On 12/11/2010 14:52, Carlos Mennens wrote:
> I was just curious: is it common in enterprise environments for Linux
> administrators to combine their primary email server (Postfix) with
> their company's web server (Apache)? I'm just more curious than
> anything, and I know this is a relative question with random possible
> answers, but I was just wondering: if hardware resources are not an
> issue, just from a software / configuration standpoint, is it likely
> to just have mail on a separate server and web on another, or do most
> commonly configure and combine those two services on one Linux
> machine? Just trying to get an idea of what most / the majority do when
> configuring their company's Postfix mail server.

Unless you have a budget issue, you should run different services on
different OSes (different physical servers or different VMs). This
makes it easier to watch one service for anomalies. If you put every
service on a single box, you'll have a hard time finding out which one
has caused that foo to bar (exceptionally since that foo may bar because
of a combination of services).
Another thing to keep in mind is dependencies: if two services run on
the same OS, they will use the same libraries. You can't upgrade one
service unless you are certain that upgrade won't break the other
service (example: if both postfix and apache depend on openssl, then it
won't be easy to use different versions of openssl, one for apache and
one for postfix).
For similar reasons, inbound smtp relays (MX), outbound smtp relays
("RMX") and "mail access servers" (POP3/IMAP) are not mixed in
"enterprise" setups (whatever "enterprise" really means :).
Also, in a dual firewall setup (which is not uncommon),
- inbound and outbound smtp relays, proxies, reverse proxies, ... are in
the zone between the external and internal firewall.
- web and app servers are "inside" (so they are separated from the
internet by the internal and the external firewall).
- (almost) no traffic goes between the internet and the "inside" without
being intercepted by a proxy/reverse-proxy/relay.
In short, the system formed by the two firewalls and the DMZ between
them forms a "bigger" firewall. Call it a (real?) UTM or whatever. It
has two layers of firewalls (most people prefer different firewall
technologies, which implies a slightly higher cost) and application
level proxies/gateways.
Of course, these are general rules. (And another one is "the perfect is
the enemy of the good"...).
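Not part of the thread: an added Python sketch that turns the dual-firewall rules of thumb above (relays and proxies in the DMZ, web/app servers inside, no direct traffic between the internet and the inside) into a small zone-policy audit. The zone names, the sample ruleset and the port choices are constructed for illustration; the functions `evaluate` and `audit` are hypothetical helpers, not any firewall product's API.

```python
"""Audit a zone-based, first-match firewall ruleset against the DMZ design
discussed in the thread: internet <-> DMZ and DMZ <-> inside are expected,
a direct internet <-> inside accept rule bypasses the relay/proxy layer.
All rules below are a constructed sample, not a real configuration."""
from dataclasses import dataclass
from typing import List, Optional

# The three zones of a dual-firewall layout (assumed names).
ZONES = {"internet", "dmz", "inside"}


@dataclass(frozen=True)
class Rule:
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # destination TCP port; None means any port
    action: str          # "accept" or "drop"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src == src and self.dst == dst
                and (self.port is None or self.port == port))


# Constructed sample ruleset, first match wins, implicit final drop.
SAMPLE_RULES = [
    Rule("internet", "dmz", 25, "accept"),      # 0: inbound MX relay
    Rule("internet", "dmz", 443, "accept"),     # 1: reverse proxy
    Rule("dmz", "inside", 25, "accept"),        # 2: MX hands mail to the internal hub
    Rule("dmz", "inside", 8080, "accept"),      # 3: reverse proxy -> app server
    Rule("inside", "dmz", 587, "accept"),       # 4: clients submit to outbound relay
    Rule("internet", "inside", 22, "accept"),   # 5: bypasses the DMZ (should be flagged)
    Rule("inside", "internet", 80, "accept"),   # 6: no proxy in the path (should be flagged)
    Rule("internet", "dmz", 25, "drop"),        # 7: dead rule, shadowed by rule 0
]


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the action for a flow: first matching rule, else default deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "drop"


def audit(rules: List[Rule]) -> List[str]:
    """One finding per rule that violates the design or can never match."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.src not in ZONES or rule.dst not in ZONES:
            findings.append(f"rule {i}: unknown zone in {rule.src}->{rule.dst}")
            continue
        # A rule is dead if an earlier rule already covers the same flows.
        for j in range(i):
            earlier = rules[j]
            if (earlier.src == rule.src and earlier.dst == rule.dst
                    and (earlier.port is None or earlier.port == rule.port)):
                findings.append(f"rule {i} never matches: shadowed by rule {j}")
                break
        if rule.action != "accept":
            continue
        # Internet and inside must only talk through the DMZ, in either direction.
        if {rule.src, rule.dst} == {"internet", "inside"}:
            findings.append(
                f"rule {i}: direct {rule.src}->{rule.dst} port {rule.port} "
                "bypasses the DMZ proxies/relays")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running the script lists rules 5 and 6 as DMZ bypasses and rule 7 as shadowed; the first five rules, which only cross one firewall each, produce no findings.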