Front cover - IBM Redbooks

ehalf of the acme.com domain. If the smtp1 host is down or unreachable, then
external systems would deliver messages to smtp2. For outbound messages, we
configured the mail servers in the internal network to send all messages
addressed outside the internal domain to a virtual relay host called
relay.acme.com. Then, within the internal DNS, we define MX records for the
virtual host relay.acme.com to point to both of the actual SMTP relay hosts, with
the weighting set to favor smtp2 as the preferred route. We refer to this as a
virtual host because there is no host (A) record. Note there would be “A” records
for smtp1 and smtp2 hosts. This scheme provides outbound redundancy and
fail-over: if smtp2 is down or unreachable, the internal mail servers will deliver
outbound messages to smtp1. It is important to note that the internal DNS entries
should resolve to the network addresses of the internally reachable network
adapters on the relay hosts. Likewise, the external DNS should resolve to the
externally reachable network adapter addresses.
For detailed information on “spam” (unsolicited e-mail) prevention and relay host
operation best practices, we recommend the Redbook Lotus Domino 6 spam
Survival Guide for IBM e-Server, SG24-6930.
FTP servers
FTP servers are servers dedicated to receiving files from the Internet using File
Transfer Protocol. They are typically set up as repositories only, although
depending on the business needs of the organization, they may permit certain
users to have the ability to retrieve files from the Internet. FTP servers are
generally required to exchange files that are too large to be sent as SMTP
message attachments. The definition of “large” will vary depending on the
message size limits imposed by partner organization’s SMTP relay hosts. You
should ensure the accounts used by external users are highly restrictive, and
anonymous FTP should be limited, or restricted to yet another dedicated host. If
your FTP server supports passive mode, and you have decided to permit it,
ensure the range of data IP port numbers is limited to a relatively small, finite
range, with all other ports blocked by the firewall.
SSL
The primary goal of the Secure Sockets Layer (SSL) protocol is to provide
privacy and reliability between two communicating applications. The protocol is
composed of two layers. At the lowest level, layered on top of some reliable
transport protocol, is the SSL record protocol. The SSL record protocol is used
for encapsulation of various higher level protocols. One such encapsulated
protocol, the SSL handshake protocol, allows the server and client to
authenticate each other and to negotiate an encryption algorithm and
cryptographic keys before the application protocol transmits or receives its first
byte of data. One advantage of SSL is that it is application protocol independent.
A higher level protocol can layer on top of the SSL protocol transparently. An
Chapter 4. Security components and layers 133