On 11/04/2012 09:52 PM, Roman Gelfand wrote:
This is an excellent help.

Just to confirm.  You are saying that 1) postfix should be just on a
gateway without SASL service 2) the mail gateway should, after doing
some filtering, pass the email to the back end server which is dovecot
via lmtp. 3) setup virtual users and sasl authentication on dovecot.
4) for outbound email, the user agents should use mail gateway.

Please, let me know if this is what you meant.

You've got it.

While this creates a dependency on the dovecot/SASL machine to be running in order to be able to /send/ mail, this dependency existed already, since it must be running to _deliver_ mail, too. Collapsing all authentication duties onto one server means simpler (centralized) administration, too.

If the absence of a queueing mechanism on the mailstore is unacceptable to you, by all means add one, and use that for local submission - but it doesn't solve the issue of the mailstore being down, since both machines really need to be running in order to send or receive mail. To solve that conundrum, you'd have to have some way of synchronizing the authentication database across the two machines, which is a bit out of the scope of this list.

You might consider setting up both boxes as full standalone MTA/mailstore systems, but again, that requires you to synchronize the mailstores themselves.

It's always a balance of risk vs. practicality.


Thanks again

On Sun, Nov 4, 2012 at 3:17 PM, Jeroen Geilman <jer...@adaptr.nl> wrote:
On 11/04/2012 04:09 PM, Roman Gelfand wrote:
Consider the following config...

postfixF - mail gateway
postfixB - backend mail server

The mail client agents are pointing to postfixB for outbound email.

That sounds backwards. Since the former machine is your mail gateway, surely
that handles all outgoing mail.
In case you really meant that it is your MX, there is no reason not to use
it for both.


Both postfixF and postfixB are authenticating users using the saslauthd
service.  In postfixB's main.cf, relayhost is set to postfixF.  Assuming the same
user/password exists on both servers, is it possible to specify in
postfixB's main.cf/master.cf just the user name with which to connect
to postfixF?

No, that doesn't make sense.
SASL authentication (whether for relaying or anything else) happens on the
machine you are authenticating against.
So it doesn't matter if the SASL user exists on the sending machine; it has
to exist on the receiving relayhost.

Your setup sounds sub-optimal, since these functions can (and most likely
should) be combined to offer a robust and simple interface.

I would suggest using a single authentication service to both send and read
mail, since SASL is easily scaled over multiple machines.
This saves you from duplicating the user database, and all possible user
errors that may ensue.
Since this authentication service will be used on the mailbox store to
validate IMAP users, it makes most sense to run it from there, especially
since Dovecot can do both IMAP and SASL exceedingly well.

Furthermore, it is debatable whether postfix is even needed on a backend
mail store (unless it has to do a lot of routing or manipulation), since
postfix is an MTA, not a mail store.

--
J.



--
J.
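The arrangement the thread converges on (Postfix on the gateway with no saslauthd of its own, delegating SMTP AUTH to the Dovecot auth service on the mailstore, delivering to the mailstore over LMTP, and user agents submitting through the gateway) looks roughly like the following. This is an added example configuration, not taken from the thread or from either project's documentation; it assumes Dovecot 2.x and a Postfix built with Dovecot SASL support, and the domain, addresses, ports and file paths are constructed placeholders.

```conf
# --- Gateway (postfixF), /etc/postfix/main.cf -----------------------------
# No local saslauthd: SMTP AUTH is verified by the Dovecot auth service on
# the mailstore (constructed address 10.0.0.2, constructed port 12345).
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:10.0.0.2:12345
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
# Mailboxes live on the mailstore; hand accepted mail to Dovecot over LMTP.
virtual_mailbox_domains = example.com
virtual_transport = lmtp:inet:10.0.0.2:24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# --- Gateway (postfixF), /etc/postfix/master.cf ---------------------------
# Port 25 stays a plain MX (AUTH is not offered there); user agents submit
# on 587, where AUTH is only offered after STARTTLS.
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- Mailstore (Dovecot 2.x), conf.d/10-master.conf -----------------------
# Expose the auth service and LMTP to the gateway on the internal interface
# only. The auth protocol carries the password unencrypted, so this
# listener must be reachable solely from the gateway (firewall it).
service auth {
  inet_listener {
    address = 10.0.0.2
    port = 12345
  }
}
service lmtp {
  inet_listener lmtp {
    address = 10.0.0.2
    port = 24
  }
}

# --- Mailstore (Dovecot 2.x), conf.d/10-auth.conf -------------------------
# One virtual-user database serves both IMAP logins and the gateway's
# SMTP AUTH, so credentials are maintained in exactly one place.
auth_mechanisms = plain login
disable_plaintext_auth = yes
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}
```

After loading this, `postconf -n` on the gateway and `doveconf -n` on the mailstore show the effective settings. A quick check that the split behaves as intended: an `EHLO` on port 25 of the gateway should not advertise `AUTH` at all, while on port 587 `AUTH` should appear only after `STARTTLS`; and the Dovecot auth port should answer connections from the gateway address and nothing else. Jeroen's caveat stands unchanged: if Dovecot is down, the gateway cannot authenticate submissions, but it could not deliver to the mailboxes either.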
