Mail node subproject

The subproject is included as an enabler in the project Rebuilding of legacy corporate mail system.


  • Need: upgrade the quality, agility and scalability of the corporate mail system.

Generic targets

  • Create a template of an independent mail node,
  • for later rebuilding of the corporate mail system from such independent mail nodes,
  • where each mail node is responsible for its own set of domains.

Generic/Concept definition and requirements

Generic mail direction/trace

mx is an independent mail node/relay that delivers mail from/to customers for some set of mail domains (mail zones).

trust_host is a mail sender from $local_domains to any destination, without auth and without spam/malware checking. Note: only from $local_domains; this is what lets us add a domain name to the local or relay domains.

inside mail list is a set of recipients behind one input name, for internal corporate usage/delivery only.

  1. mx is responsible only for $local_domains and partially for $relay_domains.
  2. mx can accept for relay only:
    1. from $local_domains to any, with spam checking off, with auth/trust
    2. from any to $local_domains, with spam checking on, without auth/trust
    3. from any to $relay_domains, with spam checking off
  • mx can relay from $local_domain only with auth/trust

  • mx delivers mail for non-local domains based on DNS 'mx' and 'a' records.

  • mx must:
    1. DKIM-sign all mail from $local_domains
    2. deliver to an inside mail list only from a $local_domain or $relay_domain sender
    3. deliver mail to unix system users on the mx
    4. have its own recursive DNS resolver

mail domains

  • $local: has users with mailboxes or aliases to some mail address (world or local).
  • $relay: has no users or aliases, pure relay only; the mail node is used as a backup mx
  • outside: any other domain in the world

$local and $relay domains must have an actual DNS domain definition.

$local domain must have

  1. dns up/sub domain delegation
  2. dns mx record
  3. mail.domain cname/a record and an a record for the mx host
  4. spf record
  5. dkim public key
  6. pop3/imap/smtp.domain a/cname records

acls, again

  from             to               spam checking   auth/trust checking
  $local_domains   any              off             on
  any              $local_domains   on              off
  any              $relay_domains   off             off

Apps draft

Schematic of apps communication.
Note: the arrows point from the initiator/client to the service.


outside is non-local, non-relay.

  @from                          @to       result must
  outside, without auth/trust    outside   reject
  outside, without auth/trust    local     accept
  outside, without auth/trust    relay     accept

  @from                          @to       result must
  local, without auth/trust      local     reject
  local, without auth/trust      relay     reject
  local, without auth/trust      outside   reject

  @from                          @to       result must
  relay, without auth/trust      local     reject
  relay, without auth/trust      relay     reject
  relay, without auth/trust      outside   reject

  @from                          @to       result must
  auth, local                    local     accept
  trust, local                   local     accept
  auth, local                    relay     accept
  trust, local                   relay     accept
  auth, local                    outside   accept
  trust, local                   outside   accept

  @from                          @to       result must
  auth, non-local                local     reject
  trust, non-local               local     reject
  auth, non-local                relay     reject
  trust, non-local               relay     reject
  auth, non-local                outside   reject
  trust, non-local               outside   reject

  @from                          @to       result must
  auth, relay                    local     reject
  trust, relay                   local     reject
  auth, relay                    relay     reject
  trust, relay                   relay     reject
  auth, relay                    outside   reject
  trust, relay                   outside   reject

Typical smtp deny messages

  message                                              reason
  550 Please authenticate for send mail from domain    The user sends mail from a local domain but has no authorization/trust
  550 Please use own mail service for send mail from   The sender was authorized/trusted but used a non-local sender domain
  550 Sorry, relay for not permitted                   The message is from a banned sender: both from: and to: are outside
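The acl table, the @from/@to decision matrix and the three 550 replies above describe one policy from three angles. The following is an added example (not code from the original page) that encodes that policy as a single decision function and checks it row by row against the matrix, so the rules can be unit-tested before they are translated into an MTA's restriction lists. The domain sets and addresses are constructed sample data standing in for $local_domains and $relay_domains; the reply used for an unauthenticated relay-domain sender is an assumption, since the page lists no dedicated message for that row.

```python
"""Relay-policy evaluator for the mail node (added example, not the page's own code).

Encodes the acl table, the @from/@to matrix and the 550 replies as one
decision function. Domain sets and addresses are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (assumption, not from the page).
LOCAL_DOMAINS = {"example.com", "corp.example"}
RELAY_DOMAINS = {"backup.example"}

# 550 replies as listed in the "Typical smtp deny messages" table.
DENY_AUTH_REQUIRED = "550 Please authenticate for send mail from domain"
DENY_FOREIGN_SENDER = "550 Please use own mail service for send mail from"
DENY_NO_RELAY = "550 Sorry, relay for not permitted"


@dataclass(frozen=True)
class Decision:
    accept: bool
    spam_check: bool              # run spam/malware checking on this message
    reply: Optional[str] = None   # SMTP reply sent when the message is rejected


def domain_class(address: str) -> str:
    """Classify an address as 'local', 'relay' or 'outside' by its domain part."""
    domain = address.rpartition("@")[2].strip().lower()
    if domain in LOCAL_DOMAINS:
        return "local"
    if domain in RELAY_DOMAINS:
        return "relay"
    return "outside"


def evaluate(mail_from: str, rcpt_to: str, authenticated: bool) -> Decision:
    """Apply the acl matrix to one envelope.

    `authenticated` is True for a SASL-authenticated client or a trust_host;
    the matrix treats auth and trust identically.
    """
    src = domain_class(mail_from)
    dst = domain_class(rcpt_to)
    if authenticated:
        # acl row 1: $local_domains -> any, spam checking off.
        if src == "local":
            return Decision(accept=True, spam_check=False)
        # Authenticated/trusted, but the sender domain is not one of ours.
        return Decision(accept=False, spam_check=False, reply=DENY_FOREIGN_SENDER)
    # Unauthenticated client claiming a local sender domain: never relayed.
    if src == "local":
        return Decision(accept=False, spam_check=False, reply=DENY_AUTH_REQUIRED)
    # Unauthenticated relay-domain sender: every matrix row rejects it; the
    # page gives no dedicated reply, so the generic one is reused (assumption).
    if src == "relay":
        return Decision(accept=False, spam_check=False, reply=DENY_NO_RELAY)
    # acl row 2: any -> $local_domains, spam checking on.
    if dst == "local":
        return Decision(accept=True, spam_check=True)
    # acl row 3: any -> $relay_domains (backup mx), spam checking off.
    if dst == "relay":
        return Decision(accept=True, spam_check=False)
    # outside -> outside: an open-relay attempt.
    return Decision(accept=False, spam_check=False, reply=DENY_NO_RELAY)


# The page's @from/@to matrix, one tuple per row:
# (sender class, recipient class, authenticated or trusted, expected accept).
MATRIX = [
    ("outside", "outside", False, False), ("outside", "local", False, True),
    ("outside", "relay", False, True),
    ("local", "local", False, False), ("local", "relay", False, False),
    ("local", "outside", False, False),
    ("relay", "local", False, False), ("relay", "relay", False, False),
    ("relay", "outside", False, False),
    ("local", "local", True, True), ("local", "relay", True, True),
    ("local", "outside", True, True),
    ("outside", "local", True, False), ("outside", "relay", True, False),
    ("outside", "outside", True, False),
    ("relay", "local", True, False), ("relay", "relay", True, False),
    ("relay", "outside", True, False),
]

# One constructed address per class.
SAMPLE_ADDRESS = {
    "local": "alice@example.com",
    "relay": "bob@backup.example",
    "outside": "carol@mail.invalid",
}


def check_matrix() -> list:
    """Return the matrix rows where evaluate() disagrees with the page (empty = consistent)."""
    mismatches = []
    for src, dst, auth, expected in MATRIX:
        got = evaluate(SAMPLE_ADDRESS[src], SAMPLE_ADDRESS[dst], auth).accept
        if got != expected:
            mismatches.append((src, dst, auth, expected, got))
    return mismatches


if __name__ == "__main__":
    for src, dst, auth, _ in MATRIX:
        d = evaluate(SAMPLE_ADDRESS[src], SAMPLE_ADDRESS[dst], auth)
        print(f"{src:8}-> {dst:8} auth={auth!s:5} accept={d.accept!s:5} {d.reply or ''}")
    print("matrix mismatches:", check_matrix())
```

Running the module prints one line per matrix row and an empty mismatch list; when the policy is later changed (for example to accept mail from $relay_domain senders, which the matrix currently rejects), updating MATRIX first and watching check_matrix() report the difference keeps the written spec and the implementation in step.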

DNS template

  owner   TTL     class   type    data
          600     IN      SOA     ...
          600     IN      CNAME
          600     IN      CNAME
          600     IN      CNAME
          600     IN      MX      10
          600     IN      NS
          600     IN      NS
          600     IN      NS
          900     IN      TXT     "v=spf1 ~all"
          900     IN      TXT     "k=rsa\; t=s\; p=MIIBIjANBgkqhk..."
          86400   IN      SRV     10 1 143
          60      IN      SRV     10 1 993
          600     IN      SRV     10 1 110
          600     IN      SRV     10 1 995
          600     IN      SRV     10 1 587
