Slide 1: A Modular Architecture Using Open Source Components
Presented to MVMRUG, April 22, 2005
Scott Courtney, Sine Nomine Associates
Slide 2: Functional Goals
- SMTP inbound and outbound mail
- POP3 and IMAP4 mailbox delivery
- Webmail
- Spam blocking
- Virus scanning and blocking
- Multiple virtual domains
- Scalable to 500K users
Slide 3: Architectural Goals of System
- Centralized user authentication, profiles
- Virtual user accounts (no shell accounts)
- Modular deployment from server templates
- Horizontally scaling
- Near-instantaneous failover where practical
- Centralized backup
- Centralized logging
- Deploy on low-cost Intel hardware or VM/Linux, or mix platforms
Slide 4: Design Overview
[Diagram: Internet, Webmail, SMTP out, SMTP in, Bounces, Clients (users), POP/IMAP proxy, mailbox servers (mbox), DNS, LDAP]
- Arrows show direction of service request, not necessarily data flow
- "SMTP in" is actually three layers
- Webmail behaves like a user client, conceptually "outside the box"
- DNS and LDAP connect to everything (not all shown here)
- Admin and backup servers omitted for clarity
Slide 5: Network Overview
[Diagram: User (client) hosts -> Public Internet -> FW/Router -> Modular System]
- Details of network architecture are not part of this presentation.
Slide 6: SMTP Inbound -- Details
[Diagram: RBL (SMTP out) -> Spam Filter -> Virus Filter -> mailbox servers (mbox); LDAP lookup of destination]
- Inbound connections distributed by simple round-robin DNS
- Filters can go offline for scheduled maintenance after letting queue drain
- Philosophy: Block before scan; Scan before route
- No spam, virus bounce
- Early or late lookup of valid destination
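As an added illustration (not the presenter's code), the inbound ordering above modelled as one policy function; the directory contents, the DNSBL zone name and the addresses are constructed stand-ins for the LDAP and RBL lookups the slide describes:

```python
"""Constructed model of the inbound SMTP policy on the slide above: block
(RBL) before scan, scan before route, no bounce for spam or viruses.
Not the presenter's code; the directory and RBL data below are made up."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the LDAP directory: address -> mailbox host
# (the deck routes to the mailbox host by an LDAP attribute).
DIRECTORY = {"alice@example.com": "mbox1.internal",
             "bob@example.com": "mbox2.internal"}
# Constructed stand-in for a DNSBL zone and the client addresses it lists.
RBL_ZONE = "dnsbl.example.invalid"
RBL_LISTED = {"198.51.100.7"}

def rbl_query_name(client_ip: str, zone: str = RBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_listed(client_ip: str) -> bool:
    """Offline stand-in for resolving rbl_query_name(): a listed address
    would answer with an A record (conventionally 127.0.0.x), others NXDOMAIN."""
    return client_ip in RBL_LISTED

@dataclass
class Verdict:
    code: int    # SMTP reply code: 250 accept, 550 refuse during the dialogue
    action: str  # "reject" or "route:<mailbox host>"

def inbound_policy(client_ip: str, rcpt: str,
                   is_spam: bool, has_virus: bool) -> Verdict:
    """Decide a message's fate in the deck's order. Every refusal is a 5xx
    reply to the connecting client, so this system never generates a bounce
    for spam or viruses (no backscatter)."""
    # 1. Block before scan: listed clients are refused before any scanner runs.
    if rbl_listed(client_ip):
        return Verdict(550, "reject")
    # 2. Early lookup of valid destination: unknown users are refused at
    #    RCPT TO time, so the sender's MTA, not this system, reports failure.
    host = DIRECTORY.get(rcpt.lower())
    if host is None:
        return Verdict(550, "reject")
    # 3. Scan before route: spam and viruses are refused, never bounced.
    if has_virus or is_spam:
        return Verdict(550, "reject")
    # 4. Route to the mailbox host named by the directory attribute.
    return Verdict(250, "route:" + host)
```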
Slide 7: Virus and Spam Removal
Method 1: Direct Daemon
- SpamAssassin, ClamAV, or similar tools listen on TCP ports
- May be on dedicated server separate from MTA
- Simpler configuration and fewer points of failure than with amavisd-new
- Scanning closely coupled to MTA configuration
Method 2: amavisd-new
- amavisd-new listens on TCP port, runs spam and/or virus scan from exec() call or API function call, or shells out
- amavisd-new may be on separate server, but scanner(s) local to amavisd-new host
- Can change or add new scanners w/o touching MTA configuration
[Diagram: Method 1: MTA -> Virus and/or Spam Scan; Method 2: MTA -> amavisd-new -> Virus and/or Spam Scan]
Slide 8: SMTP Outbound -- Details
[Diagram: Clients and Webmail (all mail from local users, including mail between local users) -> SMTP out (with spam filters) -> Internet; Mailbox Servers; Bounces for "user not found", "account disabled", etc. (but not spam)]
- All user-originated messages pass through virus and spam filters
- Outbound servers have local spam, virus filter
- Philosophy: Outbound << Inbound; Nothing nasty out!; No spam, virus bounce; Decouple outbound queuing
Slide 9: POP3/IMAP4 Service
[Diagram: Clients (users) and Webmail -> Internet -> POP/IMAP proxies -> mailbox servers (mbox); SMTP in -> mailbox servers; LDAP]
- Mailbox servers are just POP3/IMAP4, nothing else
- Routing to mailbox host based on LDAP attribute
- No direct connection to mailbox servers from untrusted hosts
- POP/IMAP proxy looks up mailbox location in LDAP, emulates (then passes through) authentication
- No user data whatsoever on proxy server -- admin is trivially simple
Slide 10: Webmail Service
[Diagram: Users -> Webmail Servers -> IMAP Proxy Servers; Webmail Servers <-> MySQL Server (session data)]
- Webmail authentication is through IMAP, not LDAP
- Sessions must be in MySQL, not Apache or PHP or Horde native, so load balancing will work correctly
- MySQL server stores only session data and [optionally] webmail user preferences
- MySQL server can be replicated for warm failover
Slide 11: LDAP (My Diagrams vs. Reality)
My Diagrams:
- One big LDAP server
- If LDAP goes down, the world comes to a grinding halt
Reality:
- One master LDAP server
- Any other server that needs LDAP lookups has its own replica locally
- Master server down? No user profile changes, but things keep working for all that matters.
Slide 12: Software Selection: MTA
Selected: Exim
Other Candidates: Sendmail, qmail
Why?
- Extremely configurable
- Sophisticated and readable config syntax
- Config localized to one file (manageability)
- Secure, fast, reliable
- Integrates smoothly with external data sources
- Superb documentation
Slide 13: Software Selection: POP/IMAP
Selected: Courier
Other Candidates: WU-imapd (numerous others)
Why?
- Extremely configurable
- Modular authentication
- Widely supported
- Secure, fast, reliable
- Integrates smoothly with external data sources
Slide 14: Software Selection: IMAP/POP Proxy
Selected: Perdition
Why?
- Does what is needed
- See "Other Candidates"
Other Candidates: None, really
Slide 15: Software Selection: Webmail
Selected: Horde (plus IMP and Turba plugins)
Other Candidates: SquirrelMail, EMU Webmail, Courier Webmail, etc.
Why?
- Extremely configurable
- Modular design with other "groupware" components available: address book/contacts, calendar
- Mainstream and widely supported
- Integrates smoothly with external data sources
Slide 16: Adding z/VM Linux to the Mix
Great on z/VM Linux:
- Mailbox servers (+++)
- POP/IMAP proxy servers
- Webmail servers
- MySQL server(s)
- Master LDAP (?)
- Inbound SMTP route (spin off from spam scan)
- Outbound SMTP -- but spin off virus/spam scan to Intel
Maybe stay on Intel:
- Virus scanning
- Spam scanning
- Outbound SMTP, if you keep virus/spam scan local to these hosts
Note that the servers that don't make sense on z/VM Linux are also the servers that store no important data!
Slide 17: Performance in the Real World
Configuration:
- Intel P4-class hardware, ~2.0 GHz
- Uniprocessor, except virus scan, spam scan and master LDAP
- 2 GB RAM per host
- 100 Mb Ethernet
- ~40K users
- > 30K inbound messages/hour, not counting deleted spam and viruses
Performance:
- Virus + spam >= 2X actual inbound mail
- About 8K~10K users per mailbox server
- 2 servers at each pipeline stage can handle full load (3 used by choice to allow scheduled outages)
- In production ~2 years with no large outages
Slide 18: Remaining Challenges
- Mailbox servers are a "single point of failure" for the specific users of a given server
  - Using z/VM Linux largely eliminates this problem
  - Can use tools like "heartbeat" for hot failover
- Spam and viruses are absolutely rampant on the Internet -- even state-of-the-art filtering isn't good enough yet
  - Sender Policy Framework (SPF)
  - CRM114, Bayesian filter -- good but complex
  - Authenticated SMTP (supported by this design!)
Slide 19: Conclusion
- System is horizontally and vertically scalable
- Platform-neutral, and most pieces work just fine on z/VM Linux
- All pieces work fine on z/VM Linux if you have a small number of users
- Load balancing accomplished with simple round-robin DNS and built-in replication features of OpenLDAP and MySQL
- Servers can go offline easily for scheduled maintenance
- Servers can be cloned from server-type templates
Slide 20: Contact Information
Scott Courtney, Senior Engineer
Sine Nomine Associates