I think I'm going to need three zones. I could probably get away with two, but for the moment three makes things a little simpler. All three zones are going to run the dtrace-enabled Sendmail, but with different configurations.
A typical network configuration looks like this:
.---------------.
| internal-zone | Internal network
`---------------'
|
=========]|[========= Firewall (port 25 permitted)
|
.---------------.
| relay-zone | DMZ mail relay
`---------------'
|
=========]|[========= Firewall (port 25 permitted)
|
.---------------.
| external-zone | Internet sender/
`---------------' recipient
This is a fairly standard setup. Your internal hosts (one or more instances of "internal-zone") do not have Internet connectivity, but they do have local users that can send and receive e-mail. The
Any mail from an internal-zone host that is bound for an external recipient is first sent to the relay-zone host. Typically there are many of these, usually configured to do perimeter e-mail filtering (anti-spam, anti-virus, attachment filtering, that sort of thing).
A relay-zone host has to route mail both ways. It needs to accept messages from internal hosts and send them on to the next MX hop (possibly queuing them if the next hop is down), and it needs to accept connections from the Internet (i.e., "external-zone" hosts) and forward accepted mail on to the appropriate internal-zone host.
The three zones are going to (reasonably) closely mirror this, although I won't bother with the firewall component.
Per the zonecfg(1M) man page, it doesn't have to be used interactively: you can prepare a file containing the commands to run and hand it to zonecfg with -f.
So I've created three command files and committed them to the repository. I've done this in a different directory from the one that holds the Sendmail code, since these files have nothing to do with the changes that will add DTrace support to Sendmail.
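As an added example (these are not the command files from the post's repository), here is a shell script that generates a zonecfg(1M) command file for each of the three zones and, if you ask it to, applies them with zonecfg and zoneadm. The zone root under /zones, the interface e1000g0 and the 192.168.10.0/24 addresses are assumptions, not taken from the post; substitute your own. The zones share one subnet so that, as the diagram shows, mail can flow internal-zone -> relay-zone -> external-zone and back without any routing in between.

```shell
#!/bin/sh
# Added example: generate zonecfg(1M) command files for the three test zones.
# Assumptions (not from the post): zones live under /zones, are shared-IP
# zones on interface e1000g0, and use the RFC 1918 addresses below.
set -eu

OUTDIR="${OUTDIR:-./zone-configs}"   # where the command files are written
NIC="${NIC:-e1000g0}"                 # physical interface the zones share

# zone_cfg NAME ADDRESS/PREFIX
#   Writes $OUTDIR/NAME.cfg in zonecfg's command syntax and prints its path.
zone_cfg() {
    name="$1"
    addr="$2"
    mkdir -p "$OUTDIR"
    cat > "$OUTDIR/$name.cfg" <<EOF
create
set zonepath=/zones/$name
set autoboot=false
add net
set address=$addr
set physical=$NIC
end
verify
commit
EOF
    echo "$OUTDIR/$name.cfg"
}

# apply_zone NAME
#   Feeds the command file to zonecfg, then installs and boots the zone.
#   Must run as root in the global zone; not executed unless APPLY_ZONES=1.
apply_zone() {
    name="$1"
    zonecfg -z "$name" -f "$OUTDIR/$name.cfg"
    zoneadm -z "$name" install
    zoneadm -z "$name" boot
}

# One file per zone, mirroring the internal / relay / external layout.
# Addresses are assumed; the three zones sit on one /24 so they can
# talk to each other directly (no firewall between them, as in the post).
zone_cfg internal-zone 192.168.10.11/24
zone_cfg relay-zone    192.168.10.12/24
zone_cfg external-zone 192.168.10.13/24

if [ "${APPLY_ZONES:-0}" = 1 ]; then
    for z in internal-zone relay-zone external-zone; do
        apply_zone "$z"
    done
fi
```

Running the script as-is only writes the three files; set APPLY_ZONES=1 and run it as root in the global zone to configure, install and boot the zones. Keeping autoboot off means a reboot of the global zone does not bring up three Sendmail instances you may have forgotten about.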
Greetings,
I hope you realise that you cannot filter packets between zones. The IP Filter config runs in the global zone and does not see packets that zones pass between each other :-( The Sun guys are aware that people need the functionality you mention (at least from my limited reading on the OS forums).
Regards,
Peter
Sydney, Australia
Yeah -- I wasn't planning on actually filtering packets between the zones, but I realise the write up wasn't completely clear on that. I've reworded it a bit to hopefully make it clearer.
Thanks for pointing that out.
[...] And does it work? Well, everything compiles, which is a good start. The next step is to configure the test zones that I created earlier to use the new Sendmail binary. Then testing can start in earnest. [...]
[...] It's now that the multiple zones I created back in day 5 have started to come into their own, and I've made a number of changes to the configuration files in the repository to use them. [...]