses for one host
    - Bind sendmail to each address

          O DaemonPortOptions=Address=1.2.3.4

    - Good to separate the environment with chroot as well


Virtual Host (cont'd)

  c) Separation of user space (2)
    - Work with sendmail.cf
      - Switch the local mailer for each address
    - Use a separate database from /etc/passwd
    - Dedicated service such as POP
      - Authenticate the user with an identifier that includes the domain name

System Design Wrap-up

- What addresses will be accepted
- Choosing the sending method by address
  - Delivery destination statically defined
  - Refer to the name server (MX)

Clarify these conditions.

Supplement: useful sendmail techniques

- Gather mail waiting to send at one host
- Reject huge messages
- Change processing depending on the sender address
- If SMTP fails, send with UUCP
- Designation of mailer processing sequence
- Configure an ML at the personal level

Supplement: To gather mail waiting to send at one host

- Use the FallBackMX option
  - when DNS cannot be checked
  - when mail cannot be sent to any MX, transfer the mail to the designated host
- Administration etc. of mqueue is easier
  - adjustment of the longest storage life
- Route trouble is easier to catch

Reject Huge Messages

- When using the MaxMessageSize option
  - reject the message if it surpasses the size upon receipt
  - when using ESMTP, the size is announced at the point of MAIL FROM, so reject there
- When designating M= in the mailer definition
  - receive the message initially
  - check the size immediately before sending
    - due to the possibility of a different acceptable size range depending on the mailer

Change processing depending on sender address

- Carry out categorization of error mail and spam at the sendmail.cf level (the LHS and RHS of each R line are tab-separated in sendmail.cf)

    CT root news postmaster MAILER-DAEMON uucp cron
    S0
    :
    R $*                     $: $1 $| $>3 $&f        envelope sender
    R motonori $| <@>        $: trash                when the sender is <>
    R motonori $| $=T<@$*>   $: trash                review at class T
    R $* $| $*               $: $1
    :
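As an added illustration of the MaxMessageSize point above (this is example code, not from the slides or from sendmail), here are the two places a receiving MTA can enforce a size limit: the SIZE parameter announced on MAIL FROM under ESMTP, where the message can be refused before any of the body is transferred, and a running byte count during DATA, which catches a client that omitted SIZE or understated it. The limit, the sample commands and the reply wording are constructed; sendmail answers with a 552 reply, but its exact text is not copied here.

```python
"""Two enforcement points for a message-size limit in an SMTP receiver (added
example): the ESMTP SIZE parameter on MAIL FROM and the byte count during DATA.
Limit, sample commands and reply wording are constructed."""
import re

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>(.*)$", re.IGNORECASE)

def parse_mail_from(line):
    """Split 'MAIL FROM:<addr> KEY=VAL ...' into (sender, {KEY: VAL}); None if malformed."""
    m = MAIL_FROM_RE.match(line.strip())
    if not m:
        return None
    params = {}
    for item in m.group(2).split():
        key, _, value = item.partition("=")
        params[key.upper()] = value
    return m.group(1), params

def check_mail_from(line, max_size):
    """SMTP reply for a MAIL FROM line when MaxMessageSize is max_size bytes."""
    parsed = parse_mail_from(line)
    if parsed is None:
        return "501 Syntax error in MAIL FROM"
    sender, params = parsed
    size = params.get("SIZE")
    if size is not None:
        if not size.isdigit():
            return "501 SIZE parameter must be a decimal number"
        if int(size) > max_size:
            # ESMTP lets the server refuse before a single byte of the body is sent.
            return "552 Message size exceeds fixed maximum message size (%d)" % max_size
    return "250 <%s>... Sender ok" % sender

class DataGuard:
    """Counts bytes of the DATA phase so a client that omitted SIZE, or understated
    it, is still stopped at the limit instead of filling the spool."""

    def __init__(self, max_size):
        self.max_size = max_size
        self.received = 0

    def feed(self, chunk):
        """Account for one received chunk; False once the limit is exceeded."""
        self.received += len(chunk)
        return self.received <= self.max_size

    def reply(self):
        """Reply to send at the end of DATA."""
        if self.received > self.max_size:
            return "552 Message exceeds fixed maximum message size (%d)" % self.max_size
        return "250 Message accepted for delivery"

def receive(mail_from, chunks, max_size):
    """Run one MAIL FROM plus DATA exchange; returns the list of server replies."""
    replies = [check_mail_from(mail_from, max_size)]
    if not replies[0].startswith("250"):
        return replies
    guard = DataGuard(max_size)
    for chunk in chunks:
        if not guard.feed(chunk):
            break                      # stop reading; 552 goes out at end of DATA
    replies.append(guard.reply())
    return replies
```

The per-mailer M= limit from the same slide is a third check of the same kind, applied to the already-received message just before it is handed to a particular mailer; the DataGuard byte count is what makes that later comparison possible.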


If SMTP doesn't work, send with UUCP (3.1W patch)

- Use the function to launch multiple mailers sequentially

    S0
    :
    R $*<@x.co.jp>$*   $# smtp $@ x.co.jp $: $1<@x.co.jp>$2
    (space)            $# uucp $@ uucp-x $: $1<@x.co.jp>$2
    :

Designation of Mailer Processing Sequence (3.1W patch)

- With a large-scale ML etc., when local delivery processing before SMTP (to oneself, archive) is preferred
  - Designate the priority (cost) in the mailer definition with %=

    Mlocal …, %=0
    Msmtp  …, %=10    (will be processed after the local mailer)

Configure ML on personal level

- Use the CF local delivery function
  - Not only user@host but also user+opt@host may be used
  - opt@user.host is also supported
  - The user can use .forward as well as .forward+opt and .forward+default
  - By configuring .forward+ML, ML@user.host can be employed
  - Reference: Samples/virt-domain+.def

Important sendmail options (1)

- EightBitMode=pass8
  - 8-bit data that is not MIME may pass through
- SendMimeErrors
  - Whether or not to return error notifications according to RFC 1894 DSN (Delivery Status Notification)
- ConnectionCacheSize
  - Number of SMTP connections to keep open
  - Helpful for queue runs
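An added example, not from the slides or from CF, resolving the address forms of the "Configure ML on personal level" slide (user+opt@host and opt@user.host) to the .forward+opt, .forward+default or .forward file that would handle them, and combining that with the per-domain user tables of the "Virtual Host" slides (the USERTABLE_MAPS idea) so that each virtual domain keeps its own user space. The accounts, virtual-domain tables, forward files and the search order are constructed assumptions; the target syntax (:include: lists, a leading backslash to stop further forwarding) is sendmail's.

```python
"""Local-address resolution for plus-addressing and virtual domains (added example).

Handles user@host, user+opt@host and opt@user.host, then picks the user's
.forward+opt, .forward+default or .forward file; a per-domain user table gives
each virtual domain its own user space.  Accounts, tables, forward files and
the search order are constructed assumptions.
"""

LOCAL_HOST = "x.co.jp"
ACCEPT_ADDRS = {LOCAL_HOST, "mail." + LOCAL_HOST}    # domains treated as local

# Per-domain user tables, standing in for 'domain1=hash:/etc/map1 ...':
# virtual user -> system account.  Separate tables keep the user spaces apart.
USERTABLES = {
    "domain1.jp": {"alice": "alice1", "bob": "bob1"},
    "domain2.jp": {"alice": "alice2"},
}
ACCOUNTS = {"motonori", "alice1", "alice2", "bob1"}

# ~user/.forward* files as {filename: [targets]} (constructed).  Targets use
# sendmail syntax: ':include:' reads a list file, a leading backslash stops forwarding.
FORWARD_FILES = {
    "motonori": {
        ".forward+ml": [":include:/home/motonori/ml-members"],
        ".forward+default": ["\\motonori"],
    },
    "alice1": {".forward": ["alice@elsewhere.example"]},
}

def split_address(addr):
    """Return (domain, user, opt) for user@host, user+opt@host or opt@user.host."""
    local, _, domain = addr.lower().rpartition("@")
    if domain.endswith("." + LOCAL_HOST):            # opt@user.host form
        user = domain[: -len(LOCAL_HOST) - 1]
        if "." not in user and user in ACCOUNTS:
            return LOCAL_HOST, user, local
    user, _, opt = local.partition("+")
    return domain, user, opt or None

def resolve(addr):
    """Delivery targets for addr, or None when it is not a deliverable local address."""
    domain, user, opt = split_address(addr)
    if domain in USERTABLES:                         # virtual domain
        user = USERTABLES[domain].get(user)
        if user is None:
            return None                              # unknown in that user space
    elif domain not in ACCEPT_ADDRS:
        return None
    if user not in ACCOUNTS:
        return None
    files = FORWARD_FILES.get(user, {})
    # Search order (assumption): the exact option, the user's default, plain .forward.
    candidates = [".forward+" + opt, ".forward+default"] if opt else []
    candidates.append(".forward")
    for name in candidates:
        if name in files:
            return files[name]
    return ["/var/mail/" + user]                     # no forward file: the mailbox
```

resolve("ml@motonori.x.co.jp") and resolve("motonori+ml@x.co.jp") reach the same .forward+ml list, which is the ML@user.host arrangement the slide describes; resolve("alice@domain1.jp") and resolve("alice@domain2.jp") land on different system accounts because the two domains have separate user tables.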

Important sendmail options (2)

- PostMasterCopy
  - Send only the header of error mail to postmaster as well
  - to prevent fatal troubles before they happen
- DoubleBounceAddress
  - Destination address in case error mail cannot be returned to the sender
  - Take note that the body of the mail will also be sent

Important sendmail options (3)

- MeToo
  - Whether or not to send back to the sender if the sender is included in the alias expansion
- PrivacyOption
  - Forbidding of SMTP EXPN, VRFY, etc.
- QueueSortOrder
  - sort order of mail accumulated in mqueue
  - by time might be good (order of arrival)


Important sendmail options (4)

- MinQueueAge
  - Minimum resend interval for mail accumulated in mqueue
  - To override when resending manually, use -qI
- ConnectionRateThrottle
  - Number of incoming connections allowed per second
  - Default is 0 (unlimited)
  - Might be effective against DoS attacks

Important sendmail options (5)

- DontBlameSendmail
  - From the later half of 8.7, for better security within the host, sendmail became stricter about file modes etc.
  - Designate when you want to relax the checks
  - Details at http://www.jpcert.or.jp/tech/98-0001/
- DontProbeInterface
  - prohibits reverse look-up of interface addresses at launch

Important sendmail options (6)

- Timeout.queuereturn.*
  - Maximum time limit for resending mail that has not reached its destination
  - Once exceeded, an error is returned to the sender
  - Consider long holidays when deciding the limit
- Timeout.queuewarn.*
  - Time until notifying that mail is in resend mode
  - Set to 0 when unneeded
