#1
Hi,

I'm hoping someone can help me. I'm trying to think through this issue and could probably use some advice from wise postfix users. :-)

We operate a setup that serves two domains: domain1 and domain2.

There are 2 firewalls, one for each domain (Juniper Netscreen fyi), being routed to a DMZ containing one postfix server listening on 2 interfaces, which then relays to internal virus checking (Trend IMSS), which then uses a transport map to direct mail to one of 2 antispam boxes, which then forward mail to the correct mail store, of which there are 2 - Exchange and Notes.

Basically the inbound flow for both sides is:

->NS->(DMZ)[Postfix->IMSS]->Antispam(DMZ)->Store    ([...] = postfix server)

Outbound flow is:

LAN->Store->(DMZ)[Postfix->IMSS](DMZ)->NS->

The postfix server is due for decommissioning, and I've been charged with setting up not only one new server, but two - to provide redundancy against a server failure. Currently we only have redundancy against a line failure / DoS, but if the server died, well, I guess we'd be creating a very quick firewall policy to another listening mailserver.

Currently we have 2 MX records for each 'side', each the reverse of one another - domain1's primary route is to the domain1 fw, secondary route to domain2. Vice versa for domain2. This corresponds to the available interfaces that postfix is listening on; when the new servers are in, we will then have 4 MX records, and I've worked out how they should be arranged.

A problem is arising when working out how to handle trust. The DMZ is on a different subnet (10.10.10/24 for domain1, 10.10.11/24 for domain2). Because of how the default route is set up on each server, I'm slightly confused as to how I can allow the DMZ subnets in $mynetworks and avoid allowing spam in from one side.

I know there's some more reading I can do; I would just like to get advice perhaps from someone who has been in a similar position.

Thanks in advance.
#2
orsocio@googlemail.com wrote:
> [...]
>
> A problem is arising when working out how to handle trust. The DMZ is
> on a different subnet (10.10.10/24 for domain1, 10.10.11/24 for
> domain2). Because of how the default route is set up on each server,
> I'm slightly confused as to how I can allow the DMZ subnets in
> $mynetworks, and avoid allowing spam in from one side.
>
> I know there's some more reading I can do, I would just like to get
> advice perhaps from someone who has been in a similar position.
>
> Thanks in advance.

I understood the existing architecture layout, but I didn't comprehend what the specific problem/question is.

Why wouldn't Postfix server #2 be an exact clone of Postfix server #1, with all the same basic routing and Postfix configs, only with different names and IP addresses?

I assume you will be load balancing externally through the use of round-robin DNS (equal precedence MX records).

-- Greg
#3
Hi, sorry, I just read over it again and it wasn't too clear. Apologies.

FYI it's not really round-robin LB, just a simple MX precedence setup, which makes sure there's always 1 of the 4 hosts available. Let me know if you think this is wacky.

The specific problem I'm facing is that, having already installed one of the new servers, I found that having NAT enabled on the same side as I had my default route created an open relay, because I was trusting the subnet by default. Setting mynetworks=127.0.0.1 solved that, and I just have to create a different IP on the firewall to NAT to and add that to $mynetworks, so that hosts on the inside can send mail through the relay.

e.g. the standard IP on the DMZ port is 10.10.10.254. I can create a DIP on the Netscreen for 10.10.10.50, and create a rule for all traffic on port 25 from inside to the DMZ to NAT to this address. I then simply add 10.10.10.50 to $mynetworks.

To answer your question, they are almost clones, but for political reasons each one is set up to be master for that particular company (each domain is for a subsidiary), so they are both gateway for themselves and backup gateway for each other.

Sorry if I'm answering my own questions here; I just thought this setup was a bit complex, and could use feedback on any particular best practices I could apply.

Many thanks.
#4
On the Postfix server, does the inbound email appear to arrive from the real-world server's actual IP address, or from the Juniper device 10.10.10.254?

If the latter, that would be a really really really bad setup regarding the ability to client block, RBL, etc. In that case, then I guess you could trust your whole network except the Juniper IP, using the "not (!)" feature:

mynetworks = !10.10.10.254, 10.10.10.0/24, 10.10.11.0/24, 127.0.0.1

But if it's the former, then I guess I don't understand exactly where the spam is arriving from that's related to the DMZ IP spam/trust issue.

At a few large corporations I've worked for, they used a double relay and triple firewall approach:

Raw_Internet-->
Inet_Firewall-->
External_Postfix_Relay-->
Outer_DMZ_Firewall-->
DMZ_Postfix_Relay-->
Inner_DMZ_to_LAN_Firewall-->
LAN_Mail_Stores_and_Mail_Servers

-- Greg
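To make the trust rules discussed in posts #3 and #4 concrete, here is an added example (not code from this thread and not Postfix's own code) that models how Postfix evaluates $mynetworks: patterns are tried left to right, the first matching pattern decides, and a "!" prefix negates that match. It compares the accidental subnet trust from post #3, the 127.0.0.1-plus-DIP fix from post #3, Greg's exclusion list from post #4, and the same exclusion list in the wrong order. The Netscreen DMZ address 10.10.10.254 and the DIP 10.10.10.50 come from the thread; 10.10.11.7 and 203.0.113.7 are constructed placeholder addresses.

```python
"""Model of how Postfix evaluates mynetworks for the addresses in this thread.

Added example: this is not code from the thread or from Postfix itself. It
re-implements Postfix's match-list rule (patterns tried left to right, first
match decides, a "!" prefix negates) so the configurations discussed above
can be checked side by side.
"""
import ipaddress

# Addresses from the thread, plus two constructed placeholders.
NETSCREEN_DMZ_IP = "10.10.10.254"  # Juniper DMZ port; Internet mail arrives NATed from here
NAT_DIP = "10.10.10.50"            # Netscreen DIP used only for LAN -> DMZ port 25 traffic
DOMAIN2_DMZ_HOST = "10.10.11.7"    # constructed: some host on the domain2 DMZ subnet
OUTSIDE_SENDER = "203.0.113.7"     # constructed: an Internet sender (TEST-NET-3)


def parse_mynetworks(value):
    """Turn a mynetworks string into an ordered list of (negated, network).

    Bare host addresses become /32 (or /128) networks and IPv6 brackets
    are removed, matching how Postfix reads the parameter.
    """
    patterns = []
    for token in value.replace(",", " ").split():
        negated = False
        while token.startswith("!"):
            negated = not negated
            token = token[1:]
        token = token.replace("[", "").replace("]", "")
        patterns.append((negated, ipaddress.ip_network(token, strict=False)))
    return patterns


def is_in_mynetworks(client_ip, mynetworks):
    """First matching pattern wins; a negated match means 'not trusted'.

    With permit_mynetworks in the smtpd recipient (or relay) restrictions,
    a True result means the client may relay to any destination.
    """
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(mynetworks):
        if addr.version == net.version and addr in net:
            return not negated
    return False


def relay_table(mynetworks, clients):
    """Return {client_ip: may_relay} for one mynetworks value."""
    return {ip: is_in_mynetworks(ip, mynetworks) for ip in clients}


CLIENTS = [NETSCREEN_DMZ_IP, NAT_DIP, DOMAIN2_DMZ_HOST, OUTSIDE_SENDER, "127.0.0.1"]

# 1. The accidental open relay from post #3: the DMZ subnet is trusted while
#    Internet mail arrives NATed from 10.10.10.254.
SUBNET_TRUST = "127.0.0.0/8, 10.10.10.0/24, 10.10.11.0/24"

# 2. The fix from post #3: trust only localhost and the DIP used by LAN hosts.
DIP_ONLY = "127.0.0.0/8, 10.10.10.50"

# 3. Greg's variant from post #4: both DMZ subnets except the Netscreen IP.
EXCLUDE_NETSCREEN = "!10.10.10.254, 10.10.10.0/24, 10.10.11.0/24, 127.0.0.1"

# 4. Same patterns, wrong order: the /24 matches first, so the "!" never fires.
EXCLUDE_MISORDERED = "10.10.10.0/24, !10.10.10.254, 10.10.11.0/24, 127.0.0.1"


if __name__ == "__main__":
    for name, value in [("subnet trust", SUBNET_TRUST), ("DIP only", DIP_ONLY),
                        ("exclude Netscreen", EXCLUDE_NETSCREEN),
                        ("exclusion misordered", EXCLUDE_MISORDERED)]:
        print(f"mynetworks = {value}   ({name})")
        for ip, ok in relay_table(value, CLIENTS).items():
            print(f"  {ip:>14}  {'may relay' if ok else 'no relay'}")
```

Two points worth checking on a real box: $mynetworks only becomes relay permission through permit_mynetworks in smtpd_recipient_restrictions (or smtpd_relay_restrictions on Postfix 2.10 and later), so that is the list to read when auditing for an open relay; and because the first match wins, an exclusion like !10.10.10.254 has to come before the /24 it carves out of, otherwise it is dead configuration.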
#5
> On the Postfix server, does the inbound email appear to arrive from the real-world server's actual IP address, or from the Juniper device 10.10.10.254?

You hit the nail on the head Greg, it's the latter - yes, you're right, it's not great, but the box has to serve both Netscreens with only one default route, so at least one Netscreen is going to use NAT for each side.

My initial confusion was how to handle both the DMZ address on the Juniper and any internal hosts, but as you point out there's at least one solution, and I found another one that will work.

I think the problem arises out of having each host dual-homed, with a different DMZ subnet on each interface, rather than a much simpler option of perhaps bonding each pair of interfaces and running equal MX preference, with 2 MX records instead of 4. I may have to speak to my boss about this.

Thanks for letting me use this as a sounding board, much appreciated!