
Thread: Can you please advise on below Backup MX server I am planning

  1. #1
    blason is offline Elite Member

    Hi Friends,


    Please share your thoughts on the scenario below and let me know if this would be possible.

    My domain is, say, example.com, installed on ZCS 7.2.1 with. I am planning to add a backup MX server which will be a store-and-forward kinda setup. Now, on the second MX server I can only install Postfix and configure recipient_maps through LDAP to fetch from the primary server.

    1. Can I simply install Postfix and then configure it to fetch the accounts from the primary server using the method stated above, to save it from becoming a spam trap?
    2. That way I believe I don't need to maintain recipient_maps on the other server, since the entries are being fetched from the primary server [through LDAP], which eventually will always be in sync?
    3. Or do I need to install a complete Zimbra server to achieve the above scenario?


    Please advise.

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    You would be well advised to use a professional service to provide a backup MX server (you can actually get it free as part of another service such as DNS hosting); it's a target for spammers and you'll have to maintain it. If you want to do it then read any of these articles: +"how to" +postfix +"backup mx" - Yahoo! Search Results
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    blason is offline Elite Member

    In that case, how will recipient_maps be kept in sync? And if I need to build my own backup MX server, will the above method work, i.e. through the LDAP database?

  4. #4
    blason is offline Elite Member

    Bill, further to the above scenario, let's assume I configure Zimbra as my backup MX, which will forward all my emails for the primary domain to the primary server if it is up and store/forward if it is down. I need to understand how that will be spammed?

    Let's assume this scenario.

    domain = example.com
    Primary MX = 10 mail.example.com 20.20.20.20 ZCS 7.2.1 [genuine users user1@example.com, user2@example.com]
    Secondary MX = 20 mail.test.com 30.30.30.30 ZCS 7.2.1

    On mail.test.com I added a new domain and configured the below stuff
    ****************
    zmprov md example.com zimbraMailCatchAllAddress @example.com
    zmprov md example.com zimbraMailCatchAllForwardingAddress @example.com
    zmprov md example.com zimbraMailTransport smtp:mail.example.com
    *********************
    Now if I, being a spammer, try to send mail to user50@example.com, which never exists, assuming

    1. If the primary is down, mails from malicious@intent.com to user50@example.com will be accepted by the secondary mail server and will be kept in the queue. As soon as the primary comes up it will try to deliver the mail. In this case mail.example.com, which is the primary, will reject the mail since it doesn't have that user configured, and the secondary will send a Recipient rejected mail to the sender, and so on. In this case spam mails are never gonna be delivered by the primary server. The only disadvantage I see is that my mail queue at the secondary will get jammed.

    Any other issue do you observe here?

    2. And anyway, if the primary is up and spammers target my secondary server to relay mails for example.com, again it won't be delivered to the users' Inbox and the original sender is gonna receive a Recipient address rejected message.

    3. And if I have a good spam service enabled on the secondary, I guess spam emails will directly be rejected from the secondary itself...
    Please share your thoughts
    Last edited by blason; 12-03-2012 at 01:52 PM.
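
Added example, not part of the thread: one way to measure, from the secondary's Postfix log, how many non-delivery notifications the catch-all setup in post #4 sends out for recipients the primary later rejects. The log lines are constructed; the host name mx2, the queue IDs, PIDs and the 198.51.100.x / 203.0.113.x addresses are assumptions.

```python
import re

# Constructed Postfix log excerpt from a catch-all backup MX; host name mx2,
# queue IDs, PIDs and the documentation-range IP addresses are invented.
SAMPLE_LOG = """\
Dec  3 13:40:01 mx2 postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[198.51.100.7]
Dec  3 13:40:01 mx2 postfix/qmgr[1500]: 4A1B2C3D4E: from=<malicious@intent.com>, size=2048, nrcpt=1 (queue active)
Dec  3 13:55:12 mx2 postfix/smtp[2200]: 4A1B2C3D4E: to=<user50@example.com>, relay=mail.example.com[20.20.20.20]:25, delay=911, dsn=5.1.1, status=bounced (host mail.example.com[20.20.20.20] said: 550 5.1.1 <user50@example.com>: Recipient address rejected (in reply to RCPT TO command))
Dec  3 13:55:12 mx2 postfix/bounce[2201]: 4A1B2C3D4E: sender non-delivery notification: 5F6A7B8C9D
Dec  3 13:55:13 mx2 postfix/qmgr[1500]: 5F6A7B8C9D: from=<>, size=4100, nrcpt=1 (queue active)
Dec  3 13:55:14 mx2 postfix/smtp[2202]: 5F6A7B8C9D: to=<malicious@intent.com>, relay=mx.intent.com[203.0.113.9]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Dec  3 13:56:00 mx2 postfix/qmgr[1500]: 7E8F9A0B1C: from=<alice@partner.test>, size=900, nrcpt=1 (queue active)
Dec  3 13:56:02 mx2 postfix/smtp[2203]: 7E8F9A0B1C: to=<user1@example.com>, relay=mail.example.com[20.20.20.20]:25, delay=2, dsn=2.0.0, status=sent (250 2.1.5 Delivery OK)
"""

QID = r"(?P<qid>[0-9A-F]{6,})"
RE_FROM = re.compile(QID + r": from=<(?P<sender>[^>]*)>")
RE_TO = re.compile(QID + r": to=<(?P<rcpt>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
RE_NDR = re.compile(QID + r": sender non-delivery notification: (?P<ndr>[0-9A-F]{6,})")


def find_backscatter(log_text):
    """Return one event per bounce this MX generated for an unknown recipient."""
    senders, deliveries, ndrs = {}, {}, {}
    for line in log_text.splitlines():
        if m := RE_FROM.search(line):
            senders[m["qid"]] = m["sender"]
        elif m := RE_TO.search(line):
            deliveries.setdefault(m["qid"], []).append((m["rcpt"], m["dsn"], m["status"]))
        elif m := RE_NDR.search(line):
            ndrs[m["qid"]] = m["ndr"]
    events = []
    for qid, ndr_qid in ndrs.items():
        for rcpt, dsn, status in deliveries.get(qid, []):
            # 5.1.x = bad destination address: mail accepted here that the
            # primary refused, so this host had to generate the bounce itself.
            if status == "bounced" and dsn.startswith("5.1."):
                events.append({
                    "rejected_rcpt": rcpt,
                    "ndr_sent_to": senders.get(qid, ""),  # envelope sender, unverified
                    "ndr_delivered": any(s == "sent" for _, _, s in deliveries.get(ndr_qid, [])),
                })
    return events


if __name__ == "__main__":
    for event in find_backscatter(SAMPLE_LOG):
        print(event)
```

Any event in the result means the backup MX accepted mail for an address it could not validate at RCPT time and then mailed a bounce to an unverified envelope sender.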

  5. #5
    blason is offline Elite Member

    So no comments at all? I just wanted to check if I am conceptually correct?

  6. #6
    LMStone is offline Moderator

    Zimbra's Postfix does LDAP lookups to check for valid users. If the secondary MX is not local to the primary MX, but has a good VPN-WAN connection between the two, then you can install an LDAP replica on the secondary MX and configure the secondary MX to use itself at first for LDAP lookups. zmreplchk run on the secondary will document if the two LDAPs are in sync.

    Just be careful that either interprocess security is turned on or you are doing this over a good VPN.

    Hope that helps,
    Mark

  7. #7
    blason is offline Elite Member

    Hmmm... That is a good suggestion. Security I can achieve by either implementing firewall rules between those 2 servers only for port 389. Definitely the secondary MX is not gonna be local, to achieve HA or partial HA.

    Have you tried that out? Is it working well in a prod environment?

    But in this case, what if I am offering backup MX for multiple domains/servers, or kinda an MSP environment, and offering a backup MX server? I guess in that case this scenario wouldn't scale well.

    What say?

  8. #8
    LMStone is offline Moderator

    Quote: Originally posted by blason
    Hmmm... That is a good suggestion. Security I can achieve by either implementing firewall rules between those 2 servers only for port 389. Definitely the secondary MX is not gonna be local, to achieve HA or partial HA.

    Have you tried that out? Is it working well in a prod environment?

    But in this case, what if I am offering backup MX for multiple domains/servers, or kinda an MSP environment, and offering a backup MX server? I guess in that case this scenario wouldn't scale well.

    What say?

    LDAP doesn't get updated all that often if you think about it. Major LDAP updates happen when you add or deprovision a new domain and all of the users' mailboxes. If LDAP replication is a little slow, in either of those two use cases it's not a problem, really.

    I would not use the secondary MX as the webmail MTA for the mailbox servers at the primary site of course. But if inbound email takes a few extra seconds to be transported from the secondary MX to the primary site's mailbox servers, is that really a problem either when mailbox refreshes are measured in minutes?

    And yes, this is what we do on our own Zimbra hosting farm with the tertiary MX in Atlanta and the primary and secondary MX colocated with the mailbox servers in Portsmouth, NH.

    Hope that helps,
    Mark

  9. #9
    yonatan is offline Special Member

    LMStone, do you suggest using Zimbra for the secondary/backup MX or a simple Postfix server? Do you have any how-to/recipe you can share for how to set up either option?

    Thanks.

  10. #10
    phoenix is offline Zimbra Consultant & Moderator

    Quote: Originally posted by yonatan
    Do you have any how-to/ recipe you can share for how to set up either option?

    +"how to" +"backup mx" - Yahoo! Search Results
    Regards


    Bill

