Articles October 7, 2006 at 11:19 pm

How to Split a Server (Part 3 of 4)

Part 3 of the series where we focus on DNS and mail.

You can find Part 1 and Part 2 of this series, which were published earlier.

Author’s Note: OK, so the first thing I learned on seeing these articles actually posted on is that I need to make sure that the settings are not just in the graphics but also in the text, since graphics and screenshots don’t get posted on that site. The full article with images is on my website at here.

For Stage II, the goal is to set up the infrastructure for the domain to provide a home base for the open source project. External contributors will get replacement accounts in the domain, and their old domain accounts will be forwarded. We also need to set up the DMZ server so that it acts as a forwarder for DNS requests from the internal server, to cut off the last direct connection between the internal server and the outside world. In addition, the project will get its own separate website, rather than just having a piece of the website.

DNS Configuration

Part of this is external, part of it is internal.

Internal DNS configuration

In the DNS service on, create a new zone called, whose name server is called “server” with IP address

Add another machine called “dmzserver” with IP address Aliases: www, mail, imap, and set it to be the mail server for the zone.


The reverse DNS lookup for will still point to

External DNS configuration

This needs to happen at your ISP or registrar.

  • Aliases: www, mail, imap
  • MX for

The net result is that all of the host entries point to the same machine, whether from inside the network or from outside the network. Two things to check after the change: look up each name from an inside host and from an outside one and compare the answers, and make sure the MX record names the host itself (dmzserver) rather than the mail alias, since RFC 2181 does not allow an MX target to be an alias and not every sending server tolerates one.

Mail Service Reconfiguration

Shut down the mail service

This is to ensure that no e-mail is lost while the transfer is going on. Outside mail servers that try to deliver will find port 25 refusing connections, queue the message and retry after a reasonable interval (generally 15 or 30 minutes), and keep retrying for days before giving up, so a short outage costs nothing. Turn off the Mail service using Server Admin on both and

Move IMAP mail storage to dmzserver

In order to ensure that none of the outside contributors lose any e-mail, we will need to move their existing imap mail stores to the dmzserver. The easiest way to do this is to use the command line tool tar, which preserves permissions and, when run as root on both ends, ownership as well. Both matter: Cyrus runs as its own user and cannot read mailbox files that come out of the copy owned by root, so check with ls -l after extracting.

You will need to move only some of the folders within /var/spool/imap, namely the folders for contributor1 and contributor2. From the command line on, execute the following commands:

	cd /var/spool/imap/
	sudo tar zcf /tmp/contributors.tgz users/contributor1 users/contributor2

Copy the file /tmp/contributors.tgz to and un-tar it into the same relative location. The archive contains other people's mail, so make sure it is readable only by root while it sits in /tmp, and delete it from both machines once the move has been verified:

	cd /var/spool/imap/
	sudo tar zxf /tmp/contributors.tgz

Open Workgroup Manager and select the accounts for the external contributors to the project. Change their mail server to


Lastly, tell Cyrus to rebuild its index and cache files (cyrus.index, cyrus.cache) for the moved mailboxes on the dmzserver, so that it picks up the copied messages, by using the command below. Before turning the service back on, confirm that the mailboxes are listed (cyradm's lm command shows them) and that a contributor can log in and see the old messages:

	sudo -u cyrusimap /usr/bin/cyrus/bin/reconstruct
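Here is an added rehearsal script (not from the original article) that runs the same two tar steps on a constructed fake spool and proves the copy is complete: every file under the two contributor directories is compared by path, mode and SHA-256 before and after, the archive is created unreadable to other users, and a third mailbox is confirmed to have stayed behind. The users/<name> layout and the archive name come from the article's commands; the message files, their modes and the staffer mailbox are constructed. Run it as-is to watch the check pass, then point pack_users and unpack_users at the real spool.

```shell
#!/bin/sh
# Added example, not code from the original article: rehearse the IMAP spool
# move on a constructed directory tree and prove that the copied mailboxes are
# byte-for-byte identical, keep their modes, and that nothing else travelled.
# Assumed layout follows the article's commands: <spool>/users/<name>/...
# Ownership is only preserved when tar runs as root, so this check compares
# content and mode, which any user can verify.
set -eu

file_mode() {  # octal mode: GNU stat first, then BSD/macOS stat
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

file_hash() {  # sha256 of a file's content with whichever tool is present
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Constructed fixture: two contributors who move, one staffer who must not.
make_fake_spool() {  # make_fake_spool <spool>
    for u in contributor1 contributor2 staffer; do
        mkdir -p "$1/users/$u/Sent"
        printf 'Subject: hello %s\n\nbody\n' "$u" > "$1/users/$u/1."
        printf 'Subject: archived\n\n' > "$1/users/$u/Sent/1."
        : > "$1/users/$u/cyrus.header"
        chmod 600 "$1/users/$u/1." "$1/users/$u/Sent/1." "$1/users/$u/cyrus.header"
        chmod 700 "$1/users/$u" "$1/users/$u/Sent"
    done
}

# One line per file under the named directories: relative path, mode, sha256.
manifest() {  # manifest <spool> <relative-dir>...
    spool="$1"; shift
    ( cd "$spool" && find "$@" -type f | LC_ALL=C sort | while read -r f; do
          printf '%s %s %s\n' "$f" "$(file_mode "$f")" "$(file_hash "$f")"
      done )
}

pack_users() {  # pack_users <spool> <archive> <relative-dir>...
    spool="$1"; archive="$2"; shift 2
    ( umask 077 && cd "$spool" && tar -czf "$archive" "$@" )   # archive readable by its owner only
}

unpack_users() {  # unpack_users <spool> <archive>
    mkdir -p "$1"
    ( cd "$1" && tar -xpzf "$2" )   # -p: restore modes even when not root
}

# Succeeds only when both manifests are identical.
verify_move() {  # verify_move <src-spool> <dst-spool> <relative-dir>...
    src="$1"; dst="$2"; shift 2
    [ "$(manifest "$src" "$@")" = "$(manifest "$dst" "$@")" ]
}

# Rehearsal on scratch directories, mirroring the article's two-step copy.
work=$(mktemp -d)
make_fake_spool "$work/src"
pack_users "$work/src" "$work/contributors.tgz" users/contributor1 users/contributor2
unpack_users "$work/dst" "$work/contributors.tgz"
if verify_move "$work/src" "$work/dst" users/contributor1 users/contributor2; then
    echo "contributor mailboxes copied intact"
fi
[ -e "$work/dst/users/staffer" ] || echo "staffer mailbox stayed behind"
rm -rf "$work"
```

On the real servers run pack_users on the internal server and unpack_users on the dmzserver as root so that ownership travels with the files; that ownership is the one thing the rehearsal cannot check as an ordinary user, so follow the real copy with ls -l on the moved directories.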

Postfix configuration

Postfix can host domains other than the local domain. In this case, we'll set to host the domain as well as the domain. Open Server Admin and connect to Select the Mail service and click on the Settings tab, then click on the Advanced tab, then select the Hosting sub-tab. Add the domain to the list of Locally Hosted Domains. This tells Postfix to treat the domain as a local destination and hand mail addressed to it to the local delivery agent (and from there to Cyrus IMAP), rather than looking up the MX record and relaying the mail onward.


The last part of the Postfix configuration is to make sure that mail sent to the external contributors' old addresses in the domain ends up in the domain. To do this, we need to edit the /etc/postfix/ and /etc/postfix/aliases files on

In the file, make sure the alias_maps parameter includes the hash:/etc/postfix/aliases setting. The line should read something like:

	alias_maps = hash:/etc/postfix/aliases

In the aliases file, put the entries:

	[email protected]: [email protected]
	[email protected]: [email protected]

One caveat about the left-hand side: an aliases(5) key is a bare local name with no domain part. The local delivery agent strips the domain before the lookup, so a key written as a full address never matches, and a bare key matches that name in every locally hosted domain. Use the contributor's short name as the key. If one full address has to be rewritten to another (for example when the two domains need differently named mailboxes for the same person), that is the job of virtual_alias_maps, whose keys are full addresses, not of the aliases file.

Next, run postalias (newaliases does the same) on the aliases file so that /etc/postfix/aliases.db is rebuilt. Do not use postmap for this file: postmap expects "key value" lines rather than the "key: value" form of aliases(5), so it would store every key with a trailing colon and no alias would ever match.

	sudo postalias /etc/postfix/aliases

Lastly, use Server Admin to set the Mail service on to relay all mail through
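As an added example, not from the article, the following script prepares the old-address-to-new-address forwards as a virtual(5) table for virtual_alias_maps, the Postfix mechanism that matches on full addresses, and lints the pairs before writing anything: malformed or domain-less keys, duplicates, self-forwards and two-way loops are rejected. The domains example.com (old) and example.org (project), the file names and the lint rules are assumptions; Postfix itself is not needed to run the check.

```shell
#!/bin/sh
# Added example, not code from the original article: prepare a Postfix
# virtual(5) table for virtual_alias_maps that forwards the contributors' old
# addresses to their new ones, refusing to write it if the pairs are malformed,
# duplicated, self-referencing or form a two-way forwarding loop.
# example.com (old), example.org (project) and all file names are assumptions.
set -eu

# Read "old new" pairs on stdin; print every problem found and exit 1 if any.
lint_forwards() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    NF != 2 { print "line " NR ": expected \"old new\""; bad = 1; next }
    $1 !~ /^[^@ \t]+@[^@ \t]+$/ {
        print "line " NR ": key " $1 " must be user@domain (virtual(5) keys carry a domain; aliases(5) keys do not)"
        bad = 1; next }
    $2 !~ /^[^@ \t]+@[^@ \t]+$/ { print "line " NR ": target " $2 " must be user@domain"; bad = 1; next }
    $1 == $2 { print "line " NR ": " $1 " forwards to itself"; bad = 1; next }
    $1 in map { print "line " NR ": duplicate key " $1; bad = 1; next }
    { map[$1] = $2 }
    END {
        for (k in map)
            if ((map[k] in map) && map[map[k]] == k && k < map[k]) {
                print "loop: " k " <-> " map[k]; bad = 1 }
        exit bad
    }'
}

# Write the table and build the .db when Postfix is installed. postmap is the
# right tool for virtual(5); an aliases(5) file needs postalias instead.
build_virtual_map() {  # build_virtual_map <pairs-file> <output-file>
    lint_forwards < "$1"
    awk '/^[ \t]*(#|$)/ { next } { printf "%-40s %s\n", $1, $2 }' "$1" > "$2"
    if command -v postmap >/dev/null 2>&1; then
        postmap "$2"
    fi
}

# Constructed input: the two contributors' old addresses and their new ones.
work=$(mktemp -d)
cat > "$work/forwards.txt" <<'EOF'
# old address               new address
contributor1@example.com    contributor1@example.org
contributor2@example.com    contributor2@example.org
EOF
build_virtual_map "$work/forwards.txt" "$work/virtual"
cat "$work/virtual"          # this is what would be installed as /etc/postfix/virtual
rm -rf "$work"
```

Install the result as /etc/postfix/virtual on the host that receives the old domain's mail, add virtual_alias_maps = hash:/etc/postfix/virtual to main.cf and reload Postfix. The rewrite happens before routing, so it works whether the new domain is hosted on the same machine or elsewhere.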

But what to do if we want to have the same e-mail username for both domains, e.g. [email protected] and [email protected]? We can handle this through Workgroup Manager. Set up two users with different short names, e.g. infoexamplecom and infoexampleorg. As additional short names, add [email protected] and [email protected], respectively. Set up the mail service for each user (either as a normal mail box or as a forwarder), and it should just work.


Don’t forget to turn the Mail service back on.

Web Server Reconfiguration

We had been running the website for the open source project from the /opensource subdirectory of the main webserver. However, we would like to give the project its own website. Fortunately, Mac OS X Server makes it easy to do.

In Server Admin, connect to and click on the Web service. Click on the Sites tab and duplicate the website. (Make sure that the default site — which has a domain name of “*” — is disabled or deleted.) Change all of the references from to Also, change the location of the document root of the website to be some place other than the same place as the website. Then have your web designer create the new website in the new location.


One good way to organize a website’s underlying directories is to create a structure that looks like:


This isolates all of the parts of a website into one directory, including any additional config files, the HTML and image files for the site, and the logs.

The last thing we need to do is set up an HTTP redirect so that visitors to the old project location at /opensource will be sent over to the new website. Create a new plain text file called /WebServer/ This file should contain three lines. (A bare Redirect answers 302 Found; since this move is permanent, give it the permanent keyword so it answers 301 Moved Permanently and search engines and bookmarks update.)

    Redirect /opensource

To pull this configuration file into the Apache web server system, you will need to add the line:

	Include /WebServer/

near the end of the website configuration file for the website. It will be named something like /etc/httpd/sites/ (The number at the front of the filename may vary.) Insert the additional line just before the line that closes the VirtualHost block.

Network Configuration

There’s only one minor networking change. Instead of redirecting port 993 (IMAP over SSL) to, redirect port 993 to This cuts off the last inbound connection from outside directly to the internal server. It does mean that inside users can no longer check their e-mail from the outside world without using VPN or some sort of tunneling service, but that’s what we want anyway. Check it from an outside host: an IMAPS connection to port 993 (openssl s_client will do) should now present the dmzserver’s certificate, not the internal server’s.


At this point there are no longer any connections directly from the outside to the internal server, and the internal server no longer makes any connections directly to the outside: its DNS queries go through the dmzserver’s forwarder and its outbound mail through the dmzserver’s relay. Anyone trying to break in from the Internet must first compromise the dmzserver before they can even attempt to attack the internal server. The flip side is that the dmzserver now carries both websites and the contributors’ mailboxes, so it is the machine to keep patched and to watch in the logs.

The domain is up and running (albeit without mailing lists yet), and external contributors now have official email addresses in the domain. Their old addresses still work, so people who haven’t updated their address books won’t have their mail bounce. Here’s what the final situation looks like:

