Developers Documentation


Multiple Email Domains

ClearOS does not support multiple discrete email domains. The limitation lies in the ability to layer additional services that are collaborative in nature onto ClearOS. While the mail server is certainly capable of handling discrete domains, the directory required to support this would necessarily have to use fully qualified email addresses. This breaks the usefulness of ClearOS for nearly all services other than mail.

Options

The two ways many companies and organizations get around this are:

  • Shared Domain
  • Multi-server (usually done with virtualization)

Shared Domain

Highlights

The shared domain model works with organizations that are discrete yet related. For example, two businesses might be owned by the same holding company. They would like to use ClearOS to consolidate their email domains into a single management device.

Advantages
  • One box to manage.
  • Consolidated use of services (anti-spam, anti-virus, intrusion prevention).
Disadvantages
  • Cannot have usernames at different organizations that are the same.
  • Usernames work for all domains listed.
  • Collaboration software shows all users between companies as the same.
  • Other services require attention to security controls.

Example

Running in this mode, all users from all domains would be created on the same server. For management purposes, you would want to create groups to track which company each user belongs to. The individual domains would be aliases for the main domain. We recommend using a neutral domain name for the main domain because the email server will reveal the default domain in many cases, which means emails can be sent out using the default domain in some cases. You will need to test extensively to ensure it works the way you want.

You would not be able to create the user 'bsmith' for both companies so a policy for usernames may need to differ between entities if you are trying to keep consistency. For example:

  • Bob Smith, CompanyA (bsmith)
  • Joe Emerty, CompanyA (jemery)
  • Bob Smith, CompanyB (bob_smith)
  • Bob Samuelson, CompanyC (bobs)

Under this paradigm, each user on the system can receive mail for any domain on the system. If someone can email bsmith@companya.com, they can also email bsmith@companyb.com; it is the same mailbox. It is important that the individual client workstations be configured to have their reply address specified. Moreover, there is a potential security problem: if bsmith is an executive and bill_smith is not, it would be trivial for bill_smith to send out an email as bob_smith@companya.com and have users reply to HIS mailbox and not to the real Bob Smith at CompanyA. If this is a concern, please use the multi-server method.
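The sender-address risk described above can be checked at submission time by comparing the From and Reply-To addresses with the authenticated account and its company group. This is an added example, not ClearOS code; the group names, the companyc.com domain, the sample messages and the way `auth_user` is obtained are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: usernames from the list above, grouped by company.
GROUPS = {
    "companya": {"bsmith", "jemery"},
    "companyb": {"bob_smith"},
    "companyc": {"bobs"},
}
# Alias domain each group may send as (hypothetical mapping; companyc.com is assumed).
GROUP_DOMAIN = {
    "companya": "companya.com",
    "companyb": "companyb.com",
    "companyc": "companyc.com",
}

def allowed_domains(username):
    """Domains a user may send as, derived from group membership."""
    return {GROUP_DOMAIN[g] for g, members in GROUPS.items() if username in members}

def check_message(auth_user, raw_message):
    """Return the policy violations for one submitted message.

    auth_user is the account that authenticated to submit the mail (assumed
    to be supplied by the submission service).
    """
    msg = message_from_string(raw_message)
    problems = []
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value is None:
            continue
        _, addr = parseaddr(value)
        local, _, domain = addr.lower().rpartition("@")
        if local != auth_user:
            problems.append(f"{header}: {addr} is not the mailbox of {auth_user}")
        elif domain not in allowed_domains(auth_user):
            problems.append(f"{header}: {auth_user} is not in the group for {domain}")
    return problems

# Constructed messages: CompanyB's bob_smith using a CompanyA address, and a normal one.
SPOOFED = "From: Bob Smith <bob_smith@companya.com>\nSubject: Q3 numbers\n\nPlease reply.\n"
LEGIT = "From: Bob Smith <bsmith@companya.com>\nSubject: Q3 numbers\n\nPlease reply.\n"

if __name__ == "__main__":
    for user, raw in (("bob_smith", SPOOFED), ("bsmith", LEGIT)):
        print(user, check_message(user, raw) or "ok")
```

The same group data that tracks company membership drives the check, so an address that the shared mailbox namespace would accept is still flagged when its domain belongs to another company.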

If you are using LDAP tools for directory listings, you will want to constrain your search, for example to group membership, because a general user search will reveal all users. Perhaps the working relationship between the companies warrants this, however.

For collaboration tools, all users will by default appear to everyone. This is the downside to this method and cannot be avoided in all cases. Additionally, any user created under this system will

Multi-server

Highlights

The multi-server model works when organizations require discrete security barriers and cannot tolerate any crossover. If two businesses are separate and need to be treated as such, then this is the model you must use.

Advantages
  • Everyone has their own machine.
  • Security is tight.
Disadvantages
  • Increased management.
  • Increased costs.

Example

There are ways in which consolidation can occur across multiple email domains. For example, if an engineer requires that multiple discrete domains be consolidated onto a single machine, you could run ClearOS on the hardware and host the individual discrete domains as ClearOS VMs under the main ClearOS box (we'll call it the master).

In this scenario, you can have the anti-virus and anti-spam protections on the ClearOS license associated only with the OS running on the hardware, the master. This would forgo the need to have multiple licenses and provide the same protection. The discrete email domains would receive their email through the master. No user accounts would be created on the master but rather on each of the individual VMs. The master's SMTP server would be configured to forward all mail to the VMs; it would store the email and forward it to the VM when the VM is available. The MX records for each domain will point only to the master. For outbound mail, each VM can either send the mail directly or send its outbound mail through the master. The advantage of relaying through the master is that you can run anti-virus and anti-spam on your outbound host.

content/en_us/kb_o_multiple_email_domains.txt · Last modified: 2016/07/20 09:04 by dloper
