Email server deploy on public or private ip

Started by veer singh, July 09, 2016, 12:10:01 PM


veer singh

Where is a mail and web server kept? Is it placed inside the LAN configured with a private IP, or should it be configured with a public IP?

deanwebb

Moved to security...

If you have an email server hosted in your data center, it will have an IP address for that local network, which will be a private IP.

The firewall will then be set up to forward traffic. When someone contacts your public IP on port 25 (SMTP), the firewall will send that traffic to the private IP for the email server.

For your internal DNS, your mailserver record will point to the internal IP address. For the external DNS, the mailserver record will point to the public IP address.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

veer singh

First, I thank you for your quick reply. I am taking a small office network. It has an email and a web server inside the LAN. The LAN is connected to the LAN port of the router. All machines inside the LAN are configured with private IPs. The router's WAN port is configured with a public IP. The router will do port forwarding for any request coming to this public IP on port 25 or 80, and it will reach that mail/web server. In this scenario we cannot have two or more mail/web servers inside the LAN. And why do we need a DNS server in our LAN if we have a registered domain?

veer singh

For the comment 'external DNS, the mailserver record will point to the public IP address', I have one query: which device (router, firewall, etc.) is assigned this public IP that the MX record in DNS points to, or is this IP used only for forwarding without being assigned to any device?

deanwebb

There needs to be a firewall between the LAN and the Internet. It can be in front of or behind the router, but there needs to be a firewall.

There can be more than one email or web server, even with only one IP address: either use clustering or have different ports associated with the public IP address for different servers. In the email example, port 25 could be for the first server, port 25025 for the second server, port 26033 for the third, and so on.

However, with this being a small office, there is likely only a need for one server of each type, so the limitation is not a damaging one.

You do not want all your internal resources exposed to the public Internet. Therefore, you will need an internal DNS server.

To explain the last point a bit more... say your external IP address is 200.1.1.1. The router has that as the IP address of its Internet-facing port. Both the A and MX records can use that IP address. Mailservers will contact the MX IP address on port 25, so that can be forwarded back to the internal mail server. www.yourcompany.com can resolve to that IP address, but traffic on ports 80 and 443 can be forwarded internally.

veer singh

OK, I am taking one diagram here having 3 mail servers. Now my objective is to access all three servers from the Internet.
Now the MUA (e.g. Thunderbird or Outlook) will send mail to the SMTP server. The SMTP server will relay mail to the MTA. Now the MTA will resolve the IP of domain myexaple.no-ip.org, i.e. 8.3.2.45, and at last will send mail to IP 8.3.2.45 on port 25. And this IP 8.3.2.45 is the router's WAN port's public IP, and this IP + port, i.e. 8.3.2.45:25, is mapped to IP + port 192.168.1.20:25. So this mail will reach the 192.168.1.20 mail server.
So in this case we are not able to access mail servers 192.168.1.30 and 192.168.1.40.

And the problem here is that MTAs always send mail on port 25 in the case of SMTP, not SMTPS.
If the MTA knew that the router is configured on port 25025 and sent mail to IP 8.3.2.45 on port 25025, then mail would reach this mail server 192.168.1.30. But practically MTAs don't know what ports are configured on the router to reach 192.168.1.30 or 192.168.1.40.
So this is the problem here.
Now if we are taking a DNS server inside the LAN, I am not getting what MX entries this DNS server will have, and who is making DNS queries to this DNS server. And how is this LAN DNS going to help?
Thanks :) :)

Screenshot file attached is not opening, so attaching doc file having network diagram for above description.

deanwebb

Well, if all three servers need to be reachable from the Internet, are they servicing the same domain or different domains? If the same domain, they can be clustered in a round-robin fashion as per vendor recommendations.

veer singh

I am not very clear about the domain. But as per my understanding, here in the diagram the public IP 8.3.2.45, which is resolved by the second-level DNS server, is representing the domain. Please let me know if my understanding is correct here.
So they are in the same domain. If they are in the same domain, then can we use a subdomain for each individual mail server?

What is round robin clustering here?

Could you please explain, in the network diagram I previously attached, how to get these servers accessed from the Internet, and whether anything needs to be changed in the diagram or added to it?

deanwebb

Subdomains can be used for the other servers.

Round Robin clustering means that all the servers will respond to traffic bound to the mail server, but a load balancer will distribute the traffic across each member of the cluster.

veer singh

In the clustering case all three mail servers will behave as a single server, meaning any mail server is able to receive the same mail. But we don't want that.

We are taking a name for each mail server, e.g. mail1.myexaple.no-ip.org, mail2.myexaple.no-ip.org, mail3.myexaple.no-ip.org.

mailserver1 has users u1@mail1.myexaple.no-ip.org, u2@mail1.myexaple.no-ip.org.

mailserver2 has users u1@mail2.myexaple.no-ip.org, u2@mail2.myexaple.no-ip.org.

mailserver3 has users u1@mail3.myexaple.no-ip.org, u2@mail3.myexaple.no-ip.org.

This is the scenario we want to achieve.

deanwebb

That's a bad implementation of email. I used to support Microsoft Exchange, and I know that a cluster of email servers can handle traffic for a subdomain, like mail1, mail2, and mail3 are at myexample.no-ip.org.

This is where it becomes important to ask if this is a homework problem or an actual workplace issue. If homework, then the question is asked in this way so as to prove an elegant point. If it is the real world, then set up the cluster and be done with it.

If, however, the domains are a.com, b.com, and c.com, totally different address spaces with nothing in common, then each needs its own public IP. Then it becomes a bit of a routing issue on the firewall, but it can handle separating the traffic flows for each domain.
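The delivery path discussed in this thread (MX lookup, then a connection to port 25, then the router's port-forward table) can be modelled in a few lines. This is an added example with constructed data, not part of the original posts: it reuses the diagram's 8.3.2.45 and 192.168.1.x addresses, and the 203.0.113.x addresses for the one-public-IP-per-server case are placeholder documentation addresses.

```python
"""Model of an Internet MTA delivering to a NATed LAN (constructed sample data).
The MTA resolves the recipient domain's MX, then the MX host's A record, and
always connects on port 25; the router's DNAT table then picks the LAN host."""

SMTP_PORT = 25  # MTAs do not learn non-standard ports from DNS MX/A records

def deliver(dns, forwards, recipient):
    """Return the (ip, port) that finally accepts mail for `recipient`, or None.

    dns:      {"MX": {domain: mx_host}, "A": {host: ip}} for one DNS view
    forwards: router DNAT table {(public_ip, public_port): (private_ip, port)};
              a private destination (internal DNS view) needs no translation.
    """
    domain = recipient.split("@", 1)[1]
    target_ip = dns["A"][dns["MX"][domain]]
    if target_ip.startswith("192.168."):          # LAN client: direct delivery
        return (target_ip, SMTP_PORT)
    return forwards.get((target_ip, SMTP_PORT))   # None if port 25 is not forwarded

SERVERS = {"mail1": "192.168.1.20", "mail2": "192.168.1.30", "mail3": "192.168.1.40"}
HOSTS = {f"{name}.myexaple.no-ip.org": ip for name, ip in SERVERS.items()}
MX = {host: host for host in HOSTS}               # each subdomain is its own MX

# Internal DNS view: names resolve straight to the private addresses.
INTERNAL_DNS = {"MX": MX, "A": HOSTS}

# External DNS view with a single public IP (the diagram's 8.3.2.45 for every name).
ONE_IP_DNS = {"MX": MX, "A": {host: "8.3.2.45" for host in HOSTS}}
ONE_IP_FORWARDS = {
    ("8.3.2.45", 25):    ("192.168.1.20", 25),   # only one LAN host can own port 25
    ("8.3.2.45", 25025): ("192.168.1.30", 25),   # remote MTAs never use these ports
    ("8.3.2.45", 26033): ("192.168.1.40", 25),
}

# External view with one public IP per server (constructed placeholder addresses);
# each public IP forwards port 25 to its own LAN host, so every server is reachable.
PUBLIC_IPS = dict(zip(HOSTS, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]))
PER_IP_DNS = {"MX": MX, "A": PUBLIC_IPS}
PER_IP_FORWARDS = {(pub, 25): (HOSTS[host], 25) for host, pub in PUBLIC_IPS.items()}

if __name__ == "__main__":
    for rcpt in ("u1@mail1.myexaple.no-ip.org", "u1@mail2.myexaple.no-ip.org"):
        print(rcpt,
              "| one IP:", deliver(ONE_IP_DNS, ONE_IP_FORWARDS, rcpt),
              "| per IP:", deliver(PER_IP_DNS, PER_IP_FORWARDS, rcpt),
              "| LAN:", deliver(INTERNAL_DNS, {}, rcpt))
```

With one public IP, mail for mail2 and mail3 lands on 192.168.1.20 because the sending MTA only ever targets port 25; with a public IP per server, or from inside the LAN using the internal DNS view, each recipient reaches its own server.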

veer singh

Could you please provide some references, web links, or books for this kind of LAN server scenario, so I can go through them and understand more complex and more practical server installation scenarios?
Thanks for your relevant help.

deanwebb

I would recommend looking over vendor-specific whitepapers and knowledge base articles. What works for Microsoft is likely not going to be the same solution for RedHat.


deanwebb

Quote from: veer singh on July 12, 2016, 12:54:18 PM
Where should I look for this.

Vendor websites, typically in the support area of the website. Google searches with appropriate keywords can also produce good results. This forum will deal mostly with the networking aspects of IT, so we'll likely be light in our current knowledge of system administration specifics, but we also have experience in knowing what's out there and what seems to work OK.

For example, I know that Exchange can be clustered. I don't know what commands to use or what the exact demands are in terms of switching and cabling, but I'm sure that if I queried Google on "Microsoft Exchange cluster setup", I'd get some good results... in fact, I just did that and discovered that such a thing is called a "Database Availability Group". I would continue reading and searching and then testing with my lab gear until I had something that looked and felt like what I wanted.