Handling MX change
Looking at options for migrating from our existing POP3 Mercury mail system to Zimbra, specifically how to transition MX records smoothly. Mercury mail is currently set to a priority of 10 in public DNS, while Zimbra is set to 20. The same domain exists on both systems, as well as the same users. Currently, I am prohibiting mail flow from going to Zimbra by keeping SMTP port 25 closed for Zimbra's IP on our Juniper firewall facing the internet. We are a small company with about 25 users.
I have always been under the impression that public DNS propagation can take some time, up to 72 hours, which can make MX changes tricky when it comes to migrating mail systems. I have reviewed the Split Domain article on how to handle this situation with forwarding, and it seems like a bit of overkill for a small environment like ours.
My question is: since I have the MX record already in place, would it be easier to simply block SMTP port 25 on the firewall to the old system when I wish to migrate? I can't shut it down completely, since other services are hosted there. That way mail would bypass the primary MX and flow to the secondary MX, Zimbra, and all I would be left to do is change user client settings to point to Zimbra. Of course I would make the changes to reflect Zimbra as the primary MX, but would not be dependent on DNS propagation for desired mail flow. What am I missing here?
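The mechanism the question relies on is the sender-side MX selection rule (RFC 5321 section 5.1): a sending MTA tries MX hosts in ascending preference order and falls through to the next host when a connection fails. The following is an added example, not part of the original thread, that models that rule over a constructed `dig +short MX` answer so you can see which host receives mail before and after the firewall change; `mercury.example.com` and `zimbra.example.com` are placeholders, and the `tcp_probe` helper is the real probe you would plug in instead of the simulated reachability function.

```python
"""Model which MX host a sending MTA delivers to when one MX stops answering.

Added example (not from the thread). Host names are constructed placeholders.
Implements the RFC 5321 5.1 rule: ascending preference, random order among
equal preferences, fall through to the next host on connection failure.
"""
import random
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed MX answer, in the form `dig +short MX example.com` prints it.
DIG_MX_OUTPUT = """\
10 mercury.example.com.
20 zimbra.example.com.
"""


def parse_mx(dig_output: str) -> List[Tuple[int, str]]:
    """Parse 'preference host.' lines into (preference, host), sorted by preference."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        records.append((int(pref), host.rstrip(".")))
    return sorted(records, key=lambda r: r[0])


def ordered_candidates(records: List[Tuple[int, str]], rng=random) -> List[str]:
    """Delivery order: lowest preference first; hosts sharing a preference are shuffled."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def tcp_probe(host: str, port: int = 25, timeout: float = 3.0) -> bool:
    """Real reachability probe: True if a TCP connection to host:port succeeds.

    Not used by the simulation below; pass it as `reachable` to test a live setup.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_delivery_host(records: List[Tuple[int, str]],
                         reachable: Callable[[str], bool]) -> Optional[str]:
    """Host a sender delivers to, or None if every MX fails (mail stays queued at the sender)."""
    for host in ordered_candidates(records):
        if reachable(host):
            return host
    return None


def simulate_cutover(dig_output: str, blocked_hosts) -> Optional[str]:
    """Model the firewall change: hosts in blocked_hosts no longer accept port 25."""
    records = parse_mx(dig_output)
    return choose_delivery_host(records, lambda h: h not in blocked_hosts)


if __name__ == "__main__":
    print("before cutover:", simulate_cutover(DIG_MX_OUTPUT, set()))
    print("primary blocked:", simulate_cutover(DIG_MX_OUTPUT, {"mercury.example.com"}))
    print("both blocked:", simulate_cutover(DIG_MX_OUTPUT, {"mercury.example.com", "zimbra.example.com"}))
```

Two things the model makes visible: the fall-through works only because the secondary already has a distinct, higher preference value in DNS, so no propagation delay is involved in the redirection itself; and the `None` case is what the sender experiences if both hosts are unreachable at once, in which case the mail sits in the sender's queue on the sender's retry schedule. Whether the firewall drops or rejects the blocked connection also matters in practice: a drop makes each sender wait out its connect timeout on the primary before trying the secondary, while a reject lets it fall through immediately.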
- set up a new VM inside your network, the OS you prefer, the MTA you prefer
- set up this MTA to accept mails for your domains only (in order not to be a public relay)
- set up this MTA to relay emails to your old Mercury system
- remove the second MX from your DNS, it's not needed (actually you SHOULD have a second MX, but not on the same network/LAN)
- set up your firewall to forward all incoming mails (previously going to the Mercury system) to the new VM (that will relay them to the Mercury system)
- create the accounts on the ZCS system, migrate the mails (imapsync?), allow ZCS to receive the mail
- at the exact second you wish, stop the Mercury incoming MTA: the VM will spool the mails
- take the needed time to sync the mails between the Mercury and the ZCS
- close the Mercury
- set up the MTA on the VM again to relay to Zimbra instead of the Mercury system: spooled mails will be delivered to the ZCS accounts
You can set up the firewall again to deliver mails directly to the ZCS, but I wouldn't do so: this way, when you stop your ZCS to upgrade it, mails are spooled on your LAN and delivered as soon as the ZCS comes back online.
If you don't have a "spool VM", emails will be spooled by the senders' MTA and you have no real idea when the mail will be delivered to you.
The VM can also be hosted outside of your network/LAN and do some AV/AS filtering.
This way, your ZCS server will only get "nice" emails.
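The relay VM in the list above has two properties that are easy to get wrong: it must accept mail for your own domains only (otherwise it is an open relay) and it must forward everything to one internal host that you re-point at cutover. The post says "the MTA you prefer"; the added example below, which is not from the thread, assumes Postfix and checks a constructed `main.cf` against those two requirements, then shows the cutover step of rewriting `relayhost`. The Postfix parameter names (`relay_domains`, `relayhost`, `mynetworks`, `mydestination`, `smtpd_relay_restrictions`) are real; the host names and the config text are constructed.

```python
"""Check a Postfix store-and-forward relay config for the cutover requirements.

Added example (not from the thread). Assumes Postfix; config text and host
names below are constructed for illustration.
"""
from typing import Dict, List

# Constructed main.cf for the spool/relay VM: accept only our domain, relay
# inward, queue for up to a week if the internal system is down.
RELAY_MAIN_CF = """\
# constructed example: relay-only host in front of the mail system
myhostname = relay.example.com
mynetworks = 127.0.0.0/8 [::1]/128
mydestination =
relay_domains = example.com
relayhost = [mercury.example.com]:25
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
maximal_queue_lifetime = 7d
"""

# Constructed weak variant: trusts every source network and never rejects
# unauthorized destinations, so anyone can relay through it.
OPEN_RELAY_MAIN_CF = """\
myhostname = relay.example.com
mynetworks = 0.0.0.0/0
relay_domains = example.com
relayhost = [mercury.example.com]:25
smtpd_relay_restrictions = permit
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse Postfix 'key = value' lines; comments and blanks are skipped.

    Continuation lines (leading whitespace) are not handled in this example.
    """
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value: str) -> List[str]:
    """Postfix list values are comma and/or whitespace separated."""
    return [v for v in value.replace(",", " ").split() if v]


def check_relay_config(text: str, our_domain: str) -> List[str]:
    """Return findings; an empty list means the config meets the relay-only requirements."""
    conf = parse_main_cf(text)
    findings: List[str] = []
    if our_domain not in split_list(conf.get("relay_domains", "")):
        findings.append(f"relay_domains must list {our_domain}")
    if not conf.get("relayhost"):
        findings.append("relayhost must point at the internal mail system")
    if any(n in ("0.0.0.0/0", "::/0") for n in split_list(conf.get("mynetworks", ""))):
        findings.append("mynetworks trusts the whole internet: open relay")
    if "reject_unauth_destination" not in split_list(conf.get("smtpd_relay_restrictions", "")):
        findings.append("smtpd_relay_restrictions lacks reject_unauth_destination")
    if our_domain in split_list(conf.get("mydestination", "")):
        findings.append("mydestination should not include the domain on a relay-only host")
    return findings


def switch_relayhost(text: str, new_relayhost: str) -> str:
    """Cutover step: rewrite relayhost so queued mail drains to the new system."""
    out: List[str] = []
    for line in text.splitlines():
        is_comment = line.lstrip().startswith("#")
        if not is_comment and line.partition("=")[0].strip() == "relayhost":
            out.append(f"relayhost = {new_relayhost}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("good config findings:", check_relay_config(RELAY_MAIN_CF, "example.com"))
    print("weak config findings:", check_relay_config(OPEN_RELAY_MAIN_CF, "example.com"))
    print(switch_relayhost(RELAY_MAIN_CF, "[zimbra.example.com]:25"))
```

On a real host you would run the check against the output of `postconf -n` rather than a pasted file, and after changing `relayhost` you would reload Postfix and flush the queue so the mail spooled during the cutover window is delivered to the new system.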
Thanks for the reply. Some great, well thought out ideas for sure. A couple of things: my current system is POP3, so I am dealing with local .pst files, and syncing between Mercury and Zimbra will not be necessary. And I do have a very small environment with 25 or so users. That's why I was considering a simple, somewhat abrupt cut. I more or less simply want to "flip a switch" and redirect mail to Zimbra. Because an MX change can take some time, the best way I could think to control this would be with our firewall blocking SMTP to the old system, which would allow mail to flow down to the secondary MX.
For example, I make this change at 7 am on Monday morning, catch users as they arrive at work, change local mail/mobile device settings, migrate their local .pst's. With 25 users, I could likely finish the process in a single day. The only drawback I see is there may be some delay between the time I make the firewall change and the time I could get to them to change their settings to get to the new mail system. I think they will be alright with this as long as I communicate beforehand to temper expectations. Of course, I could always direct them to the web client to send/receive mail in the meantime. Does this make sense?
Originally Posted by Klug
Why not change the IP on the Mercury system (it won't receive mails) and on the ZCS system (to get the previous Mercury IP)?
And obviously do the correct changes in the DNS to reflect the IP changes: rename the Mercury in the DNS, get the correct IP/name combination for ZCS and have the previous Mercury name point to the Zimbra (no change of IP in the DNS for this name).
If you can do this, you won't have to change anything on the firewall nor on your users system: their tools/mobile will connect to the same name but it's now the ZCS and not the Mercury anymore.
Then you can import your PSTs to ZCS.
I do like the way you are thinking when it comes to making things simple here. :)
I forgot to mention the current Mercury system is hosting our company's website on port 80. So, that sort of screws up the IP change idea. I owe the previous system admin a big thanks for this. :mad:
We are also running the Zimbra system as IMAP, so I don't see a way around reconfiguring all client devices.
Originally Posted by Klug
It mainly depends on your firewall then...
If you have a "1:1 NAT" (external IP to internal IP then some port allowed), you might want to change this to "port NAT" (aka "port mapping") and then redirect the mail ports (25, 143, 110, the same with enabled SSL) to the ZCS and the web port (80) to the Mercury once its IP is changed.
Yes, that sounds like a good option as well. I suppose I would need to enable the options for POP3 on the server for the POP3 clients to work correctly after the change? Would Outlook clients continue to work without the connector under this setup? User passwords are stored in a database on Mercury, so if I set each user to the same password in Zimbra everything should be happy, right? Of course I would then visit each user and migrate their .pst's to the server, and install the connector for Outlook so that IMAP would work correctly. Any pitfalls to be aware of here? Thanks!!!
Originally Posted by Klug
Yes you have to enable/allow POP3 on ZCS for it to work, obviously.
The ZCO needs http/https access so you have to setup DNS/firewall for it to be accessible from the outside.
ZCO and IMAP are two different things: ZCO gives mail sync but also calendars and contacts and tasks, while IMAP is only for mails.