Multiple Mail/HTTP Server in DMZ

David Meier

 
      07-16-2003, 04:03 PM
Hi all,

I need some input to get me started on the following issue:

I want to build a firewall (with iptables) on a server with two NICs.
The first has an official IP Address (let's say 1.2.3.4) and the second
one connects to an internal network (10.0.0.0). Now I want to put two
or more mail servers and/or web servers in that private network, each
of them answering requests for a different domain. Is it possible to
forward requests in the following way, let's say for email traffic?

domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25

I don't know if this can be solved using iptables or not (newbie). I
would appreciate any input on this.

Dave
Phil Frisbie, Jr.

 
      07-16-2003, 06:57 PM
David Meier wrote:

> Hi all,
>
> I need some input to get me started on the following issue:
>
> I want to build a firewall (with iptables) on a server with two NICs.
> The first has an official IP Address (let's say 1.2.3.4) and the second
> one connects to an internal network (10.0.0.0). Now I want to put two
> or more mail servers and/or web servers in that private network, each
> of them answering requests for a different domain. Is it possible to
> forward requests in the following way, let's say for email traffic?
>
> domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
> domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
>
> I don't know if this can be solved using iptables or not (newbie). I
> would appreciate any input on this.


You need an external IP for each server.

> Dave


--
Phil Frisbie, Jr.
Hawk Software
http://www.hawksoft.com

David Efflandt

 
      07-16-2003, 10:19 PM
On 16 Jul 2003 09:03:17 -0700, David Meier <(E-Mail Removed)> wrote:
> Hi all,
>
> I need some input to get me started on the following issue:
>
> I want to build a firewall (with iptables) on a server with two NICs.
> The first has an official IP Address (let's say 1.2.3.4) and the second
> one connects to an internal network (10.0.0.0). Now I want to put two
> or more mail servers and/or web servers in that private network, each
> of them answering requests for a different domain. Is it possible to
> forward requests in the following way, let's say for email traffic?
>
> domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
> domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
>
> I don't know if this can be solved using iptables or not (newbie). I
> would appreciate any input on this.


iptables knows nothing about hostnames (just IPs). You need an smtp
server on the firewall that will relay to the appropriate internal host.
And to do that, you would likely need either mailertable entries
(sendmail) or transport file entries (postfix) to relay the mail to the
private name or IP (in square brackets) of each internal server.

I have 3 smtp servers just to test things and learn how they work
(no-ip.com names). 1 (primary) receives mail for itself and another box
(used for fetchmail, which can also send). The primary server also relays
any mail addressed to my wireless laptop to my laptop (which can also
send). Everything works, including relaying only SBC Yahoo related mail
through their authenticated outgoing relay, and any other mail directly.

Similarly at our factory, we have a RedHat smtp server that virus filters
all incoming/outgoing mail, and relays mail for certain mobile users to an
internal exchange server, so they can access their mail from anywhere
using Outlook Web Access (different public IP).

--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
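As an added example (not from the thread or from any poster), the relay-side configuration the answer above describes: Postfix on the firewall host accepts mail for the two domains from the original post and hands each to its internal server, with the relay scoped so the host cannot be used as an open relay. The file paths and the recipient names are assumptions. An equivalent sendmail mailertable is shown at the end.

```text
# /etc/postfix/main.cf (added example; Postfix comments must start a line)

# Accept relaying only for the hosted domains. Anything else is refused,
# so the firewall does not become an open relay.
relay_domains = domain1.com, domain2.com

# Per-domain next hop; see the transport file below.
transport_maps = hash:/etc/postfix/transport

# Knowing the valid recipients up front lets the relay reject unknown
# users at RCPT TO instead of accepting and bouncing later (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Relay for trusted networks, otherwise only for relay_domains.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# /etc/postfix/transport   (rebuild with: postmap /etc/postfix/transport)
# Square brackets mean "connect to this host directly, no MX lookup",
# which is what you want for a private address like 10.0.0.1.
# The leading-dot entries cover subdomains, which transport_maps does
# not match by default.
domain1.com     smtp:[10.0.0.1]
.domain1.com    smtp:[10.0.0.1]
domain2.com     smtp:[10.0.0.2]
.domain2.com    smtp:[10.0.0.2]

# /etc/postfix/relay_recipients   (assumed users; postmap this file too)
alice@domain1.com   OK
bob@domain2.com     OK

# sendmail equivalent, /etc/mail/mailertable
# (needs FEATURE(`mailertable') in sendmail.mc and
#  makemap hash /etc/mail/mailertable < /etc/mail/mailertable)
domain1.com     esmtp:[10.0.0.1]
domain2.com     esmtp:[10.0.0.2]
```

The internal servers still need to accept mail for their own domain from the firewall's 10.0.0.0 address; the firewall only decides where each message goes.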
Whoever

 
      07-17-2003, 01:04 AM
On Wed, 16 Jul 2003, Phil Frisbie, Jr. wrote:

> David Meier wrote:
>
> > Hi all,
> >
> > I need some input to get me started on the following issue:
> >
> > I want to build a firewall (with iptables) on a server with two NICs.
> > The first has an official IP Address (let's say 1.2.3.4) and the second
> > one connects to an internal network (10.0.0.0). Now I want to put two
> > or more mail servers and/or web servers in that private network, each
> > of them answering requests for a different domain. Is it possible to
> > forward requests in the following way, let's say for email traffic?
> >
> > domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
> > domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
> >
> > I don't know if this can be solved using iptables or not (newbie). I
> > would appreciate any input on this.

>
> You need an external IP for each server.


Or some kind of smtp proxy or smtp server which receives and forwards the
emails according to the domain name.

>
> > Dave

>
>



David Meier

 
      07-17-2003, 03:40 PM
Thank you all for the input. And how could the problem be solved for the
web traffic on port 80, since the mail servers all come with webmail
access?

Dave

(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> On 16 Jul 2003 09:03:17 -0700, David Meier <(E-Mail Removed)> wrote:
> > Hi all,
> >
> > I need some input to get me started on the following issue:
> >
> > I want to build a firewall (with iptables) on a server with two NICs.
> > The first has an official IP Address (let's say 1.2.3.4) and the second
> > one connects to an internal network (10.0.0.0). Now I want to put two
> > or more mail servers and/or web servers in that private network, each
> > of them answering requests for a different domain. Is it possible to
> > forward requests in the following way, let's say for email traffic?
> >
> > domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
> > domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
> >
> > I don't know if this can be solved using iptables or not (newbie). I
> > would appreciate any input on this.

>
> iptables knows nothing about hostnames (just IPs). You need an smtp
> server on the firewall that will relay to the appropriate internal host.
> And to do that, you would likely need either mailertable entries
> (sendmail) or transport file entries (postfix) to relay the mail to the
> private name or IP (in square brackets) of each internal server.
>
> I have 3 smtp servers just to test things and learn how they work
> (no-ip.com names). 1 (primary) receives mail for itself and another box
> (used for fetchmail, which can also send). The primary server also relays
> any mail addressed to my wireless laptop to my laptop (which can also
> send). Everything works, including relaying only SBC Yahoo related mail
> through their authenticated outgoing relay, and any other mail directly.
>
> Similarly at our factory, we have a RedHat smtp server that virus filters
> all incoming/outgoing mail, and relays mail for certain mobile users to an
> internal exchange server, so they can access their mail from anywhere
> using Outlook Web Access (different public IP).

David Efflandt

 
      07-19-2003, 03:40 AM
On 17 Jul 2003 08:40:20 -0700, David Meier <(E-Mail Removed)> wrote:
> Thank you all for the input. And how could the problem be solved for the
> web traffic on port 80, since the mail servers all come with webmail
> access?


One webserver would have to proxy for the others as virtual hosts that are
on private IPs (unless you want to use different port in URL for each).
See apache docs for mod_proxy and ProxyPass.

> (E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
>> On 16 Jul 2003 09:03:17 -0700, David Meier <(E-Mail Removed)> wrote:
>> > Hi all,
>> >
>> > I need some input to get me started on the following issue:
>> >
>> > I want to build a firewall (with iptables) on a server with two NICs.
>> > The first has an official IP Address (let's say 1.2.3.4) and the second
>> > one connects to an internal network (10.0.0.0). Now I want to put two
>> > or more mail servers and/or web servers in that private network, each
>> > of them answering requests for a different domain. Is it possible to
>> > forward requests in the following way, let's say for email traffic?
>> >
>> > domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
>> > domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
>> >
>> > I don't know if this can be solved using iptables or not (newbie). I
>> > would appreciate any input on this.

>>
>> iptables knows nothing about hostnames (just IPs). You need an smtp
>> server on the firewall that will relay to the appropriate internal host.
>> And to do that, you would likely need either mailertable entries
>> (sendmail) or transport file entries (postfix) to relay the mail to the
>> private name or IP (in square brackets) of each internal server.
>>
>> I have 3 smtp servers just to test things and learn how they work
>> (no-ip.com names). 1 (primary) receives mail for itself and another box
>> (used for fetchmail, which can also send). The primary server also relays
>> any mail addressed to my wireless laptop to my laptop (which can also
>> send). Everything works, including relaying only SBC Yahoo related mail
>> through their authenticated outgoing relay, and any other mail directly.
>>
>> Similarly at our factory, we have a RedHat smtp server that virus filters
>> all incoming/outgoing mail, and relays mail for certain mobile users to an
>> internal exchange server, so they can access their mail from anywhere
>> using Outlook Web Access (different public IP).



--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
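As an added example, not from the thread or from any poster: the Apache reverse-proxy setup the answer above points to, assuming an Apache 2.2-era httpd with mod_proxy and mod_proxy_http loaded on the firewall host, the addresses from the original post, and the webmail paths living at the root of each internal server. It also adds a catch-all default host so a request with an unexpected Host header is not forwarded to an internal server.

```apache
# httpd.conf on the firewall host (added example, not from the thread).
# One public address, several name-based virtual hosts, each proxied to
# one internal webmail server. Apache picks the vhost from the HTTP Host
# header, which is exactly what iptables cannot see.
NameVirtualHost 1.2.3.4:80

# Reverse proxying only. ProxyRequests On would make this an open
# forward proxy reachable from the Internet.
ProxyRequests Off

# Pass the client's Host header through so each backend sees its own name.
ProxyPreserveHost On

# First vhost is the default for any Host name not listed below.
# It serves an empty directory (assumed path) instead of an internal host.
<VirtualHost 1.2.3.4:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName domain1.com
    ServerAlias www.domain1.com webmail.domain1.com
    ProxyPass        / http://10.0.0.1/
    ProxyPassReverse / http://10.0.0.1/
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName domain2.com
    ServerAlias www.domain2.com webmail.domain2.com
    ProxyPass        / http://10.0.0.2/
    ProxyPassReverse / http://10.0.0.2/
</VirtualHost>
```

ProxyPassReverse rewrites Location headers in the backends' redirects so clients are not sent to the 10.0.0.x addresses; on Apache 2.4 the NameVirtualHost line is no longer needed.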
David Meier

 
      07-19-2003, 08:16 PM
Thanks again and sorry for another question I forgot about: How could
POP3 and IMAP traffic be handled in this setup?

(E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> On 17 Jul 2003 08:40:20 -0700, David Meier <(E-Mail Removed)> wrote:
> > Thank you all for the input. And how could the problem be solved for the
> > web traffic on port 80, since the mail servers all come with webmail
> > access?

>
> One webserver would have to proxy for the others as virtual hosts that are
> on private IPs (unless you want to use different port in URL for each).
> See apache docs for mod_proxy and ProxyPass.
>
> > (E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
> >> On 16 Jul 2003 09:03:17 -0700, David Meier <(E-Mail Removed)> wrote:
> >> > Hi all,
> >> >
> >> > I need some input to get me started on the following issue:
> >> >
> >> > I want to build a firewall (with iptables) on a server with two NICs.
> >> > The first has an official IP Address (let's say 1.2.3.4) and the second
> >> > one connects to an internal network (10.0.0.0). Now I want to put two
> >> > or more mail servers and/or web servers in that private network, each
> >> > of them answering requests for a different domain. Is it possible to
> >> > forward requests in the following way, let's say for email traffic?
> >> >
> >> > domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
> >> > domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
> >> >
> >> > I don't know if this can be solved using iptables or not (newbie). I
> >> > would appreciate any input on this.
> >>
> >> iptables knows nothing about hostnames (just IPs). You need an smtp
> >> server on the firewall that will relay to the appropriate internal host.
> >> And to do that, you would likely need either mailertable entries
> >> (sendmail) or transport file entries (postfix) to relay the mail to the
> >> private name or IP (in square brackets) of each internal server.
> >>
> >> I have 3 smtp servers just to test things and learn how they work
> >> (no-ip.com names). 1 (primary) receives mail for itself and another box
> >> (used for fetchmail, which can also send). The primary server also relays
> >> any mail addressed to my wireless laptop to my laptop (which can also
> >> send). Everything works, including relaying only SBC Yahoo related mail
> >> through their authenticated outgoing relay, and any other mail directly.
> >>
> >> Similarly at our factory, we have a RedHat smtp server that virus filters
> >> all incoming/outgoing mail, and relays mail for certain mobile users to an
> >> internal exchange server, so they can access their mail from anywhere
> >> using Outlook Web Access (different public IP).

David Efflandt

 
      07-20-2003, 04:29 PM
On 19 Jul 2003 13:16:33 -0700, David Meier <(E-Mail Removed)> wrote:
> Thanks again and sorry for another question I forgot about: How could
> POP3 and IMAP traffic be handled in this setup?


It would be relatively easy if one server received all incoming mail for
all the virtual domains and everyone had a unique username. It would get
a bit more complicated if you have (E-Mail Removed)in and (E-Mail Removed)in.
But I just ssh in and use pine, so I do not know pop3/imap server details.

I do know that when the same pop3/imap server handles multiple domains,
the login username typically includes the domain. For example my pop3
username for SBC is my full e-mail address. On the other hand, my pop3
username on a virtual host is just my unique login name.

> (E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
>> On 17 Jul 2003 08:40:20 -0700, David Meier <(E-Mail Removed)> wrote:
>> > Thank you all for the input. And how could the problem be solved for the
>> > web traffic on port 80, since the mail servers all come with webmail
>> > access?

>>
>> One webserver would have to proxy for the others as virtual hosts that are
>> on private IPs (unless you want to use different port in URL for each).
>> See apache docs for mod_proxy and ProxyPass.
>>
>> > (E-Mail Removed) (David Efflandt) wrote in message news:<(E-Mail Removed)>...
>> >> On 16 Jul 2003 09:03:17 -0700, David Meier <(E-Mail Removed)> wrote:
>> >> > Hi all,
>> >> >
>> >> > I need some input to get me started on the following issue:
>> >> >
>> >> > I want to build a firewall (with iptables) on a server with two NICs.
>> >> > The first has an official IP Address (let's say 1.2.3.4) and the second
>> >> > one connects to an internal network (10.0.0.0). Now I want to put two
>> >> > or more mail servers and/or web servers in that private network, each
>> >> > of them answering requests for a different domain. Is it possible to
>> >> > forward requests in the following way, let's say for email traffic?
>> >> >
>> >> > domain1.com -> 1.2.3.4 on Port 25 -> 10.0.0.1 on Port 25
>> >> > domain2.com -> 1.2.3.4 on Port 25 -> 10.0.0.2 on Port 25
>> >> >
>> >> > I don't know if this can be solved using iptables or not (newbie). I
>> >> > would appreciate any input on this.
>> >>
>> >> iptables knows nothing about hostnames (just IPs). You need an smtp
>> >> server on the firewall that will relay to the appropriate internal host.
>> >> And to do that, you would likely need either mailertable entries
>> >> (sendmail) or transport file entries (postfix) to relay the mail to the
>> >> private name or IP (in square brackets) of each internal server.
>> >>
>> >> I have 3 smtp servers just to test things and learn how they work
>> >> (no-ip.com names). 1 (primary) receives mail for itself and another box
>> >> (used for fetchmail, which can also send). The primary server also relays
>> >> any mail addressed to my wireless laptop to my laptop (which can also
>> >> send). Everything works, including relaying only SBC Yahoo related mail
>> >> through their authenticated outgoing relay, and any other mail directly.
>> >>
>> >> Similarly at our factory, we have a RedHat smtp server that virus filters
>> >> all incoming/outgoing mail, and relays mail for certain mobile users to an
>> >> internal exchange server, so they can access their mail from anywhere
>> >> using Outlook Web Access (different public IP).



--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/