Mail node subproject

The subproject is included as an enabler in the "Rebuilding of legacy corporate mail system" project.

Impacts

  • Need to upgrade the quality, agility and scalability of the corporate mail system.

Generic targets

  • Create a template of an independent mail node,
  • for later rebuilding the corporate mail system out of such independent mail nodes,
  • where each mail node is responsible for its own set of domains.

Generic/Concept definition and requirements

Generic mail direction/trace

mx is an independent mail node/relay that delivers mail from/to customers for a set of mail domains (mail zones).

trust_host is a mail sender from $local_domains to any destination without auth and without spam/malware checking. Note: only from $local_domains; because of this we can add a domain name to the local or relay domains.

An inside mail list is a set of recipients with an inbound name used only for internal corporate usage/delivery.

  1. mx is responsible only for $local_domains and partially for $relay_domains.
  2. mx can accept for relay only:
    1. from $local_domains to any, with spam checking off, with auth/trust
    2. from any to $local_domains, with spam checking on, without auth/trust
    3. from any to $relay_domains, with spam checking off
  • mx can relay from $local_domain only with auth/trust

  • mx delivers mail for non-local domains based on DNS MX and A records.

  • mx must:
    1. DKIM-sign all mail from $local_domains
    2. deliver to an inside mail list only from a $local_domain or $relay_domain sender
    3. deliver mail for unix system users on the mx
    4. have its own recursive DNS resolver

mail domains

  • $local: has users with mailboxes or aliases to some mail address (world or local).
  • $relay: has no users or aliases; pure relay only; the mail node is used as a backup MX.
  • outside: any other domain in the world.

$local and $relay domains must have actual dns domain definition.

A $local domain must have:

  1. DNS parent/sub-domain delegation
  2. DNS MX record
  3. mail.domain CNAME/A record and an A record for the MX host
  4. SPF record
  5. DKIM public key
  6. pop3/imap/smtp.domain A/CNAME record

ACLs, again

from             to               spam checking   auth/trust checking
$local_domains   any              off             on
any              $local_domains   on              off
any              $relay_domains   off             off

Apps draft

[Figure: schematic of apps communication; image not included]
Note: the direction of the arrows is from initiator/client to service.

Validation

"outside" means non-local, non-relay.

@from                     @to       result must
outside, wo auth/trust    outside   reject
outside, wo auth/trust    local     accept
outside, wo auth/trust    relay     accept

local, wo auth/trust      local     reject
local, wo auth/trust      relay     reject
local, wo auth/trust      outside   reject

relay, wo auth/trust      local     reject
relay, wo auth/trust      relay     reject
relay, wo auth/trust      outside   reject

auth, local               local     accept
trust, local              local     accept
auth, local               relay     accept
trust, local              relay     accept
auth, local               outside   accept
trust, local              outside   accept

auth, non-local           local     reject
trust, non-local          local     reject
auth, non-local           relay     reject
trust, non-local          relay     reject
auth, non-local           outside   reject
trust, non-local          outside   reject

auth, relay               local     reject
trust, relay              local     reject
auth, relay               relay     reject
trust, relay              relay     reject
auth, relay               outside   reject
trust, relay              outside   reject

Typical SMTP deny messages

message: 550 mx9.lazurit.com: Please authenticate for send mail from lazurit.com domain
  reason: the user sends mail from a local domain but has no authorization/trust

message: 550 mx9.lazurit.com: Please use own mail service for send mail from lazurit.com
  reason: the sender was authorized/trusted but used a non-local sender domain

message: 550 mx9.lazurit.com: Sorry, relay for lazurit.org not permitted
  reason: the message is from a banned sender, with both from: and to: outside
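The relay policy of the ACL and validation tables above, with the three deny messages as reject reasons, modelled as a small Python decision function. This is an added example, not the project's own code; the domain sets and the handling of relay-domain senders (denied like outside-to-outside) are assumptions.

```python
from dataclasses import dataclass

# Constructed sample domain sets; the real $local_domains / $relay_domains
# lists are not given on the page.
LOCAL_DOMAINS = {"lazurit.com", "reg.lazurit.com"}
RELAY_DOMAINS = {"lazurit.org"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def classify(addr: str) -> str:
    """Map an address to the page's domain classes: local, relay or outside."""
    domain = domain_of(addr)
    if domain in LOCAL_DOMAINS:
        return "local"
    if domain in RELAY_DOMAINS:
        return "relay"
    return "outside"


@dataclass(frozen=True)
class Decision:
    action: str        # "accept" or "reject"
    spam_check: bool   # content filtering applies to accepted mail
    reason: str = ""   # SMTP 550 text for rejects, modelled on the page


def relay_decision(sender: str, recipient: str, authed: bool) -> Decision:
    """Apply the ACL table; authed covers both SASL auth and trust_host."""
    src, dst = classify(sender), classify(recipient)
    if authed:
        # Authenticated/trusted clients may only use a local sender domain,
        # and then reach any destination without spam checking.
        if src == "local":
            return Decision("accept", spam_check=False)
        return Decision("reject", False,
                        "550 Please use own mail service for send mail from " + domain_of(sender))
    # Unauthenticated: a local sender domain is never accepted.
    if src == "local":
        return Decision("reject", False,
                        "550 Please authenticate for send mail from " + domain_of(sender) + " domain")
    # Unauthenticated outside senders reach local domains (spam checked) and
    # relay domains (unchecked, backup MX); anything else would be open relay.
    # Assumption: a relay-domain sender gets the same denial as outside->outside.
    if src == "outside" and dst == "local":
        return Decision("accept", spam_check=True)
    if src == "outside" and dst == "relay":
        return Decision("accept", spam_check=False)
    return Decision("reject", False,
                    "550 Sorry, relay for " + domain_of(recipient) + " not permitted")
```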

DNS template

reg.lazurit.com.	600	IN	SOA	...

imap.reg.lazurit.com.	600	IN	CNAME	mail.reg.lazurit.com.
mail.reg.lazurit.com.	600	IN	CNAME	mx3.lazurit.com.
pop3.reg.lazurit.com.	600	IN	CNAME	mail.reg.lazurit.com.

reg.lazurit.com.	600	IN	MX	10 mx3.lazurit.com.

reg.lazurit.com.	600	IN	NS	pdns4.lazurit.us.
reg.lazurit.com.	600	IN	NS	pdns3.lazurit.us.
reg.lazurit.com.	600	IN	NS	pdns1.lazurit.us.

reg.lazurit.com.	900	IN	TXT	"v=spf1 redirect=_spf.lazurit.com ~all"

mail._domainkey.reg.lazurit.com. 900 IN TXT	"k=rsa\; t=s\; p=MIIBIjANBgkqhk..."

_imap._tcp.reg.lazurit.com. 86400 IN	SRV	10 1 143 imap.reg.lazurit.com.
_imaps._tcp.reg.lazurit.com. 60	IN	SRV	10 1 993 imap.reg.lazurit.com.
_pop3._tcp.reg.lazurit.com. 600	IN	SRV	10 1 110 pop3.reg.lazurit.com.
_pop3s._tcp.reg.lazurit.com. 600 IN	SRV	10 1 995 pop3.reg.lazurit.com.
_submission._tcp.reg.lazurit.com. 600 IN SRV	10 1 587 smtp.reg.lazurit.com.

