(OT) IP Filter: Multiple mail servers behind one firewall


Post by Alexander Selc » Tue, 18 Nov 2003 22:53:26



Hello,

I want to run 2 different mail servers behind an IPF Firewall, one
serving domain-a.com and the other serving domain-b.com:

        OUTSIDE
----------||-----------
      ------------
      | Firewall |
      ------------
        /      \
       /        \
      /          \
------------   ------------
|Mailserver|   |Mailserver|
|Domain-a  |   |Domain-b  |
------------   ------------

Problem is, tcp/ip packets don't contain domain name information, only
IP address and TCP/IP port.
Is there any way getting this setup to work?

Regards,
Alex

 
 
 


Post by Barbie LeVil » Wed, 19 Nov 2003 06:48:00


On Mon, 17 Nov 2003 14:53:26 +0100


> Hello,

> I want to run 2 different mail servers behind an IPF Firewall, one
> serving domain-a.com and the other serving domain-b.com:

>         OUTSIDE
> ----------||-----------
>       ------------
>       | Firewall |
>       ------------
>         /      \
>        /        \
>       /          \
> ------------   ------------
> |Mailserver|   |Mailserver|
> |Domain-a  |   |Domain-b  |
> ------------   ------------

> Problem is, tcp/ip packets don't contain domain name information, only
> IP address and TCP/IP port.
> Is there any way getting this setup to work?

One way would be to NAT.
Use two different IPs on the outside, and port forward those to the
different mailservers inside.

--
Barbie - Prayers are like junkmail for Jesus

I have seen things you lusers would not believe.
I've seen Sun monitors on fire off the side of the multimedia lab.
I've seen NTU lights glitter in the dark near the Mail Gate.
All these things will be lost in time, like the root partition last week.
Time to die.

 
 
 


Post by Thomas H Jones I » Sat, 22 Nov 2003 05:49:38




>Hello,

>I want to run 2 different mail servers behind an IPF Firewall, one
>serving domain-a.com and the other serving domain-b.com:

>        OUTSIDE
>----------||-----------
>      ------------
>      | Firewall |
>      ------------
>        /      \
>       /        \
>      /          \
>------------   ------------
>|Mailserver|   |Mailserver|
>|Domain-a  |   |Domain-b  |
>------------   ------------

>Problem is, tcp/ip packets don't contain domain name information, only
>IP address and TCP/IP port.
>Is there any way getting this setup to work?

You have two choices, but both require two external IPs:

- put the real IPs on the mail servers and set up the firewall to do
  transparent bridging/filtering
- put both real IPs on the external interface of the firewall and do
  a one-to-one NAT of each address to a mailserver.

-tom

 
 
 


Post by Logan Sha » Sat, 22 Nov 2003 09:10:36





>>I want to run 2 different mail servers behind an IPF Firewall, one
>>serving domain-a.com and the other serving domain-b.com:

      :
      :

>>Problem is, tcp/ip packets don't contain domain name information, only
>>IP address and TCP/IP port.
>>Is there any way getting this setup to work?
> You have two choices, but both require two external IPs:

Couldn't you also just make mail.domain-a.com a Mail eXchanger for
mail.domain-b.com?  Then, expose mail.domain-a.com's IP address
beyond the firewall.  Mail for domain-b.com will come in to
mail.domain-a.com but will get forwarded to mail.domain-a.com
immediately and without a huge cost.

This only addresses the SMTP end of things.  The POP or IMAP
end (accessing the mailboxes) is a little tougher.  There may be
some software out there that can do application level proxy
load-levelling, and you could configure it to direct the TCP
connections to the right place with some sort of rule.  Or,
if that doesn't exist, you probably could run the POP and IMAP
daemons on different ports on mail.domain-b.com.  You'd have
to translate the ports at the firewall, though.

Of course, it would be a million times cleaner to have a separate
public IP address for each domain.

   - Logan

 
 
 


Post by Thomas H Jones I » Sun, 23 Nov 2003 05:09:37




>This only addresses the SMTP end of things.  The POP or IMAP
>end (accessing the mailboxes) is a little tougher.  There may be
>some software out there that can do application level proxy
>load-levelling, and you could configure it to direct the TCP
>connections to the right place with some sort of rule.  Or,
>if that doesn't exist, you probably could run the POP and IMAP
>daemons on different ports on mail.domain-b.com.  You'd have
>to translate the ports at the firewall, though.

Or, use an A record for each service, but all have the same value, e.g.:
   mail.mydomain.com EXT.IP.5.5
   pop.mydomain.com  EXT.IP.5.5
   imap.mydomain.com EXT.IP.5.5
   ftp.mydomain.com  EXT.IP.5.5

All services could run on a single box, or use PNAT to forward the appropriate
ports on the external IPs to corresponding ports on whichever internal hosts
are providing the service. The PNATing is actually fairly trivial (one rule
- the rdr - in ipnat.conf and one - the allow - in ipf.conf for each service).

-tom
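
The rules discussed in this thread, written out as an added example that was not posted by any participant. The interface name hme0, the external addresses 192.0.2.10 and 192.0.2.11, the internal addresses 10.0.0.10 and 10.0.0.11, and the alternate ports 1110 and 1143 are all assumptions chosen for illustration.

```conf
# ===== ipnat.conf =====
# Assumed: hme0 = external interface,
#          192.0.2.10, 192.0.2.11 = external IPs,
#          10.0.0.10 = domain-a server, 10.0.0.11 = domain-b server.

# domain-a: SMTP, POP3 and IMAP on the first external IP
rdr hme0 192.0.2.10/32 port 25 -> 10.0.0.10 port 25 tcp
rdr hme0 192.0.2.10/32 port 110 -> 10.0.0.10 port 110 tcp
rdr hme0 192.0.2.10/32 port 143 -> 10.0.0.10 port 143 tcp

# Option A (two external IPs): domain-b gets the second address
rdr hme0 192.0.2.11/32 port 25 -> 10.0.0.11 port 25 tcp
rdr hme0 192.0.2.11/32 port 110 -> 10.0.0.11 port 110 tcp
rdr hme0 192.0.2.11/32 port 143 -> 10.0.0.11 port 143 tcp

# Option B (one external IP): use these INSTEAD of the Option A block.
# MX records carry no port number, so inbound SMTP has to stay on
# port 25 of the single external IP; only mailbox access (POP3/IMAP)
# can be moved to alternate external ports and translated here.
#rdr hme0 192.0.2.10/32 port 1110 -> 10.0.0.11 port 110 tcp
#rdr hme0 192.0.2.10/32 port 1143 -> 10.0.0.11 port 143 tcp

# ===== ipf.conf (external, inbound side only) =====
# Inbound packets are translated by ipnat before ipf filters them,
# so the pass rules name the INTERNAL address and port.
# Default: block and log everything arriving on the outside...
block in log on hme0 all
# ...except new connections to the published mail services.
pass in quick on hme0 proto tcp from any to 10.0.0.10/32 port = 25 flags S keep state
pass in quick on hme0 proto tcp from any to 10.0.0.10/32 port = 110 flags S keep state
pass in quick on hme0 proto tcp from any to 10.0.0.10/32 port = 143 flags S keep state
pass in quick on hme0 proto tcp from any to 10.0.0.11/32 port = 25 flags S keep state
pass in quick on hme0 proto tcp from any to 10.0.0.11/32 port = 110 flags S keep state
pass in quick on hme0 proto tcp from any to 10.0.0.11/32 port = 143 flags S keep state
# With Option B, drop the 10.0.0.11 port 25 rule: nothing is redirected
# to it, so leaving it in only widens the rule set for no benefit.
```

After loading, `ipnat -l` lists the active rdr rules and current translations, which is the quickest way to confirm each external address and port lands on the intended internal host.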

 
 
 
