Routing scheme of clustered mail system under internal and external physical isolation

1 Overview

There are many schemes for interconnecting internal and external mail servers so that they can exchange mail in an environment where the internal and external networks are physically isolated: point-to-point communication between two servers through UUCP, PPP communication through the servers' serial ports, a soft-switching mode through a dual-card fortress host, and so on. The most fundamental requirement is that the system operates safely, reliably and practically. In addition, it should be highly automated and keep manual intervention to a minimum.

After investigating the existing network environment, a good approach is to form a mail isolation zone from a fortress host plus internal and external mail cache servers. The fortress host is connected to the internal and external networks through two network cards, and the IP forwarding function of its operating system kernel (Linux) is turned off, so that internal and external communication is completely disconnected at the network layer. Internal and external mail data is exchanged by the application through the fortress host's file system. At the same time, a timer switches the internal card (eth1) and the external card (eth0) on and off in turn, forming a network soft switch that guarantees isolation at the application layer. In addition, the internal and external mail cache servers form a mail buffer that protects the data.

The fortress host mode does not require any change to the existing network configuration. Installing two network cards in an existing IBM xserver232 host is all the hardware configuration needed. Mail data exchange is fast (limited by the network transmission speed), which can basically meet current and future requirements.

2 Network architecture

The basic architecture is shown in the following figure (base system environment: Red Hat 7.3 + qmail):

Figure: mail isolation zone (DMZ) composed of three servers

3 Detailed design

3.1 Network configuration

The isolation zone consists of three PC servers: one fortress host and two mail cache servers. Suppose the IP addresses are configured as follows:

Fortress host:

External card: eth0:

Internal card: eth1:

External cache server:

Internal cache server:

External mail servers (two): and

Internal mail server (one):

3.2 Server functions

(1) Fortress host: connects the two networks through two network cards and exchanges data through its file system.

Figure: fortress host

(2) Mail cache servers: internal and external mail is stored temporarily and then forwarded at regular intervals.

(3) External mail server: receives external mail and forwards internal mail.

(4) Internal mail server: receives internal mail and forwards external mail.

3.3 Mail routing path

3.3.1 Process for the internal mail server sending mail

3.3.2 Process for the external mail server forwarding external mail

4 Implementation

4.1 Mail store-and-forward mode (receiving mail)

All mail belonging to the local domain is delivered to a specific directory; a forwarding program is called at regular intervals to forward it to the next server.

Forwarding program: send-local-mail (provided by Chundi company, written in C, supporting the SMTP and QMTP protocols)

4.2 Mail routing mode (outgoing mail)

All mail that does not belong to the local domain is forwarded to the next server (along a specified routing path).

Forwarding program: send-remote-mail (provided by Chundi company, written in C, supporting the SMTP and QMTP protocols)

4.3 Server system configuration files

The configuration fragments in this section are only partially legible in the source; the domain names, IP address ranges and some crontab time fields are missing and are left blank rather than guessed.

Virtual domain entry and crontab (cache server):

    : intramail

    * * * root /send-local-mail
    0 * * root /connect-internet
    30 * * root /root/connect-intranet

Fortress host soft switch (the two scripts called from cron):

    connect-internet: ifconfig eth0 down; ifconfig eth1 up
    connect-intranet: ifconfig eth0 up; ifconfig eth1 down

Note: section 3.1 defines eth0 as the external card and eth1 as the internal card, so the commands inside these two scripts appear to be swapped relative to their names; verify the card assignment before deploying.

SMTP relay control (/etc/tcp.smtp, name recovered from the garbled source): only the internal 192.168.0.x range is allowed to relay:

    192.168.0.:allow,RELAYCLIENT=""

Crontab of the server running send-remote-mail:

    # cat /etc/crontab
    * * * * root /root/send-remote-mail

.qmail-default

    : extramail
    : intramail

    * * * root /root/send-remote-mail
    * * * * root /root/send-local-mail
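The soft switch above relies on two invariants that the page states but the two one-line scripts do not check: kernel IP forwarding stays off, and the two cards are never up at the same time (and, per section 6, a switch must not happen mid-transfer). The following sh script is an added example written for this page, not the Chundi forwarding programs or the original scripts; the lock directory name, the DRY_RUN variable and the check functions are this example's own conventions.

```shell
#!/bin/sh
# Added example: a fail-closed version of connect-internet / connect-intranet.
# eth0 = external card, eth1 = internal card (as defined in section 3.1).
LOCKDIR="${LOCKDIR:-/var/lock/mailxfer}"        # assumed: held by send-local-mail / send-remote-mail while copying
IPFWD="${IPFWD:-/proc/sys/net/ipv4/ip_forward}"  # kernel forwarding switch
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print the ifconfig commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Refuse to touch the cards if the kernel could route between them.
check_forwarding_off() {
    [ -r "$IPFWD" ] || return 1
    [ "$(cat "$IPFWD")" = "0" ]
}

# A transfer is idle when the lock directory does not exist.
transfer_idle() { [ ! -d "$LOCKDIR" ]; }

# switch_side internet|intranet
# Brings the other card DOWN before bringing the wanted card UP, so at no
# instant are both links live; both pre-checks must pass first.
switch_side() {
    case "$1" in
        internet) down=eth1; up=eth0 ;;
        intranet) down=eth0; up=eth1 ;;
        *) echo "usage: switch_side internet|intranet" >&2; return 2 ;;
    esac
    check_forwarding_off || { echo "refusing: ip_forward is not 0" >&2; return 1; }
    transfer_idle       || { echo "refusing: transfer in progress ($LOCKDIR)" >&2; return 1; }
    run ifconfig "$down" down && run ifconfig "$up" up
}

# Stand-alone use from cron:  connect-internet -> "switch.sh internet"
if [ $# -gt 0 ]; then switch_side "$1"; fi
```

The forwarding programs are expected to create the lock directory (mkdir is atomic) before copying and remove it afterwards, which turns the "exchange interval >= transfer time" precaution into an enforced rule rather than a tuning guideline.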

4.4 Mail routing path

received mail: a (...)

5.1 Safe and reliable

Dual-card soft switch: hardware isolation; network-layer isolation; application-layer security verification

5.2 High mail exchange efficiency

Ethernet-based communication, 10M-100M/s

5.3 Distributed architecture with strong scalability

The mail routing table can be modified at any time, and isolation buffer servers can be added or removed at any time.

5.4 Fully automatic operation without manual intervention, reducing human error

The system timer triggers the mail routing and forwarding programs at regular intervals without manual intervention.

5.5 The data synchronization cycle and frequency can be changed at any time according to need and mail volume

This provides more convenient and flexible options.

5.6 Used together with the mail system monitoring program, it can monitor the mail data flow and track the system's operating status at any time

5.7 Reserved call interfaces for a mail filter program and a virus scanner, which can realize system-level spam filtering and virus scanning

6 Precautions

* The IP addresses above are assumed addresses; the actual values must be specified according to SIIM's network environment at implementation time.

* Minimum mail data exchange interval >= the time required to transfer the mail data of one exchange cycle.

7 Conclusion

The mail isolation system based on a fortress host is a convenient and easy way to realize reliable exchange between internal and external mail systems while guaranteeing absolute internal security. Many security schemes are based on a fortress host; there are many successful cases, and the implementation carries no technical risk. (End)

Copyright © 2011 JIN SHI