4.3 The ISP Environment

The recommended configuration for an ISP environment should not be that different from the corporate one, but there are some considerations to take into account. ISPs tend to have a very heavy POP3 load, as their clients generally use POP3 to get their mail. A medium to large ISP (particularly one which is growing rapidly) might want to consider separating its MX host from its POP3 host. The POP3 host would not need to be an MX host, and its MTA could be configured to only accept mail inbound from the primary MX for the domain, which would then be delivered locally to the customer's mail spool. In networks where the client load is very, very high, a third machine could be added to the architecture which would only accept mail from the provider's dial-up customers and then send it out to its destination. In this way the primary MX for the domain would only accept inbound mail from the world and route it to the POP3 host, and the effective load on all three machines would be reduced. The important thing here is to apply limits to what mail is accepted by the non-MX hosts. Here are some sample configurations and comments:

4.3.1 The primary MX host (smtp.isp.net)

 
    divert(-1) 
    include(`/usr/lib/sendmail-cf/m4/cf.m4')
    dnl let's define our OS type. This one is mandatory.
    OSTYPE(`linux')dnl
    define(`confDEF_USER_ID',``8:12'')
    dnl the following line moves the default alias file location to /etc/mail. Doing it this way
    dnl allows the newaliases command to function properly with the aliases file
    dnl once it's moved from the Red Hat default location in /etc.
    define(`ALIAS_FILE',`/etc/mail/aliases')dnl
    dnl if the net were a kinder gentler place we wouldn't need the next line.
    define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
    dnl if it's not immediately deliverable let us know in 4 hours and return it if it's
    dnl not been delivered after 4 days.
    define(`confTO_QUEUERETURN', `4d')dnl 
    define(`confTO_QUEUEWARN', `4h')dnl
    dnl Let's tell the system where procmail lives
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    dnl we want all mail for our local domain(s) handed to the pop3 host for delivery
    define(`MAIL_HUB', `pop3.isp.net')dnl
    dnl we don't need either one of the next two entries so let's remove the default.
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    dnl when people move on it will really help to give them an informative bounce
    FEATURE(`redirect')dnl
    dnl we are 'isp.net' after all. Let's make it so.
    FEATURE(`always_add_domain')dnl
    dnl let's set up class w as a text file. It's easier to manage that way. Since this host is designed
    dnl to relay, be careful about what you put in this file
    FEATURE(`use_cw_file')dnl
    dnl we defined the path to procmail now let's implement it
    FEATURE(`local_procmail')dnl
    dnl we won't be doing any uucp
    FEATURE(`nouucp')dnl 
    dnl with the mailertable we can redirect mail anywhere we want. Very handy. Particularly for an ISP.
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
    dnl with the virtusertable we can have multiple mail accounts with the same name
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
    dnl the access file gives us fine grained control of our relay capability
    FEATURE(`access_db', `hash -o /etc/mail/access')dnl
    FEATURE(`blacklist_recipients')dnl
    dnl note that we patched our version of sendmail to be able to use more than one rbl entry
    dnl see section 2.3.2 of this document for more information and a HOWTO. These next 3
    dnl entries are completely optional but recommended if you'd like to limit the amount
    dnl of spam you receive inbound to your domain
    FEATURE(`rbl', `rbl.maps.vix.com', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/rbl/')dnl
    FEATURE(`rbl', `dul.maps.vix.com', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/dul/')dnl
    FEATURE(`rbl', `relays.mail-abuse.org', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/rss/')dnl
    dnl the default MDA with Red Hat Linux is procmail so let's use it. We need this line.
    MAILER(procmail)dnl
    MAILER(smtp)dnl
    

4.3.2 The POP3 host (pop3.isp.net)

 
    divert(-1) 
    include(`/usr/lib/sendmail-cf/m4/cf.m4')
    dnl let's define our OS type. This one is mandatory.
    OSTYPE(`linux')dnl
    define(`confDEF_USER_ID',``8:12'')
    dnl the following line moves the default alias file location to /etc/mail. Doing it this way
    dnl allows the newaliases command to function properly since we've moved the aliases file
    dnl from the default Red Hat Linux location in /etc.
    define(`ALIAS_FILE',`/etc/mail/aliases')dnl
    dnl if the net were a kinder gentler place we wouldn't need the next line.
    define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
    dnl if it's not immediately deliverable let us know in 4 hours and return it if it's
    dnl not been delivered after 4 days.
    define(`confTO_QUEUERETURN', `4d')dnl 
    define(`confTO_QUEUEWARN', `4h')dnl
    dnl Let's tell the system where procmail lives
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    dnl we don't need either one of the next two entries so let's remove the default.
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    dnl let's set up class w as a text file. It's easier to manage that way.
    FEATURE(`use_cw_file')dnl
    dnl we defined the path to procmail now let's implement it
    FEATURE(`local_procmail')dnl
    dnl we won't be doing any uucp
    FEATURE(`nouucp')dnl 
    dnl with the mailertable we can redirect mail anywhere we want. Very handy. 
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
    dnl with the virtusertable we can have multiple mail accounts with the same name
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
    dnl the access file gives us fine grained control of our relay capability
    FEATURE(`access_db', `hash -o /etc/mail/access')dnl
    FEATURE(`blacklist_recipients')dnl
    dnl note that we patched our version of sendmail to be able to use more than one rbl entry
    dnl see section 2.3.2 of this document for more information and a HOWTO. These next 3
    dnl entries are completely optional but recommended if you'd like to limit the amount
    dnl of spam you receive inbound to your domain
    FEATURE(`rbl', `rbl.maps.vix.com', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/rbl/')dnl
    FEATURE(`rbl', `dul.maps.vix.com', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/dul/')dnl
    FEATURE(`rbl', `relays.mail-abuse.org', `Mail from $&{client_addr} rejected; see http://www.mail-abuse.org/rss/')dnl
    dnl the default MDA with Red Hat Linux is procmail so let's use it. We need this line.
    MAILER(procmail)dnl
    MAILER(smtp)dnl
    

4.3.3 The outbound SMTP host (out.isp.net)

 
    divert(-1) 
    include(`/usr/lib/sendmail-cf/m4/cf.m4')
    dnl let's define our OS type. This one is mandatory.
    OSTYPE(`linux')dnl
    define(`confDEF_USER_ID',``8:12'')
    dnl the following line moves the default alias file location to /etc/mail. Doing it this way
    dnl allows the newaliases command to function properly with the aliases file
    dnl once it's moved from the Red Hat Linux default location in /etc. We've also added a majordomo
    dnl aliases file as this machine would be the right one to be the listserv if your service needs one.
    define(`ALIAS_FILE',`/etc/mail/aliases,/etc/mail/majordomo')dnl
    dnl if the net were a kinder gentler place we wouldn't need the next line.
    define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,noexpn,novrfy')dnl
    dnl if it's not immediately deliverable let us know in 4 hours and return it if it's
    dnl not been delivered after 4 days.
    define(`confTO_QUEUERETURN', `4d')dnl 
    define(`confTO_QUEUEWARN', `4h')dnl
    dnl we don't need either one of the next two entries so let's remove the default.
    undefine(`UUCP_RELAY')dnl
    undefine(`BITNET_RELAY')dnl
    dnl Let's tell the system where procmail lives
    define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
    dnl we are 'isp.net' after all. Let's make it so.
    FEATURE(`always_add_domain')dnl
    dnl Let's set up masquerading since we will need it.
    MASQUERADE_AS(`isp.net')dnl
    dnl Let's also set it up so that we can have all of our domains listed in an unmapped text file. This way clients with custom or vanity
    dnl domains can send mail with a from address that uses their domain.
    MASQUERADE_DOMAIN_FILE(`/etc/mail/masq-domains')dnl
    dnl we won't be doing any uucp
    FEATURE(`nouucp')dnl 
    dnl The genericstable gives us the ability to manipulate outbound addresses so we should use it here on 
    dnl the outbound host.
    FEATURE(`genericstable', `hash -o /etc/mail/genericstable')dnl
    dnl We need the mailertable on this machine to handle cases where the mail is intended for other local users on the same service.
    dnl We would add the following to the mailertable (mailertable keys are bare domain names, unlike the @domain
    dnl keys of the virtusertable, and the mailer name is the lowercase smtp mailer defined below):
    dnl isp.net        smtp:pop3.isp.net
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
    dnl The access file gives us fine grained control of our relay capability. For our outbound host we must be sure to explicitly allow
    dnl all of our dialup IP addresses by adding them to the access table
    FEATURE(`access_db', `hash -o /etc/mail/access')dnl
    FEATURE(`blacklist_recipients')dnl
    dnl The default MDA with Red Hat Linux is procmail so let's use it. We need this line.
    MAILER(procmail)dnl
    MAILER(smtp)dnl
    

4.3.4 Summary for the three configurations

So as you can see, what we've done is set up our three machines to handle three associated mail tasks separately. Smaller service providers can handle all three tasks, plus any listserv functionality required, on a single host by combining the features highlighted here in a single configuration. But in this config your clients will never touch the inbound SMTP host. They would set the POP3 server in their mail client to pop3.isp.net and the SMTP server to out.isp.net. Note that the access file for the outgoing mail host has to include an explicit RELAY authorization for all of your dial-up ports, otherwise your clients will get rejected when they try to send mail. What we've actually done here is distribute the load amongst three machines, and in an ISP with a significant number of dial-up clients this can really improve performance.
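Added example (not from the original document) of the RELAY authorization the summary calls for: a sample access table for out.isp.net covering the dial-up pools, plus a small shell emulation of the left-to-right octet matching sendmail applies to IP keys in the access database, so you can check which client addresses will be allowed to relay before rebuilding the map. The dial-up pools 10.1.0.0/16 and 192.0.2.0/24 and the scratch directory are assumptions; the real file lives in /etc/mail on the outbound host.

```shell
#!/bin/sh
# Added example, not part of the original document: writes the access table
# out.isp.net needs for its dial-up pools and checks which client IPs would be
# granted RELAY, using sendmail's own rule for IP keys (full address first,
# then one trailing octet dropped at a time). Pools are constructed values.

# Write a sample /etc/mail/access into the directory given as $1.
write_out_access() {
    cat > "$1/access" <<'EOF'
# /etc/mail/access for out.isp.net (constructed dial-up pools)
# Keys are leading octets: "10.1" covers 10.1.0.0 through 10.1.255.255.
# CIDR notation (10.1.0.0/16) is not understood by the access database.
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
10.1                    RELAY
192.0.2                 RELAY
EOF
    # After editing, rebuild the hash map sendmail actually reads:
    #   makemap hash /etc/mail/access < /etc/mail/access
}

# Emulate the access-db lookup for a client IP: try the full address, then
# drop one trailing octet at a time until a key matches. Prints the
# right-hand side (RELAY, OK, REJECT, ...) or NONE when nothing matches,
# which for a relay attempt means sendmail refuses it.
access_lookup() {
    file=$1
    key=$2
    while [ -n "$key" ]; do
        rhs=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
        if [ -n "$rhs" ]; then
            echo "$rhs"
            return 0
        fi
        case $key in
            *.*) key=${key%.*} ;;   # 10.1.2.3 -> 10.1.2 -> 10.1 -> 10
            *)   key= ;;
        esac
    done
    echo NONE
}

# Stand-alone demonstration against a scratch directory.
dir=$(mktemp -d)
write_out_access "$dir"
for ip in 10.1.200.7 192.0.2.44 198.51.100.9; do
    echo "$ip -> $(access_lookup "$dir/access" "$ip")"
done
rm -r "$dir"
```

The access table only decides whether sendmail will relay for a connection and has no default-deny entry, so restricting pop3.isp.net to accept SMTP only from smtp.isp.net and out.isp.net, as section 4.3 describes, has to come from TCP wrappers (hosts.allow, when sendmail is built with libwrap) or a packet filter in front of it.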