Example _former_ configuration of my mail servers (University of Economics in Bratislava):

[ASCII diagram; its layout was lost. Labels that survive: connections from the Internet and from CLIENTS; a central "amavisd-new (virus/spam check)" box with port 25 (qmail-outside) on either side and port 10025 (qmail-inside) below it; two qmailhost boxes, one for students' mails and one for mails of staff, each with port 25 (qmail-outside) and port 10025 (qmail-inside); arrows from the centre point to port 10025 (qmail-inside) on both qmailhosts.]

1. When a mail for some student arrives, qmail-outside will send it to
   amavishost, which will return it on safe port 10025 to qmail-inside.

   /etc/tcp.smtp-outside looks like this:

       127.0.0.1:allow,RELAYCLIENT=""
       euba_subnet:allow,RELAYCLIENT=""
       :allow

   /etc/tcp.smtp-inside looks like this:

       amavishost_ip:allow
       :deny

2. When a mail for some employee arrives, qmail-outside will send it to
   amavishost, which will return it on safe port 10025 to qmail-inside.

   /etc/tcp.smtp-outside looks like this:

       127.0.0.1:allow,RELAYCLIENT=""
       euba_subnet:allow,RELAYCLIENT=""
       :allow

   /etc/tcp.smtp-inside looks like this:

       amavishost_ip:allow
       :deny

3. Clients can send mails through any machine; smtproutes ensures proper
   delivery. However, sending mail directly through amavishost is somehow
   a little bit faster ;-).

4. When a client sends a mail for a domain which is not handled in our
   subnet, amavishost knows which domains are local, so it will not send
   the mail back to the originating qmailhost machine and ask it to
   deliver the mail after checking; instead, amavishost takes care of
   that itself.

5. Thanks to this simple, easy-to-set-up architecture, mail is _always_
   checked only once.
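The two rule files from items 1 and 2 can be checked offline before they are compiled with tcprules. The following is an added example, not part of the original configuration notes: it implements only the IPv4 address subset of the rule format shown above, and the addresses 192.0.2. (for euba_subnet), 192.0.2.10 (for amavishost_ip) and 203.0.113.9 (an outside client) are constructed stand-ins.

```python
import re

# Constructed stand-ins for the page's placeholders euba_subnet and amavishost_ip.
OUTSIDE = '''127.0.0.1:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
:allow'''
INSIDE = '''192.0.2.10:allow
:deny'''

ENV_RE = re.compile(r',(\w+)=(.)(.*?)\2')  # ,VAR="value" with any quote character

def parse_rules(text):
    """Map each rule address to (action, env); IPv4 address rules only."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        addr, _, instr = line.partition(":")
        action = instr.split(",", 1)[0]
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {line!r}")
        env = {m.group(1): m.group(3) for m in ENV_RE.finditer(instr)}
        rules[addr] = (action, env)
    return rules

def decide(rules, ip):
    """Most specific match wins: full IP, dotted prefixes, then the empty address."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for addr in candidates:
        if addr in rules:
            return rules[addr]
    return ("allow", {})  # tcpserver accepts the connection when no rule matches

def may_relay(rules, ip):
    action, env = decide(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env

def audit(outside_text, inside_text, amavishost, stranger):
    """Return findings; an empty list means the pair behaves as the page intends."""
    out, ins = parse_rules(outside_text), parse_rules(inside_text)
    findings = []
    if may_relay(out, stranger):
        findings.append("outside: unknown client gets RELAYCLIENT (open relay)")
    if decide(ins, stranger)[0] != "deny":
        findings.append("inside: port 10025 reachable without passing the check")
    if decide(ins, amavishost)[0] != "allow":
        findings.append("inside: amavishost cannot hand checked mail back")
    return findings
```

Dropping the final `:deny` line from the inside file makes `audit` report that port 10025 accepts mail that never went through amavisd-new, which is the case the inside rules exist to prevent.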