slightly OT - my freebsd email topology

Nathan Vidican nvidican at
Thu Apr 5 18:26:16 UTC 2007

Jonathan Horne wrote:
> currently, my email server is just a single box, accepting and sending emails
> from and to the internet.  spamassassin and sendmail, and so far, it works
> satisfactory.
> i would like to change it up, so that i have a pair of servers doing MX from the
> internet, which then passes to an internal server for delivery.  if i do that, i
> could remove spamassassin from the internal server, and run it on just the 2
> external.  all those configurations is really not my issue here... what i'm
> really pondering is how would external servers that are separate from where the
> target mailboxes are, know which addresses are acceptable and which to return a
> 550?
> does anyone have any setups that are similar to this, and could advise me or
> point me in the right direction?
> thanks,
> jonathan
There's really too many variables in your question to provide a good 

Ideally, the 'internal' server should be configured as normal, but not 
exposed on a public interface; sendmail should not be listening for 
incoming connections from anything other than your two 'outside' boxes 
if it has a valid public IP address.

If the previous scenario is true, then all you've really gotta do on 
the 'outside' boxes, is add the domain names for which the 'inside' box 
is going to relay mail for, and set the two outside boxes as MX hosts in 
your public DNS records, while they receive internally the 
hostname/address of the internal MX host.

You could go a step further, by using virtusertable within sendmail to 
redirect incoming mail for a domain to a specific host on the inside 
instead of just relaying, which could provide a more flexible filtering 
mechanism; something like:   %1 at inside-only.server.hostname

Essentially instructing sendmail on the external machine to forward 
along ' at' to ' at inside-only.server.hostname' ... 
or you could go beyond that to only filter specific addresses and error 
out everything else. Well, you get the idea - there's more than one way 
to do this.

You need to really specify your goals more clearly: Are you trying to 
simply offset the load? Are you trying to make a redundant setup for a 
failover setup? Are you trying to be more secure by filtering before 
handling email? Are you trying to avoid having all your eggs in one 
basket? Do you desire a single point of configuration, or are you 
expecting to configure each new account on all servers? These are all 
things you have to consider.

Bottom line is, you need to really sit down and put to thought exactly 
what you're trying to accomplish. If the load created by spamassassin is 
your sole problem - then you can run just spamassassin's filtering 
daemon on another machine - it is capable of running spamd over a 
network (see: spamd/spamc: for more info).

My advice would be to decide exactly what you want to accomplish, then 
come back and ask for further suggestion from this list. There are many 
talented, experienced administrators here - who chances are, have come 
across an almost exact case that could help you out - they all just 
need a little more to go on before they can tell you what they'd do in 
your case. Ultimately, it's up to you and RTFM'ing the heck out of it 
before you implement it in production is always a good choice.

P.S. - sorry if this double-posts, realized I sent from the wrong 
account and tried to cancel - not sure if it did, so figure better two 
copies than none.

Nathan Vidican
nvidican at
Windsor Match Plate & Tool Ltd.
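
One way to produce the "filter specific addresses and error out everything else" variant of the virtusertable approach described in the reply, as an added example that is not part of the original message or of sendmail itself: it forwards each known mailbox to the inside host and gives every other recipient in the domain a 550 at the external MX. The domain example.org, the mailbox list and the function names are constructed for illustration; the inside host name is the one used in the message.

```python
# Added example: generate sendmail virtusertable entries for an external MX.
# example.org and the mailbox list below are constructed sample values.

INSIDE_HOST = "inside-only.server.hostname"    # host name used in the message
REJECT = "error:nouser 550 No such user here"  # virtusertable error form


def build_virtusertable(valid_addresses, domains, inside_host=INSIDE_HOST):
    """Return virtusertable lines: one forward per known mailbox, then a
    catch-all reject per domain so unknown recipients get a 550 at the edge."""
    domains = {d.lower() for d in domains}
    forwards = {}
    for addr in valid_addresses:
        local, sep, domain = addr.strip().lower().rpartition("@")
        bad_local = not local or any(ch.isspace() for ch in local)
        if not sep or bad_local or domain not in domains:
            raise ValueError(f"not a mailbox in a handled domain: {addr!r}")
        # A dict keyed on the full address drops duplicate mailbox entries.
        forwards[f"{local}@{domain}"] = f"{local}@{inside_host}"
    lines = [f"{key}\t{value}" for key, value in sorted(forwards.items())]
    lines += [f"@{d}\t{REJECT}" for d in sorted(domains)]
    return lines


def resolve(lines, recipient):
    """Mimic the lookup order: exact address first, then the @domain entry.
    Returns None when the domain is not in the table at all."""
    table = dict(line.split("\t", 1) for line in lines)
    recipient = recipient.strip().lower()
    domain = recipient.rpartition("@")[2]
    return table.get(recipient) or table.get(f"@{domain}")


if __name__ == "__main__":
    sample = ["jonathan@example.org", "Postmaster@example.org"]  # constructed
    for line in build_virtusertable(sample, ["example.org"]):
        print(line)
```

sendmail only consults virtusertable for domains in class {w} or {VirtHost}, and the generated text has to be compiled with makemap before it takes effect.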
