DNS & mail

1997/12/17

Contents

Mail System Design
- Domain master
- NULL client
- PPP client
- Back-up mail server
- Firewall and mail server
- Virtual host

Domain Master

- Accepts [email protected] in addition to [email protected]
- When sending mail, [email protected] is set as the sender address
  - For mail that should identify the computer itself (i.e. mail from root), [email protected] is preferred
    - root, daemon, postmaster, etc.
- Accept for multiple domains
  - ACCEPT_ADDRS='sub1.co.jp sub2.x.co.jp'

Domain Master Configuration

- ACCEPT_ADDRS='x.co.jp'
  - the address part which should be accepted (Important!)
- FROM_ADDRESS='x.co.jp'
  - domain part of the default sender address
  - the host name is kept for administrator addresses

NULL Client

[Figure: NULL clients sending everything to the mail server (MS)]

- No spooling
  - All mail goes to the mail server
  - only the definition of the mail server address is needed
    CF_TYPE=R8V7-null
    SPOOL_HOST=mail.x.co.jp

PPP Client

- Dial-up environment, so not always connected
- IP address is assigned upon connection
- DNS host name is not fixed either
- Not good for the internal host name to be public: mail replies will not be returned
- List only addresses that reach the mail server
  - enclose with [] (the A RR is referred to even when there is a lower MX)
  - list [IP address]

InternetWeek'97

- Sending address of the provider mail server is used
- Mail receipt is POP (i.e. popclient)

PPP Client Configuration

- When the provider mail server can be used for sending
    DIRECT_DELIVER_DOMAINS=none
    DEFAULT_RELAY=mail.provider.ne.jp
    FROM_ADDRESS=po.provider.ne.jp
    CON_EXP=True
    SMTP_MAILER_FLAG_ADD=e
- Tips to avoid sending immediately
  - Accumulate initially in mqueue
  - When connected, send everything at once with sendmail -q
  - The sendmail daemon is launched with -bd only (when necessary)
  - Time out for automatic dial-up: O DialDelay=15s

Advanced PPP Client

- Rewriting of the sender address
  - conversion between local and contract user name
  - use of userdb and usertable
- Curb sending from non-contracted addresses
  - use of the check_compat rule set

Back-up Mail Server

- Receives on behalf of the 1st-MX during failures
  - operates as 2nd-MX
- If possible, sends directly, independently of the 1st-MX
  - share alias files with the 1st-MX
  - accept the same addresses
    - all users: ACCEPT_ADDRS=
    - designated users: SECONDARY_*=
      - those not designated wait for recovery of the 1st-MX
- Problem of ML delivery back-up
  - what to do with the sequence number
  - what to do with the archive

Back-up Mail Server (cont'd)

- Share aliases
  - use a sharing system such as NIS
  - also possible to do rdist and newaliases
  - local aliases and shared aliases separated
  - R8 sendmail can handle multiple alias files: OA/etc/aliases,nis:mail.aliases

Firewall and Name Server

- Name server for outside the organization
  - Define all existing mail addresses
    - method that doesn't use a wildcard MX
    - mail that should be an error doesn't reach the gateway
  - When defining a wildcard MX
      $ORIGIN x.co.jp.
      *   IN MX 10 ext-mail.x.co.jp.
    - doesn't show the existence of internal hosts

Firewall and Name Server (cont'd)

- Name server for inside the organization
  - Methods where outside addresses stay hidden from the inside
    - all services go via a proxy
    - a root server is provided within the organization to avoid DNS timeouts
  - Methods that obtain outside addresses with forwarders
    - when a direct connection can be established from inside to outside
    - SOCKS
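A wildcard MX only answers for names that do not otherwise exist in the zone, so a public host that has its own A record (a web server, say) gets no MX from `*.x.co.jp` and mail for it is delivered straight to that A record rather than to the gateway; a name under such a host gets nothing at all. The Python below is an added example, not part of the original slides, that models RFC 1034 wildcard matching over a constructed x.co.jp zone to show which names the slide's wildcard reaches; ext-mail.x.co.jp and 12.34.56.78 come from the slides, the www host and its address are constructed, and CNAMEs and delegations are ignored.

```python
# Added example, not from the original slides: a small model of RFC 1034
# wildcard matching, used to show which owner names the slide's wildcard MX
#   $ORIGIN x.co.jp.
#   *   IN MX 10 ext-mail.x.co.jp.
# actually covers. The zone below is constructed; CNAMEs and delegations are ignored.
ORIGIN = "x.co.jp."
ZONE = {                                    # owner name -> {rrtype: [rdata, ...]}
    "x.co.jp.":          {"NS": ["ns.x.co.jp."], "MX": ["10 ext-mail.x.co.jp."]},
    "*.x.co.jp.":        {"MX": ["10 ext-mail.x.co.jp."]},
    "ext-mail.x.co.jp.": {"A": ["12.34.56.78"]},
    "www.x.co.jp.":      {"A": ["12.34.56.79"]},   # constructed public host, no MX
}

def name_exists(zone, name):
    """A name exists if it owns records or sits above one (empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)

def lookup(zone, name, rrtype, origin=ORIGIN):
    """rdata for name/rrtype with RFC 1034 4.3.3 wildcard rules: '*.d' answers
    only when name does not exist and d is its closest existing ancestor."""
    name = name.lower()
    if name != origin and not name.endswith("." + origin):
        return []                           # outside this zone
    if name_exists(zone, name):
        return zone.get(name, {}).get(rrtype, [])  # existing owner: no wildcard
    while name != origin:
        name = name.split(".", 1)[1]        # climb towards the closest encloser
        if name_exists(zone, name):
            return zone.get("*." + name, {}).get(rrtype, [])
    return []

def mail_target(zone, address):
    """Where SMTP delivers mail for address: best-preference MX, else the A record."""
    domain = address.rsplit("@", 1)[1].lower().rstrip(".") + "."
    mx = lookup(zone, domain, "MX")
    if mx:
        best = min(mx, key=lambda rr: int(rr.split()[0]))
        return "MX " + best.split()[1]
    a = lookup(zone, domain, "A")
    return "A " + a[0] if a else "no route"

if __name__ == "__main__":
    for addr in ("u@x.co.jp", "u@nosuch.x.co.jp", "u@deep.nosuch.x.co.jp",
                 "u@www.x.co.jp", "u@a.www.x.co.jp"):
        print(f"{addr:24} -> {mail_target(ZONE, addr)}")
```

The check to take from this: every host the outside can see needs its own MX pointing at the gateway, or the wildcard hides nothing for that name.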


Firewall and Mail Server (1)

- Structure of name servers and mail servers (to prevent leaking internal info to the outside)
- To cover with 1 mail server
  - a. Method of referring to an outside-search name server, with an internal-target zone
  - b. Method of delivering internal mail according to set rules

With 1 Mail Server

[Figure: layouts a and b. (a) Internet - External NS - split-brain DNS (has internal-target zone) - Mail server; arrows for internal delivery, external delivery and external search. (b) Internet - External NS - split-brain DNS - Mail server with a static delivery rule for internal; arrows for internal delivery and external delivery.]

Firewall and Mail Server (2)

- With 2 mail servers
  - mail server referring to the external DNS
  - mail server referring to the internal DNS
- Formula a
  - static route configuration in between
- Formula b
  - dedicated receiving mail server
  - dedicated sending mail server

With 2 Mail Servers

[Figure: (a) Internet - NS for external - Mail server for external - static sending rule - Mail server for internal - NS for internal. (b) Internet - Mail server for receiving (sends to internal) and Mail server for sending (sends to external).]

Configuration of Mail Server for External

- Static rule for internal delivery
    STATIC_ROUTE_FILE=x.static
  x.static content:
    GW [12.34.56.78]    # (internal.x.co.jp)
    DOM x.co.jp
- able to accept mail addressed to the mail server

Configuration of Mail Server for Internal

- Static rule for external delivery
    DIRECT_DELIVER_DOMAINS=x.co.jp
    DEFAULT_RELAY=external.x.co.jp
  - the relay is the mail server for external

With 1 Name Server (1)

- To make do with 1 NS and 1 MS each...
- a. Place the first MX facing internal by setting the NS
      inner-host  IN MX 10 inner-host
                  IN MX 20 gw
  - direct communication with the 1st-MX is not possible from outside; a time-out occurs
  - stressful for the sender, so not recommended
- b. At the GW, the A RR is referred to in order to deliver mail to the internal host
      inner-host  IN A  12.34.56.78
                  IN MX 10 gw

With 1 Name Server (2)

- c. Map internal hosts to a separate branch
  - inner.domain.jp → inner.domain.jp.local
  - convert the address with sendmail.cf
    - MAP line in STATIC_ROUTE_FILE (CF)
- d. Multiple daemons launched on 1 server
  - configuration of a so-called virtual host

With 1 Name Server (3)

- Method b specific configuration
  - sending from the gateway to the internal host
    - the static route definition looks at the A RR
    - if the 1st-MX is itself, adjust the behavior
        TRY_NULL_MX_LIST=True (CF)
        O TryNullMXList=True (sendmail.cf)
    - if the configuration is incorrect, "local configuration error" will be returned

With 1 Name Server (4)

- Problems with methods a and b
  - although direct communication between internal and external is impossible,
  - internal host information can be seen from outside
- Bind external and internal IP addresses
  - External named and internal named
    - listen-on, query-source, transfer-source (bind 8.1.2)
  - External sendmail and internal sendmail
    - O DaemonPortOptions=Address=12.34.56.78
  - bind8 allow-query alone is insufficient

Hosts within Gateway

- Everything goes to the gateway
    DIRECT_DELIVER_DOMAINS=none
    DEFAULT_RELAY=internal.x.co.jp
- Direct delivery internally
    DIRECT_DELIVER_DOMAINS=x.co.jp
    DEFAULT_RELAY=internal.x.co.jp
- For qmail, defined in control/smtproutes

Virtual Host

- a) Sharing of user space
  - Multiple addresses used on one host
      USERTABLE_MAPS='domain1=hash:/etc/map1 \
                      domain2=hash:/etc/map2'
- b) Separation of user space (1)
  - Multiple IP addresses for one host
  - Bind sendmail to each address
      O DaemonPortOptions=Address=1.2.3.4
  - Good to separate the environment also with chroot

Virtual Host (cont'd)

- c) Separation of user space (2)
  - Switch the local mailer for each address
    - Work with sendmail.cf
  - Use a separate database from /etc/passwd
    - Dedicated service such as POP
  - Authenticate the user with an identifier including the domain name

System Design Wrap-up

- What addresses will be accepted
- Choosing the sending method by address
  - Delivery destination statically defined
  - Refer to the name server (MX)
- Clarify these conditions

Supplement: useful sendmail techniques

- Gather mail waiting to be sent at one host
- Reject huge messages
- Change processing depending on the sender address
- If sending with SMTP fails, send with UUCP
- Designation of the mailer processing sequence
- Configure an ML at the personal level

To gather mail waiting to be sent at one host

- Use the FallBackMX option
  - when DNS can't be checked
  - when mail can't be sent to any MX, transfer the mail to the designated host
- Administration etc. of mqueue is easier
- Route trouble is easier to catch
  - adjustment of the longest storage life

Reject Huge Messages

- When using the MaxMessageSize option
  - reject the message if it surpasses the size upon receipt
  - when using ESMTP, the size is notified at MAIL FROM, so reject there
- When designating M= in the mailer definition
  - receive the message initially
  - check the size immediately before sending
  - because the acceptable size range may differ depending on the mailer

Change processing depending on the sender address

- Carry out categorization of error mail and spam at the sendmail.cf level

    CT root news postmaster MAILER-DAEMON uucp cron
    S0
    # Envelope sender
    R $*                      $: $1 $| $>3 $&f
    # when <>
    R motonori $| <@>         $: trash
    # review at class T
    R motonori $| $=T<@$*>    $: trash
    R $* $| $*                $: $1

If SMTP doesn't work, send with UUCP (3.1W patch)

- Use the function that launches multiple mailers sequentially
    S0
    R $*<@x.co.jp>$*    $# smtp $@ x.co.jp $: $1<@x.co.jp>$2 $# uucp $@ uucp-x $: $1<@x.co.jp>$2
  - the two mailer specifications on the right-hand side are separated by a space

Designation of Mailer Processing Sequence (3.1W patch)

- Use the CF local deliver function
- With a large-scale ML etc., when local delivery processing before SMTP (to oneself, archive) is preferred
  - Designate the priority (cost) in the mailer definition with %=
      Mlocal …, %=0
      Msmtp …, %=10    (processed after the local mailer)

Configure ML on personal level

- Not only user@host, user+opt@host may also be used
  - [email protected] is also supported
- The user can use .forward as well as .forward+opt and .forward+default
- By configuring .forward+ML, [email protected] can be employed
- Reference: Samples/virt-domain+.def

Important sendmail options (1)

- EightBitMode=pass8
  - 8bit data that is not MIME may pass through
- SendMimeErrors
  - Whether or not to return error notifications according to RFC1894, DSN (Delivery Status Notification)
- MeToo
  - Whether or not to send back to the sender when the sender is included in the alias expansion

Important sendmail options (2)

- PrivacyOption
  - Forbidding of SMTP EXPN, VRFY, etc.
- DoubleBounceAddress
  - Destination address in case error mail can't be returned to the sender
  - Take note that the body of the mail will also be sent
- QueueSortOrder
  - sort sequence of mail accumulated in mqueue
  - by order of time might be good (order of arrival)

Important sendmail options (3)

- PostMasterCopy
  - Send the header only of error mail to the postmaster as well
  - to prevent fatal troubles before they happen
- ConnectionCacheSize
  - Number of SMTP connections to keep open
  - Helpful for the run queue

Important sendmail options (4)

- MinQueueAge
  - Minimum resend interval for mail accumulated in mqueue
  - To override when resending manually, use -qI
- ConnectionRateThrottle
  - Number of receiving connections allowed per second
  - Default is 0 (unlimited)
  - Might be effective against DoS attacks
- DontProbeInterface
  - prohibits reverse look-up of the interface addresses upon launching

Important sendmail options (5)

- DontBlameSendmail
  - From the later half of 8.7, for better host-internal security, sendmail became stricter towards file modes etc.
  - Designate when you want to ease the checks
  - Details at http://www.jpcert.or.jp/tech/98-0001/

Important sendmail options (6)

- Timeout.queuereturn.*
  - Maximum time limit for resending mail that has not reached its destination
  - Once exceeded, an error is returned to the sender
  - Consider long holidays when deciding the limit
- Timeout.queuewarn.*
  - Time until notifying that the mail is in resend mode
  - Set at 0 when unneeded
