
Re: Q: fwtk & mail



Hi,

Varga R. Tamas wrote:
:I set up TIS fwtk and in the docs found that smap is used as a wrapper
:for mailing. My problem is that smap is installed on the firewall, but
:in order to receive mail sendmail should also be installed on the same
:machine which results in putting all users on the firewall. This is a
:contradiction as no users should be on a firewall machine, right?
:
:What am I getting wrong?

The notion that you have to have your mail server on the firewall.
At least the TIS Gauntlet (which I'm familiar with) lets you specify
a mailhub for your mail domain - any incoming mail gets forwarded to
it. If you don't want to rely on this, you'll have to set up a split
DNS for your domain(s) with an NS serving your domains on the inside 
of the secure perimeter. The trick with split DNS is that the NSs on
the outside (that everybody uses) give the firewall as MX for your
domain(s). However, the firewall should be set up to resolve from the
internal NS. Here you redeclare the domains you're running with the
proper MX records to point at your mail server. Of course all of your
machines inside the secure perimeter will have to use that NS, too.
Let's take an example: your site is foo.org, and you've got a mail
server (mail.foo.org) in your secure perimeter. gate.foo.org is the
name of the external interface of the firewall. On the "public" NS
you declare the zone foo.org containing a line 
"foo.org. IN MX 10 gate.foo.org". On the internal NS, you keep the
same zone but with the line "foo.org. IN MX 10 mail.foo.org". 
So if I now want to send mail to Joe Bar (bar@foo.org), my sendmail
grabs the MX info from your external NS records and uses gate.foo.org
as a relay. Provided I haven't set up a mailhub there, the sendmail
on the firewall then notices that this isn't a local address, and
then in turn looks up the MX record on the internal NS and proceeds
to relay the message to the proper machine.

HTAYQ,
-- 
Thomas Baetzler, thb@regioservice.de, bath0011@fh-karlsruhe.de
<A HREF="http://www.fh-karlsruhe.de/~bath0011/">Visit my Homepage!</A>
"The cowards never came, and the weaklings died on the way" - R.A.H.
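As an added example that is not part of the original post or of TIS fwtk/Gauntlet, here is a small Python model of the relay path Thomas describes. Each hop resolves the recipient domain's MX through the name server view it can see: the outside world sees the public zone (MX to gate.foo.org), the firewall resolves from the internal NS (MX to mail.foo.org). The host table, the sender name sender.example and the preference-20 fallback MX are assumptions made for the example; foo.org, gate.foo.org and mail.foo.org are the names from the post. It also shows the failure mode the post warns about: if the firewall resolves from the public NS it finds itself as the best MX and the message loops (sendmail reports this as a "mail loops back to me" configuration error).

```python
"""Added example: a model of the split-DNS relay path the post describes.

Everything here is constructed for illustration. foo.org, gate.foo.org
and mail.foo.org are the names used in the post; sender.example, the
second MX record and the host table are assumptions, not part of it.
"""


def canon(name):
    """Normalise a DNS name: lower-case, with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


# Each view maps a domain to its MX records as (preference, exchange).
# The public NS (what the world sees) points at the firewall only.
EXTERNAL_VIEW = {
    "foo.org.": [(10, "gate.foo.org.")],
}
# The internal NS overrides the MX to the real mail server; the
# preference-20 fallback to the firewall is an assumption for the example.
INTERNAL_VIEW = {
    "foo.org.": [(10, "mail.foo.org."), (20, "gate.foo.org.")],
}


def best_mx(view, domain):
    """Lowest-preference MX exchange for domain in this view, or None."""
    records = view.get(canon(domain))
    if not records:
        return None
    _pref, exchange = min(records, key=lambda rec: rec[0])
    return canon(exchange)


# Host table: which NS view each host resolves through, and which domains
# it delivers locally (assumption: only mail.foo.org is local for foo.org).
HOSTS = {
    "sender.example.": {"view": EXTERNAL_VIEW, "local": set()},
    "gate.foo.org.":   {"view": INTERNAL_VIEW, "local": set()},
    "mail.foo.org.":   {"view": INTERNAL_VIEW, "local": {"foo.org."}},
}

# The misconfiguration the post warns against: the firewall resolves from
# the public NS instead of the internal one.
MISCONFIGURED_HOSTS = dict(HOSTS)
MISCONFIGURED_HOSTS["gate.foo.org."] = {"view": EXTERNAL_VIEW, "local": set()}


def relay_path(start_host, rcpt_domain, hosts, max_hops=5):
    """Follow a message from start_host to the recipient domain.

    Each hop does its own MX lookup through the view its host sees,
    as the post describes. Returns (hops, status).
    """
    domain = canon(rcpt_domain)
    host = canon(start_host)
    hops = [host]
    while True:
        entry = hosts.get(host)
        if entry is None:
            return hops, "unknown host"
        if domain in entry["local"]:
            return hops, "delivered"
        mx = best_mx(entry["view"], domain)
        if mx is None:
            return hops, "no MX for domain"
        if mx == host:
            # The relay resolved itself as the best MX: the situation
            # sendmail reports as a mail loop.
            return hops, "mx loops back to relay"
        if mx in hops:
            return hops, "relay loop"
        hops.append(mx)
        if len(hops) > max_hops:
            return hops, "too many hops"
        host = mx


if __name__ == "__main__":
    for label, table in (("correct", HOSTS), ("misconfigured", MISCONFIGURED_HOSTS)):
        hops, status = relay_path("sender.example", "foo.org", table)
        print(f"{label}: {' -> '.join(hops)} [{status}]")
```

Running it prints the two-hop path sender -> gate -> mail for the correct setup and a stop at gate for the misconfigured one. On a real firewall the equivalent check is to query the MX for your domain once against the public NS and once against the internal NS (with `dig MX foo.org @<server>`) and confirm that the firewall's own resolver returns the internal answer.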


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

