Table of Contents
Mail node subproject
The sub-progect include as an enabler into Rebuilding of legacy corporate mail system, project
Impacts
- Needs to upgrade quality, agility and scalability of corporate mail system.
Generic targets
- Create template of independent mail node,
- for later rebuilding corporate mail system with the independent mail node,
- where an mail node response for own set of domain.
Generic/Concept definition and requirements
mx is a independ mail node/relay, delivery mail from/to customer for some set of mail domains (mail zones).
trust_host is mail sender from $local_domains to any without auth and wo spam/malware checking. notes! only from $local_domains, because this we can add domain name to local or relay domains
inside mail list is set of recipients with an input name only for internal corporate usage/delivery
- mx is responsible only for $local_domains and partially for $relay_domains.
- mx can accept for relay only:
- from $local_domains to any, with spam checking off, with auth/trust
- from any to $local_domains, with spam cheking on, wo auth/trust
- from any to $relay_domains, with spam checking off
mx can relay from $local_domain only with auth/trust
mx delivery mail for non-local domain base on dns 'mx' and 'a' records.
- mx must:
- DKIM sign all mail from $local_domains
- delivery to inside mail list only from $local_domain or $relay_domain sender
- execute mail to unix system users at the mx
- have own recursive DNS resolver
mail domains
- $local: have user with mailbox or aliases to some mail address (world or local).
- $relay: have not user or aliases, clear relay only, mail node use as backup mx
- outside: any other into the world
$local and $relay domains must have actual dns domain definition.
$local domain must have
- dns up/sub domain delegation
- dns mx record
- mail.domain cname/a & mx a record
- spf record
- dkim public key
- pop3/imap/smtp.domain a/cname record
acls, again
| from | to | spam checking | auth/trust cheking |
|---|---|---|---|
| $local_domains | any | off | on |
| any | $local_domains | on | off |
| any | $relay_domains | off | off |
Apps draft
Note: direction of arrows are from initiator/client to service
Validation
outside is no-local, non-relay
| @from | @to | result must |
|---|---|---|
| outside wo auth/trust | outside | reject |
| outside wo auth/trust | local | accept |
| outside wo auth/trust | relay | accept |
| @from | @to | result must |
| local, wo auth/trust | local | reject |
| local, wo auth/trust | relay | reject |
| local, wo auth/trust | outside | reject |
| @from | @to | result must |
| relay, wo auth/trust | local | reject |
| relay, wo auth/trust | relay | reject |
| relay, wo auth/trust | outside | reject |
| @from | @to | result must |
| auth, local | local | accept |
| trust, local | local | accept |
| auth, local | relay | accept |
| trust, local | relay | accept |
| auth, local | outside | accept |
| trust, local | outside | accept |
| @from | @to | result must |
| auth, non-local | local | reject |
| trust, non-local | local | reject |
| auth, non-local | relay | reject |
| trust, non-local | relay | reject |
| auth, non-local | outside | reject |
| trust, non-local | outside | reject |
| @from | @to | result must |
| auth, relay | local | reject |
| trust, relay | local | reject |
| auth, relay | relay | reject |
| trust, relay | relay | reject |
| auth, relay | outside | reject |
| trust, relay | outside | reject |
Typical smtp deny message
| message | reason |
|---|---|
| 550 mx9.lazurit.com: Please authenticate for send mail from lazurit.com domain | The user send mail from local domain but have not authorization/trust |
| message | reason |
| 550 mx9.lazurit.com: Please use own mail service for send mail from lazurit.com | The sender was authorize/trust but used non-local sender domain |
| message | reason |
| 550 mx9.lazurit.com: Sorry, relay for lazurit.org not permitted | The message for banned sender with from: and to: outside both |
DNS template
reg.lazurit.com. 600 IN SOA ... imap.reg.lazurit.com. 600 IN CNAME mail.reg.lazurit.com. mail.reg.lazurit.com. 600 IN CNAME mx3.lazurit.com. pop3.reg.lazurit.com. 600 IN CNAME mail.reg.lazurit.com. reg.lazurit.com. 600 IN MX 10 mx3.lazurit.com. reg.lazurit.com. 600 IN NS pdns4.lazurit.us. reg.lazurit.com. 600 IN NS pdns3.lazurit.us. reg.lazurit.com. 600 IN NS pdns1.lazurit.us. reg.lazurit.com. 900 IN TXT "v=spf1 redirect=_spf.lazurit.com ~all" mail._domainkey.reg.lazurit.com. 900 IN TXT "k=rsa\; t=s\; p=MIIBIjANBgkqhk..." _imap._tcp.reg.lazurit.com. 86400 IN SRV 10 1 143 imap.reg.lazurit.com. _imaps._tcp.reg.lazurit.com. 60 IN SRV 10 1 993 imap.reg.lazurit.com. _pop3._tcp.reg.lazurit.com. 600 IN SRV 10 1 110 pop3.reg.lazurit.com. _pop3s._tcp.reg.lazurit.com. 600 IN SRV 10 1 995 pop3.reg.lazurit.com. _submission._tcp.reg.lazurit.com. 600 IN SRV 10 1 587 smtp.reg.lazurit.com.
