>>>>> On Wed, 02 Feb 94 14:08:32 -0500, lazear @
laz> Any ideas how to finesse the MX's of the external world to allow correct
laz> resolution and at the same time allow all internal mail to flow thru
laz> the bastion?
Yes. The long answer is that I really don't think you want to do it,
because it's a huge undertaking, and diametrically opposes the
distributed design of DNS.
Instead, I'll describe how we worked around this.
We're a small organization. What we did is declare one host the Mail
Host for both incoming and outgoing mail. This makes configuring the
other hosts easy because they just blindly forward all mail to the
Mail Host. We use sendmail, and have a boiler-plate "outlying.cf"
which goes to each host, derived from one which Rich $alz has
distributed widely. Most sendmails accept this minimalist
configuration file without any modification. These outlying hosts
don't even look up the MX for the "actual" hosts to which the mail is
ultimately destined. They only look up the MX for the "forwarder"
host, which is our Mail Host. The Mail Host takes responsibility for
delivering it outside our administrative domain, and is a single point
of failure; it looks up all the MX entries outside our administrative
domain. Similarly, we have an MX for our organization which directs
all incoming mail to the Mail Host. We use POP from other hosts to
retrieve incoming mail. (You could just as easily give the Mail Host
directions on how to route mail internally instead. The boiler-place
configuration file on each outlying host simultaneously gets slightly
more complicated because it has to distinguish between local delivery
and everything else.)
I don't know the size of Mitre, but I think you have described a
similar single point of failure (bastion), so perhaps this approach is
INET: Mark-Ludwig @
COM NIC: ML255 ICBM: USA; Lower Left Coast
"Anything worth doing in Japan is worth doing in a crowd." -- T. R. Reid