Viktor Dukhovni:
> On Tue, Apr 29, 2014 at 12:24:23PM +0200, Sebastian wrote:
> > Viktor:
> > > Your multi-jail design is necessarily rather complex, and requires
> > > attention to detail to get right. A simpler design may be a better
> > > idea.
> >
> > Well to be honest, I used a book by Benedikt Nie?en ( www.serverzeit.de )
> > to get to where I am now. I guess now it's up to me to find out where I
> > shot myself in the foot so to speak.
>
> Your main challenge is to ensure that any required forwarding of
> mail between jails does not run into loop detection or IP address
> conflicts.
>
> If each jail is to be thought of as a separate machine, that just
> happens to run on the same set of CPUs and physical network
> interfaces, and if these machines are supposed to be able to send
> email to each other via SMTP because they host distinct domains,
> then you need:
>
> - A distinct FQDN $myhostname for each jail that receives email
> via SMTP, that is different from that of all other jails
> (even those that only send, but don't receive SMTP messages).
>
> Each jail's $myorigin and $mydomain need to be set appropriately,
> to handle mail for unqualified users and hosts. You'll need
> postmaster aliases, and perhaps also aliases for root, and
> any accounts of jailed services that you want to read in one
> place. The jail's $myorigin (domain of shell user accounts)
> may well be "owned" by another jail.
>
> - A unique set of network addresses as "inet_interfaces" for
> each jail.
>
> - Appropriate forward/reverse mappings in DNS for each jail's
> network addresses and any MX records for associated domains.
>
> This is all doable, but requires some care to make sure that no
> inappropriate evidence of the jails sharing the same hardware
> breaks the illusion of separate machines.
Additionally, appropriate inet_interfaces settings for the "global"
environment (i.e. non-jail) so that it does not listen on all IP
addresses (which is the Postfix default).
This may not be an issue anymore, but it was an issue with early
jail implementations where the default Postfix inet_interfaces
setting would listen on the IP addresses of jailed environments.
Wietse
