Articles May 2, 2006 at 5:59 am

How to Split a Server (Part 1 of 4)

Some thoughts on getting a small office network setup.

Read on for the beginning of a four-part series on configuring some basic connectivity on your server.

Ed. Note: You can find this article with a bit more graphic flavor at the author’s website.

Overview

Typically when you first set up your domain you have a single Mac OS X Server that serves incoming mail, outgoing mail, and mailing lists for a single domain. This is less than ideal for a few reasons.

  • Internal-only mail and mail to or from external locations are on the same server. This can lead to data leaks and loss of privacy. It may also have legal implications, depending on the industry that you are working in.
  • Any connections directly from external sources to your mail server (that may hold sensitive information in an IMAP data store, for instance) are potential attack avenues.
  • If you host any additional domains their mail is commingled with your own mail.

Also, as your organization grows you may wish to host public mailing lists on a server in the network DMZ but keep your organization’s internal mail on a server in the internal zone. You may also want to have some e-mail accounts delivered to your DMZ server (e.g., for collaborating researchers) but have most of your mail delivered to the internal mail server.

This is fairly advanced stuff. You’ll need to be comfortable with the command line in order to do this, along with some understanding of the SMTP mail system. I’m not going to cover the details of the network routing and firewall setup; that’s another article entirely.

Scenario

To make things a bit more concrete, let’s suppose we have a small software company, example.com, which develops a software package. Part of it has been open-sourced as the example.org project with external contributors, some of whom have already been given example.com mail accounts. There is also a support mailing list in the example.com domain for the software package. All of example.com is run off of a single Mac OS X Server — Open Directory master, mail, file, webserver and internal DNS. The internal network is 192.168.1.0/24 behind a NAT layer, provided by a dedicated NAT/firewall router. External DNS is provided by the ISP who is providing the domain registration.

Surprised that the Mac OS X Server is not also the NAT router for this company? You shouldn’t be. Separate, very capable NAT/firewall routers are dirt cheap these days, and you should NOT expose your server to the Internet directly. Stage 0 for this scenario should be setting up a separate NAT/firewall router. Either a commercial box (such as Cisco or Linksys) or an open source solution (such as OpenBSD or Linux) would be appropriate here.

Goals

The ultimate goal is to limit all inbound connections to only machines in the DMZ. However, as anyone who has ever done a large project knows, a surefire way to have a project go south is to do everything at once in one big bang. Break it down into little steps and you stand a much better chance of succeeding. Therefore, I’ve broken down the process into three stages.

Stage 1

Set up a separate server in the DMZ that handles mail and web serving. This will reduce the direct connections from the outside to the inside server. External contributors will still connect directly to the internal mail server to pick up their mail.

Stage 2

Set up mail delivery on the external server for example.org accounts. This will provide a home base for the open source project. External contributors will get replacement accounts in the example.org domain, and their old example.com domain accounts will be forwarded.

Stage 3

Set up mailing lists on the external server for example.org, and move the support mailing list for example.com onto the external server as well. In the end we want a web server and external mail server in the DMZ, and an internal mail server, file server, and OD master in the inner zone.

Each of the articles in the series will address these stages in succession.

Original Configuration

To conclude this article, here’s what the network looks like at the start, and what it should look like when we’re finished.

What’s port 993? It’s the port for IMAP over SSL. You are using SSL for your IMAP, aren’t you?

Internal DNS info

server.example.com

  • 192.168.1.2
  • Aliases: mail, imap, odmaster, www
  • mail server for the zone (MX)

External DNS info

hosting.example.com

  • 1.2.3.4
  • Aliases: mail, www
  • MX for example.com

Final Configuration

Internal DNS info

server.example.com

  • 192.168.1.2
  • Aliases: mail, imap, odmaster
  • mail server for the zone (MX)

dmzserver.example.com

  • 192.168.2.2
  • Aliases: www
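
The record lists above, written out as BIND-style zone data so the internal and external views can be compared side by side. This is an added illustration, not configuration from the original article; the SOA and NS values, TTLs and the serial are placeholders, and in practice the internal zone is served only to the 192.168.1.0/24 network while the external zone is the one the ISP publishes.

```zone
; --- Internal zone, final configuration (served only to the inside network) ---
$TTL 3600
$ORIGIN example.com.
@           IN SOA   server.example.com. hostmaster.example.com. (
                2006050201 ; serial (placeholder)
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@           IN NS    server.example.com.
@           IN MX    10 server.example.com.   ; internal mail still delivers to the inside server

server      IN A     192.168.1.2
mail        IN CNAME server
imap        IN CNAME server
odmaster    IN CNAME server

dmzserver   IN A     192.168.2.2
www         IN CNAME dmzserver                ; the www alias moves from server to the DMZ host

; --- External zone, published by the ISP (unchanged by the split) ---
; $ORIGIN example.com.
; @           IN MX    10 hosting.example.com.   ; MX target must be an A record, not a CNAME
; hosting     IN A     1.2.3.4
; mail        IN CNAME hosting
; www         IN CNAME hosting
```

Nothing in the external zone names the 192.168.x.x hosts; only the DMZ and hosting addresses are ever visible from outside.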

In Part 2, I’ll cover stage 1 — setting up an SMTP and HTTP server in the DMZ to reduce the number of direct connections to the internal server.
