On Tue, Apr 29, 2014 at 12:24:23PM +0200, Sebastian wrote:
> Viktor:
> > Your multi-jail design is necessarily rather complex, and requires
> > attention to detail to get right. A simpler design may be a better
> > idea.
>
> Well to be honest, I used a book by Benedikt Nießen ( www.serverzeit.de )
> to get to where I am now. I guess now it's up to me to find out where I
> shot myself in the foot so to speak.
Your main challenge is to ensure that any required forwarding of mail
between jails does not run into loop detection or IP address conflicts.

If each jail is to be thought of as a separate machine, that just happens
to run on the same set of CPUs and physical network interfaces, and if
these machines are supposed to be able to send email to each other via
SMTP because they host distinct domains, then you need:

- A distinct FQDN $myhostname for each jail that receives email via SMTP,
  that is different from that of all other jails (even those that only
  send, but don't receive SMTP messages). Each jail's $myorigin and
  $mydomain need to be set appropriately, to handle mail for unqualified
  users and hosts. You'll need postmaster aliases, and perhaps also
  aliases for root, and any accounts of jailed services that you want to
  read in one place. The jail's $myorigin (domain of shell user accounts)
  may well be "owned" by another jail.

- A unique set of network addresses as "inet_interfaces" for each jail.

- Appropriate forward/reverse mappings in DNS for each jail's network
  addresses and any MX records for associated domains.

This is all doable, but requires some care to make sure that no
inappropriate evidence of the jails sharing the same hardware breaks the
illusion of separate machines.

-- 
	Viktor.
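Added example, not part of Viktor's message or of Postfix itself: a small Python check that reads one main.cf fragment per jail and reports the two collisions the reply warns about, a $myhostname shared by two jails and an address listed in more than one jail's inet_interfaces (plus a myhostname that is unset or not fully qualified). The three fragments, the jail names and the 192.0.2.0/24 and 2001:db8:: addresses are constructed placeholders; the $name expansion is a simplified imitation of Postfix's own and only covers the parameters shown here.

```python
"""Consistency check for per-jail Postfix main.cf fragments (constructed example)."""
import re
from collections import defaultdict

# Constructed sample: one main.cf fragment per jail. The "relay" jail reuses
# the "www" jail's myhostname and one of its addresses, so the check below
# reports both mistakes. Hostnames and addresses are placeholders.
JAIL_CONFIGS = {
    "mail": """
        myhostname = mail.example.net
        mydomain = example.net
        myorigin = $mydomain
        inet_interfaces = 192.0.2.10, [2001:db8::10]
        alias_maps = hash:/etc/aliases
    """,
    "www": """
        myhostname = www.example.org
        mydomain = example.org
        myorigin = $mydomain
        inet_interfaces = 192.0.2.20
    """,
    "relay": """
        myhostname = www.example.org
        mydomain = example.org
        myorigin = $myhostname
        inet_interfaces = 192.0.2.20, 192.0.2.30
    """,
}

_PARAM = re.compile(r"^\s*([a-z_0-9]+)\s*=\s*(.*?)\s*$")


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict; a repeated name overrides the earlier one."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def expand(value, params):
    """Expand $name references; unknown names become empty (simplified Postfix semantics)."""
    while True:
        new = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), value)
        if new == value:
            return value
        value = new


def split_list(value):
    """Split a comma/whitespace separated Postfix list value."""
    return [v for v in re.split(r"[,\s]+", value) if v]


def find_conflicts(configs):
    """Return human-readable conflict descriptions for a {jail: main.cf text} mapping.

    An empty list means every jail has its own FQDN and its own addresses.
    """
    hosts = defaultdict(list)   # myhostname -> jails claiming it
    addrs = defaultdict(list)   # address    -> jails binding it
    problems = []
    for jail, text in configs.items():
        p = parse_main_cf(text)
        host = expand(p.get("myhostname", ""), p)
        if not host:
            problems.append(f"{jail}: myhostname is not set")
        elif "." not in host:
            problems.append(f"{jail}: myhostname {host!r} is not fully qualified")
        hosts[host].append(jail)
        # Postfix defaults inet_interfaces to "all", which would bind every
        # address on the host and so collide with every other jail.
        for addr in split_list(expand(p.get("inet_interfaces", "all"), p)):
            addrs[addr].append(jail)
    for host, jails in hosts.items():
        if host and len(jails) > 1:
            problems.append(f"myhostname {host!r} shared by jails {sorted(jails)}")
    for addr, jails in addrs.items():
        if addr == "all" and len(configs) > 1:
            problems.append(f"inet_interfaces = all in jails {sorted(jails)} binds every address")
        elif len(jails) > 1:
            problems.append(f"address {addr} listed in inet_interfaces of jails {sorted(jails)}")
    return problems


if __name__ == "__main__":
    for problem in find_conflicts(JAIL_CONFIGS) or ["no conflicts found"]:
        print(problem)
```

Run it against the real /etc/postfix/main.cf of each jail (read the files into the dict instead of the constructed strings) before bringing a new jail up; it does not replace the DNS forward/reverse check, which has to be done against the zone data.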