exim as a backup MX

exim as a backup MX

Kebba Foon

Hi list,

 

I have two exim4u installations but the mail boxes are only on one server. This is done for backup purposes, but I advertise both MX on the internet. Now the secondary server is accepting mails for my domains but can deliver them to any mailboxes as they don’t exist on the second box. So my question is: can I turn the second exim4u server into a backup MX, so that it can accept mails for my domains and queue/forward them to the primary (main) mail server? If so, can you please send me the sample config file?

 

Thanks

Kebba


_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users

Re: exim as a backup MX

gldickens3
Administrator
Hi Kebba,

Yes, Exim4U is designed to be used for MX relay domains as well as local
domains. If you are using Exim4U on both your primary and relay
(secondary MX) servers then spam filtering should be set up to occur on
both servers such that whichever (primary or relay) server receives a
given email also performs the spam filtering for that given email. The
recommended Exim4U setup for relay domains is as follows.

You must set up your relay domains on your relay (secondary MX) server
within Exim4U's domain administration function (logging in as
siteadmin). For each relay domain you must specify the appropriate relay
server address (to the primary MX host) within the domain administration
function. Then, on the primary installation, add the relay server to
/etc/exim/exim4u_backup_mx_host_names which will exempt mail relayed by
the backup MX server from spam filtering and ratelimit checks (since the
relay server will already have performed spam filtering). Reference the
documentation in the following Exim4U files:

http://exim4u.org/svn/exim4u_src/trunk/NOTES
- Refer to section 3 in the NOTES file.
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_global_spam_virus
- Refer to BACKUP MX SERVERS (OR RELAY SERVERS) CONFIGURATION NOTE.
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_host_names
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_rl_host_names


Note that Exim4U does not rely on DNS MX records for relaying mail from
a relay host to its destination host. Instead, the destination host is
specified in the Exim4U web interface in the Relay Server Address field
in Domain Administration. Therefore, multiple relay hosts may be
deployed along with the destination host and the MX records can all be
set to the same value or any set of values for that matter but all mail
will ultimately be delivered to the destination host. Exim4U is then
used to specify whether spam processing, tagging and/or spam header
rewriting is done by the relay host(s) or the destination host. These
features also provide the capability for Exim4U installations to be used
as spam filters for any other mail host.

FYI,

Gordon



On 02/14/2011 11:27 AM, Kebba Foon wrote:

>
> Hi list,
>
> I have two exim4u installations but the mail boxes are only on one server.
> This is done for backup purposes, but I advertise both MX on the
> internet. Now the secondary server is accepting mails for my domains
> but can deliver them to any mailboxes as they don’t exist on the
> second box. So my question is: can I turn the second exim4u server into a
> backup MX, so that it can accept mails for my domains and
> queue/forward them to the primary (main) mail server? If so, can you
> please send me the sample config file?
>
> Thanks
>
> Kebba



Re: exim as a backup MX

Udo Hortian
Hello,

On Mon, Feb 14, 2011 at 04:54:44PM -0500, Gordon Dickens wrote:
> You must set up your relay domains on your relay (secondary MX) server
> within Exim4U's domain administration function (logging in as
> siteadmin). For each relay domain you must specify the appropriate relay
> server address (to the primary MX host) within the domain administration
> function. Then, on the primary installation, add the relay server to
> /etc/exim/exim4u_backup_mx_host_names which will exempt mail relayed by
> the backup MX server from spam filtering and ratelimit checks (since the
> relay server will already have performed spam filtering).
As far as I understood your message, one can do the spam filtering on
the backup-MX or/and on the primary MX. But if now spam filtering is
done on the backup-MX how does the primary MX know about this? Doing no
spam filtering at all for mails coming in through the backup-MX would
be a problem, I think.

If I decide to do spam-checking (spamassassin) only on the primary-MX
and not on the relay, then I guess I should add the relay MX to the file
etc/exim/exim4u_backup_mx_rl_host_names on the primary-MX host instead
of /etc/exim/exim4u_backup_mx_host_names, right?

> http://exim4u.org/svn/exim4u_src/trunk/NOTES
> - Refer to section 3 in the NOTES file.
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_global_spam_virus
> - Refer to BACKUP MX SERVERS (OR RELAY SERVERS) CONFIGURATION NOTE.
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_host_names
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_rl_host_names
>
>
> Note that Exim4U does not rely on DNS MX records for relaying mail from
> a relay host to its destination host. Instead, the destination host is
> specified in the Exim4U web interface in the Relay Server Address field
> in Domain Administration. Therefore, multiple relay hosts may be
> deployed along with the destination host and the MX records can all be
> set to the same value or any set of values for that matter but all mail
> will ultimately be delivered to the destination host. Exim4U is then
> used to specify whether spam processing, tagging and/or spam header
> rewriting is done by the relay host(s) or the destination host. These
> features also provide the capability for Exim4U installations to be used
> as spam filters for any other mail host.
Is there also an easy way to rely on the DNS MX information? In simple
setups it is more administrative work to keep up to date the primary MX
both in DNS and in the exim4u database. Maybe one could introduce some
keyword in the field for the primary-MX to indicate that exim should
rely on DNS MX information? I would appreciate this.

Best regards,
Udo


Re: exim as a backup MX

gldickens3
Administrator
On 02/17/2011 05:20 AM, Udo Hortian wrote:
> As far as I understood your message, one can do the spam filtering on
> the backup-MX or/and on the primary MX. But if now spam filtering is
> done on the backup-MX how does the primary MX know about this? Doing no
> spam filtering at all for mails coming in through the backup-MX would
> be a problem, I think.

Hi Udo,

It is most efficient to run spam checks during the smtp session with the
sending server. This is a generally accepted "best practice" for mail
servers. So, the only way to do that with relay domains is to perform
the spam checks on the relay server during the smtp session.  Otherwise,
if you do the spam checking on the primary server then, for reasons
explained later in this post, you will accumulate all spam sent to each
primary domain on the relay MX server's mail queue.  With this theory in
mind, if spamassassin is enabled for a backup MX domain on an Exim4U
server then all spam checks occur in the exim ACLs during the smtp
session regardless of whether the incoming mail is for a local domain or
a relay domain.

The following spam checks are executed for both local domains and relay
domains:

- Recipient addresses are verified via callouts to the primary host.
- URIBL/SURBL/DBL checks are performed via exim_surbl.
- Spamassassin checks are performed.
- Ratelimiting is performed for a variety of causes including dictionary
  attacks.

So, mail to a relay domain has already been processed for spam prior to
forwarding  the mail on to the primary MX server.  Therefore, there is
no reason to run the spam checks again on the primary server since that
would simply be a duplication of effort. However, you can alternatively
run the spam checks again on the primary server if you want but you will
normally gain nothing from it.  In all cases, you should disable
ratelimiting for the backup MX server because spammer dictionary attacks
on the relay server will otherwise cause the primary MX server to
ratelimit the backup MX server due to recipient callout failures.

So, for relay domains, you should tell the primary MX server to either
exempt the spam checks or to only exempt ratelimiting. The way that you
tell the primary MX server to exempt the spam checks is by including the
backup MX in the /etc/exim/exim4u_backup_mx_host_names file.  
Alternatively, you can include the backup MX server in the
/etc/exim/exim4u_backup_mx_rl_host_names file which will only disable
ratelimiting.

As an aside, Exim4U runs clamd virus checks on ALL incoming mail for all
local domains and all relay domains. That is, on a primary MX host,
clamd  is run on all incoming mail regardless of whether it comes from a
relay host or not. clamd is run even if the relay host is included in
exim4u_backup_mx_host_names or exim4u_backup_mx_rl_host_names.

> If I decide to do spam-checking (spamassassin) only on the primary-MX
> and not on the relay, then I guess I should add the relay MX to the file
> etc/exim/exim4u_backup_mx_rl_host_names on the primary-MX host instead
> of /etc/exim/exim4u_backup_mx_host_names, right?

If you only do spam checking on the primary MX then, yes, you should add
the relay MX to the etc/exim/exim4u_backup_mx_rl_host_names file.
However, that is not nearly as efficient as processing the spam on the
relay MX server since all of your spam will then otherwise accumulate on
the relay MX server's mail queue.  Processing the spam on the relay
server is most efficient since you then will have rejected all of the
spam during the relay server's smtp connection in the exim ACLs and
therefore you should not have any spam accumulating in your relay
server's mail queue.  This is much better especially for folks that
prefer clean mail queues.

> Is there also an easy way to rely on the DNS MX information? In simple
> setups it is more administrative work to keep up to date the primary MX
> both in DNS and in the exim4u database. Maybe one could introduce some
> keyword in the field for the primary-MX to indicate that exim should
> rely on DNS MX information? I would appreciate this.

Usually, DNS MX records are not often changed.  In any event, the setup
as I have described is ultimately more efficient and ensures that all
spam processing is done during the smtp session with the sending
servers.  If you rely on DNS MX records for determining the primary
server and that server changes then, at the very least, you would need
to disable the primary server's ratelimiting for the relay server.  The
net benefit of Exim4U's recommended method of processing relay domains
is that all spam can be processed by the exim ACLs during the smtp
session so that you don't accumulate lots of spam in your mail queues.

In any event, while I have not tested this, if you want to rely on the
DNS MX records instead for determining the primary MX server then you can
try commenting out all lines in the following three routers in
etc/exim.conf:  relay_MX_direct_SA_off, relay_MX_direct_no_header_mod
and relay_MX_direct_header_mod. Note that this would also disable spam
tagging on the relay host.  Again, I have not tested this but it should
be close to what you have requested.  Give it a try if you would like -
just do plenty of testing first.  Nevertheless, please consider the
methodology that I have suggested for ensuring that all spam processing
is performed during the smtp session. I think that you will find it to
be a superior method in the long run.

Gordon
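
The arrangement described in this thread, written as plain Exim configuration fragments for the two hosts (an added example, not Exim4U's shipped configuration and not code posted by anyone in the thread): the relay verifies recipients by callout and forwards to a fixed host, and the primary exempts the listed relays. example.org, primary.example.org, the list and ACL names and the limit values are placeholders; the two file paths are the ones named in the thread, and a remote_smtp transport plus av_scanner and spamd_address settings are assumed to exist.

```exim
# ===== Relay (backup MX) host: main section =====
domainlist relay_to_domains = example.org

begin acl
# Named by acl_smtp_rcpt in the main section.
acl_check_rcpt:
  # Verify the recipient by callout to the host the router below selects.
  # defer_ok: if that host is unreachable, accept and queue the message.
  deny    domains = +relay_to_domains
          !verify = recipient/callout=30s,defer_ok
          message = unknown user
  accept  domains = +relay_to_domains
  deny    message = relay not permitted

begin routers
# Fixed destination host; no DNS MX lookup is involved.
relay_to_primary:
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_list = * primary.example.org

# ===== Primary MX host: main section =====
domainlist local_domains      = example.org
# An absolute path in a host list reads one item per line from that file.
hostlist   backup_mx_hosts    = /etc/exim/exim4u_backup_mx_host_names
hostlist   backup_mx_rl_hosts = /etc/exim/exim4u_backup_mx_rl_host_names

begin acl
acl_check_rcpt:
  deny    !domains  = +local_domains
          message   = relay not permitted
  # Both lists are exempt from ratelimiting (limit value is constructed).
  defer   !hosts    = +backup_mx_hosts : +backup_mx_rl_hosts
          ratelimit = 100 / 1h / per_rcpt
          message   = too many recipients, try again later
  require verify    = recipient
  accept

# Named by acl_smtp_data in the main section.
acl_check_data:
  # Virus scanning applies to every sender, listed relays included.
  deny    malware = *
          message = message contains a virus
  # Only the first list also skips the spam check.
  accept  hosts   = +backup_mx_hosts
  deny    spam    = nobody
          message = rejected as spam
  accept
```

Every host in the first list skips spam filtering on the primary, so list each relay by IP address and confirm the outcome with `exim -bh <address>`, which runs the ACLs against a simulated connection from that address.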

