Using regular postfix as backup MX for Zimbra OSE

[Yalla-One]

Hi,

I've successfully set up a Zimbra 7 (first 7.0, now 7.1) environment based on the Open Source Edition, and it works great. However, I also would like a backup MX, and instead of going for a full Zimbra install, I would like to handle this with a more simple postfix install. I am writing here to get a feedback from other, more experienced Zimbra administrators that my thoughts are somewhat in the right direction before I venture off on this task.

It is important that the backup MX does not become a spam trap because its spam guard is lower than the primary, Zimbra-based, MX. Thus I want the backup MX to be installed with postfix, spamassassin and the whole 9 yards. The install is OK, but the question is what data to transfer.

In order for this to be secure, I have identified only two areas that need to be transferred from Zimbra to the backup MX on an hourly or daily basis:

1. User accounts so that email to non-existent users are bounced immediately on the backup as well. This is planned with this script on the zimbra-side run once an hour (from the forums):

Code:

/opt/zimbra/openldap/bin/ldapsearch -LLL -x -D"`/opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_userdn | \
       awk '{print $3}'`" -w"`/opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password | \
       awk '{print $3}'`" -H `/opt/zimbra/bin/zmlocalconfig ldap_url | \
       awk '{print $3}'` $* | \
       grep ^mail | \
       awk '{print $2}' | \
       sort > zimbra_recipients.list

and;

2. Backup of SpamAssassin bayes data on a daily basis:

Code:

/opt/zimbra/libexec/sa-learn -p /opt/zimbra/conf/salocal.cf.in --dbpath /opt/zimbra/data/amavisd/.spamassassin/ --siteconfigpath /opt/zimbra/conf/spamassassin --backup > /tmp/zimbra_q.backup

Is this sufficient to be reasonably safe from a spam, virus and security point of view, or are there also other aspects that should be transferred from Zimbra to the backup MX?

Are there any special postfix configurations in Zimbra I should be aware of to replicate on the backup MX, or can I use the paranoia-settings from my own manual install I used before migrating to Zimbra?

Thanks in advance for any insight - rather long post for a first post in this forum...

-y1

[phoenix]

My advice would be to use a professional service as your backup MX and you'll not have to worry about it becoming a spam trap nor will you have any maintenance to worry about. You can find many paid-for services on the internet or use a free service provided as part of another package. I use easydns for my DNS hosting and they provide a backup mail service for free as part of that (there are many others), I have no association with that company other than as a satisfied user.

[Yalla-One]

Thanks for the reply!

One question - I have googled quite a few of these services, and have not found a single one that offers integration of user-data and SpamAssassin-data in order to properly fight spam. Quite contrary, they seem to just blindly accept quite a lot, and forward onwards to the primary MX once it's become available.

Am I missing something here? If not - how do I set up exporting of relevant data needed for proper and secure backup-MX handling in Zimbra to export to these paid-for services?

[DerekShaw]

You are not missing anything here. You have identified the exact reason you need to proceed with your original plan. Unless you have found an outsourced solution that actually does what you want, in which case, please tell us here!

I'm on the same track as you, a few steps behind.

[phoenix]

Quote:

Originally Posted by DerekShaw

You are not missing anything here. You have identified the exact reason you need to proceed with your original plan. Unless you have found an outsourced solution that actually does what you want, in which case, please tell us here!

I'm on the same track as you, a few steps behind.

You are missing something, here's one: Emergency Mail

[centrex]

Quote:

Originally Posted by phoenix

My advice would be to use a professional service as your backup MX and you'll not have to worry about it becoming a spam trap nor will you have any maintenance to worry about. You can find many paid-for services on the internet or use a free service provided as part of another package. I use easydns for my DNS hosting and they provide a backup mail service for free as part of that (there are many others), I have no association with that company other than as a satisfied user.

There's still plenty of points for setting up a VM and rolling your own backup MX.

1) Confidentiality - Some clients of mine will not want their mail to be leaked to a backup MX provider that is controlled by an unknown entity in a random jurisdiction out of our control

2) Reliability - The free guys always seem to get DDOSed or bought out.

EveryDNS was good until Dyn Inc. bought them and killed all the free stuff.

Same goes for editdns.net - Great provider, backup MX worked well but constantly got DDOSed and then bought out by Dyn Inc. who killed all the free stuff.

I won't deny that for a great majority of people these concerns are not going to be an issue.

I'm just sayin': There's a lot of reasons for rolling your own, too.

[frosticus]

I'm at the same point myself and am curious which route you chose and if you have any insight you'd care to share.

Also adding dnsexit to the list of backup mx providers that include spam control. I haven't used their service so can't vouch for them personally, but I am considering trying them out.