Coupling of two server (Master/Slave): Best way?


Post by M*I*B » 2020-05-07 21:23

Greetings all together ...

... what is the best way to couple two servers as Master/Slave?

I would like to couple a Master, working as a real MX like most, and a 2nd one as Slave, working on an intranet. All communication has to go over the internal slave (in-house and the whole world), and this one gives it to the master if a mail has to go outside the intranet (and vice versa).

Is there a "best practice" for doing this? And if so, where can I read all about how to configure all the stuff?
... with much greetings ...

Micha


Post by mattg » 2020-05-07 23:37

Set an SMTP Relayer on the first server and point it to the second server

Same the other way around for incoming mail if you want the external facing server to handle internet requests
(or perhaps individual SMTP routes for each of multiple domains)

On the external facing server have NO domains or accounts

Does this mean that regular users from physically outside your organisation won't be checking their IMAP or POP3 mail? If they were, the mail clients would need to point to the internal server.
Can be done with clever routing

What is the advantage that you see?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by M*I*B » 2020-05-08 07:51

Good Morning ...

... and thank you for this presentation.

First of all the advantages and necessities:
We have a fairly high internal mail volume because the document management is based on it. Sending these documents outside and then back again makes no sense and also represents an unnecessary security risk.

But now to the problem that arises from this configuration:
If the WAN-MX does not have a domain and accounts, then the employees cannot access their messages. These are only selected employees who have access at all, but that is also required. To be honest, I don't like drilling additional "holes" in the LAN especially for this process.

I would much prefer that the WAN-MX contains the accounts and also does all the things like spam filters, virus filters, ... so that no dangerous data can reach the LAN-MX.
I honestly don't understand how mails from the world are received via the WAN-MX relay if the WAN-MX knows neither its domain nor a user? What happens if I use the LAN-MX as a relay and if both servers have identical domain / user configurations?
... with much greetings ...

Micha


Post by mattg » 2020-05-08 09:36

M*I*B wrote:
2020-05-08 07:51
What happens if I use the LAN-MX as a relay and if both servers have identical domain / user configurations?

A user on the LAN side moves a message via IMAP, or deletes it from the server in POP3, how does the WAN side know?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by M*I*B » 2020-05-08 11:08

:roll: you are right; haven't seen that :lol:
... with much greetings ...

Micha


Post by M*I*B » 2020-05-10 10:34

Ok, a question has not yet been answered; I don't understand one thing here:

Question 1:
If the WAN mail server serves as a pure relay and there are no domains or users entered, how does that work? How does the mail server know that it is responsible if an external mail arrives at User-A, but User-A is not defined in the relay, but on the LAN mail server?

Question 2:
What happens if you do it the other way around? So if I configure the WAN mail server with domain and users and run the LAN mail server as a relay?
If I guess to question 1, that relay at the master asks whether the user is known, then it should work the other way round, or not?
... with much greetings ...

Micha


Post by SorenR » 2020-05-10 11:16

Relay servers don't care about users, only domains.

Relay servers only know local domain(s) and/or routed domain(s).

If you create "acme.inc" locally and at the same time create a route to "acme.inc" on another server, the other server becomes an "overflow" server; any users not known locally are routed to the other server.

So if you have 3 offices you can have 3 servers where 1 server receives from the internet and routes to the next, which will route to the next, which will route to the next.... In theory 😏
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke


Post by M*I*B » 2020-05-10 11:57

... ok, I will repeat in my own words and then let's see if I have understood it right...

On the external Server, where the Website of the Company also resides, I install hMail without entering a domain name under "/Domains". Then I go to "/Settings/Protocols/SMTP/Routes/" and set a Route to the local hMail. Here I enter the Company's Domain name that I normally enter under /Domains, the IP of the Company as "Target SMTP Host:Port". What do I then have to do with the two options (... treat sender/recipient as /local/remote)? Both as remote, where "remote" means the hMail in our company's LAN?

On the internal Server in our LAN I set under "Settings/Advanced/Incoming Relays/" the Name and the IP of the outside Relay that I have set up in the 1st part, where "Name" is any I like and the lower and upper IP is the same (only a single Relay)?

Is that right at this point?

Which one then does the Spam/AV Job? Can the Relay do that the same as in normal use of the server?

What about the Ports under "Settings/Advanced/TCP/IP ports"? Which of them can I delete?

And what will go on if I set a webmail (i.e. RoundCube) to the relay (at localhost)? The Relay doesn't know about users... so does it ask the master so that webmail will work as normal?


Sorry if there are maybe some dumb questions, but I'm very unsure with that and can't test it out before. It has to run from scratch to prevent trouble with my boss...
... with much greetings ...

Micha


Post by SorenR » 2020-05-10 14:19

M*I*B wrote:
2020-05-10 11:57
... ok, I will repeat in my own words and then let's see if I have understood it right...

On the external Server, where the Website of the Company also resides, I install hMail without entering a domain name under "/Domains". Then I go to "/Settings/Protocols/SMTP/Routes/" and set a Route to the local hMail. Here I enter the Company's Domain name that I normally enter under /Domains, the IP of the Company as "Target SMTP Host:Port". What do I then have to do with the two options (... treat sender/recipient as /local/remote)? Both as remote, where "remote" means the hMail in our company's LAN?

On the internal Server in our LAN I set under "Settings/Advanced/Incoming Relays/" the Name and the IP of the outside Relay that I have set up in the 1st part, where "Name" is any I like and the lower and upper IP is the same (only a single Relay)?

Is that right at this point?

Which one then does the Spam/AV Job? Can the Relay do that the same as in normal use of the server?

What about the Ports under "Settings/Advanced/TCP/IP ports"? Which of them can I delete?

And what will go on if I set a webmail (i.e. RoundCube) to the relay (at localhost)? The Relay doesn't know about users... so does it ask the master so that webmail will work as normal?


Sorry if there are maybe some dumb questions, but I'm very unsure with that and can't test it out before. It has to run from scratch to prevent trouble with my boss...

"Local" and "Remote" ... The associated HELP refers to "local" and "external" (typo??). Anyway, "local" and "external" refer to IP Range settings. "Local" = MY domain, "external" = everybody else :wink:
Security
When a person tries to send an email where the recipient matches a route, hMailServer will use IP ranges and the security settings in the route to determine whether the delivery should be made. Using the two security settings, "When sender matches route" and "When recipient matches route", you specify whether the sender and recipient should be seen as local or external. Combined with the settings in the IP ranges, this specifies when deliveries should be permitted, and whether or not SMTP authentication is required.

If you configure hMailServer to treat recipients matching the route as local addresses, and IP ranges does not permit deliveries to local addresses, the delivery will not be accepted by hMailServer. In the same manner, if you configure the recipient to be treated as external, and the IP ranges specifies that SMTP authentication is required for deliveries to external addresses, hMailServer will require SMTP authentication before accepting the delivery.

Examples:
If you want external users (users on other email servers) to be able to send email to the route, select that "When recipient matches route, treat recipient as local". The default IP ranges in hMailServer permits delivery from external addresses to local addresses without any SMTP authentication.
If you only want local users to be able to deliver messages to the route, select that the recipient should be treated as an external domain. By default, the IP ranges in hMailServer does not permit deliveries from external users to external recipients without the use of SMTP authentication.
In short I would assume sender = "External/Remote" and recipient = "Local" but it depends on your IP Range configuration WRT authentication on your "Outside hMailServer".

"Outside hMailServer" = Incoming Relay on "Inside hMailServer". When I had a Backup MX (Incoming Relay), I had a special IP Range just for that IP address with ONLY SMTP active (and antivirus/spam/etc) and a priority higher than the AutoBan priority - just in case :wink:

"Outside hMailServer" should only need port 25 (TLS optional) for incoming Internet mail and e.g. 465 SSL/AUTH for parsing mails from "Inside hMailServer" to the World.

Roundcube ... Well ... will need to connect to your "Internal hMailServer" on IMAP and SMTP. Roundcube supports SSL and you are free to define your own custom ports for IMAP and SMTP.

My public Roundcube is on Apache/Linux and we all know Linux does not support DCOM. Well, @tunis (a user on this forum) made custom plugins for Roundcube on Linux to have Apache speak to IIS on hMailServer. Benefit is I can use a non-standard port for my DCOM stuff.
My IIS server is blocked from general Internet and is internal only.

https://github.com/tunis78
The password driver is not on GitHub but I have a copy of it on my servers.

WRT scripts/Anti-Spam/Anti-Virus I believe you can choose either one however most scripting would probably be on the "Internal hMailServer".
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke
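
The route security decision quoted from the help text in the post above, as an added example that is not part of the thread and is not hMailServer code: a simplified Python model of how the two route settings combine with an IP range to accept a delivery, demand SMTP authentication, or reject it. The class and function names, the domain example.com and the IP range values are assumptions constructed for illustration.

```python
# Simplified model of the route security decision described in the help text.
# Not hMailServer code: class names, example.com and range values are constructed.
from dataclasses import dataclass

LOCAL, EXTERNAL = "local", "external"

@dataclass
class Route:
    domain: str
    sender_as: str     # "When sender matches route" setting
    recipient_as: str  # "When recipient matches route" setting

@dataclass
class IPRange:
    allow: set         # (sender class, recipient class) pairs that may be delivered
    require_auth: set  # pairs that additionally need SMTP authentication

def classify(address, local_domains, routes, side):
    """Class of an address: local domain, else the matching route's setting, else external."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return LOCAL
    for route in routes:
        if route.domain == domain:
            return route.sender_as if side == "sender" else route.recipient_as
    return EXTERNAL

def decide(sender, recipient, ip_range, local_domains, routes, authenticated=False):
    """Return 'accept', 'auth-required' or 'reject' for one delivery attempt."""
    pair = (classify(sender, local_domains, routes, "sender"),
            classify(recipient, local_domains, routes, "recipient"))
    if pair not in ip_range.allow:
        return "reject"
    if pair in ip_range.require_auth and not authenticated:
        return "auth-required"
    return "accept"

ALL_PAIRS = {(s, r) for s in (LOCAL, EXTERNAL) for r in (LOCAL, EXTERNAL)}
# Constructed range consistent with the defaults the help text states:
# external -> local needs no auth, external -> external does.
INTERNET = IPRange(allow=ALL_PAIRS, require_auth=ALL_PAIRS - {(EXTERNAL, LOCAL)})
# Outside server with no local domains, only a route for the company domain.
INBOUND = [Route("example.com", sender_as=EXTERNAL, recipient_as=LOCAL)]
# Same route, but only authenticated clients may deliver to it.
LOCAL_ONLY = [Route("example.com", sender_as=EXTERNAL, recipient_as=EXTERNAL)]

if __name__ == "__main__":
    for routes in (INBOUND, LOCAL_ONLY):
        print(decide("someone@other.test", "user@example.com", INTERNET, set(), routes))
    # A third-party recipient from an unauthenticated client must not be relayed.
    print(decide("someone@other.test", "rcpt@third.test", INTERNET, set(), INBOUND))
```

With the recipient treated as local, Internet mail for the routed domain is accepted without authentication, while mail for any other domain still requires authentication, so the outside server does not relay for strangers.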


Post by M*I*B » 2020-06-02 13:36

... sorry for the late response; much to do and also some things inside my family ...

Friday, 19. June is the day of the truth :roll:
I hope I have understood everything well. I don't have the "problems" with Linux, because the WAN and the LAN Servers are both WIN.

There are so many places where you can enter information on the external or internal server that I'm really unsure about all the stuff... Also my bad English skill is a problem... So here is what I have done meanwhile:


EXTERNAL:

* \Domains\
- Enter the domain and the other names for it as aliases
- Leave Accounts, Aliases, Distribution lists untouched/empty

* \Settings\Protocols\SMTP\[Delivery of e-mail]
- Set "Local host name" to "localhost"
- Set "Remote host name" to the IP/PORT of the INTERNAL
- Set authentication and SSL

* \Advanced\Incoming relays\
- Create entry for the INTERNAL with same lower- and upper IP

* \Advanced\TCP/IP Ports\
- Only leave SMTP for port 25 and 587; delete all other

~ ToDo: SSL certificates if running


INTERNAL:

* \Domains\
- Enter the domain and the other names for it as aliases (same as EXTERNAL)
- Enter all the accounts we like to use incl. Aliases and Distribution Lists

* \Settings\Protocols\SMTP\[Delivery of e-mail]
- Set "Local host name" to "localhost"
- Set "Remote host name" to the IP/PORT of the EXTERNAL
- Set authentication and SSL

* \Settings\Protocols\SMTP\Routes\
- Create an entry for all the Domains that are used in EXTERNAL under \Domains\

* \Advanced\Incoming relays\
- Create entry for the EXTERNAL with same lower- and upper IP

* \Advanced\TCP/IP Ports\
- Leave untouched

~ ToDo: SSL certificates if running

... is that right up to this point???
... with much greetings ...

Micha
