exim as a backup MX
Hi list,

I have two exim4u installations but the mail boxes are only on one server. This is done for backup purposes, but I advertise both MX on the internet. Now the secondary server is accepting mails for my domains but can deliver them to any mailboxes as they don't exist on the second box. So my question is: can I turn the second exim4u server into a backup MX, so that it can accept mails for my domains and queue/forward them to the primary (main) mail server? If so, can you please send me the sample config file?

Thanks
Kebba
Hi Kebba,

Yes, Exim4U is designed to be used for MX relay domains as well as local domains. If you are using Exim4U on both your primary and relay (secondary MX) servers then spam filtering should be set up to occur on both servers such that whichever (primary or relay) server receives a given email also performs the spam filtering for that given email.

The recommended Exim4U setup for relay domains is as follows. You must set up your relay domains on your relay (secondary MX) server within Exim4U's domain administration function (logging in as siteadmin). For each relay domain you must specify the appropriate relay server address (to the primary MX host) within the domain administration function. Then, on the primary installation, add the relay server to /etc/exim/exim4U_backup_mx_host_names which will exempt mail relayed by the backup MX server from spam filtering and ratelimit checks (since the relay server will already have performed spam filtering).

Reference the documentation in the following Exim4U files:

http://exim4u.org/svn/exim4u_src/trunk/NOTES - Refer to section 3 in the NOTES file.
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_global_spam_virus - Refer to BACKUP MX SERVERS (OR RELAY SERVERS) CONFIGURATION NOTE.
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_host_names
http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_rl_host_nam...

Note that Exim4U does not rely on DNS MX records for relaying mail from a relay host to its destination host. Instead, the destination host is specified in the Exim4U web interface in the Relay Server Address field in Domain Administration. Therefore, multiple relay hosts may be deployed along with the destination host and the MX records can all be set to the same value or any set of values for that matter but all mail will ultimately be delivered to the destination host.

Exim4U is then used to specify whether spam processing, tagging and/or spam header rewriting is done by the relay host(s) or the destination host. These features also provide the capability for Exim4U installations to be used as spam filters for any other mail host.

FYI,
Gordon

On 02/14/2011 11:27 AM, Kebba Foon wrote:
> Hi list,
>
> I have two exim4u installations but the mail boxes are only on one server. This is done for backup purposes, but I advertise both MX on the internet. Now the secondary server is accepting mails for my domains but can deliver them to any mailboxes as they don’t exist on the second box. So my question is: can I turn the second exim4u server into a backup MX, so that it can accept mails for my domains and queue/forward them to the primary (main) mail server? If so, can you please send me the sample config file?
>
> Thanks
> Kebba
Hello,

On Mon, Feb 14, 2011 at 04:54:44PM -0500, Gordon Dickens wrote:
> You must set up your relay domains on your relay (secondary MX) server within Exim4U's domain administration function (logging in as siteadmin). For each relay domain you must specify the appropriate relay server address (to the primary MX host) within the domain administration function. Then, on the primary installation, add the relay server to /etc/exim/exim4U_backup_mx_host_names which will exempt mail relayed by the backup MX server from spam filtering and ratelimit checks (since the relay server will already have performed spam filtering).

As far as I understood your message, one can do the spam filtering on the backup-MX or/and on the primary MX. But if now spam filtering is done on the backup-MX how does the primary MX know about this? Doing no spam filtering at all for mails coming in through the backup-MX would be a problem, I think.

If I decide to do spam-checking (spamassassin) only on the primary-MX and not on the relay, then I guess I should add the relay MX to the file etc/exim/exim4u_backup_mx_rl_host_names on the primary-MX host instead of /etc/exim/exim4u_backup_mx_host_names, right?

> http://exim4u.org/svn/exim4u_src/trunk/NOTES - Refer to section 3 in the NOTES file.
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_global_spam_virus - Refer to BACKUP MX SERVERS (OR RELAY SERVERS) CONFIGURATION NOTE.
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_host_names
> http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_backup_mx_rl_host_nam...
>
> Note that Exim4U does not rely on DNS MX records for relaying mail from a relay host to its destination host. Instead, the destination host is specified in the Exim4U web interface in the Relay Server Address field in Domain Administration. Therefore, multiple relay hosts may be deployed along with the destination host and the MX records can all be set to the same value or any set of values for that matter but all mail will ultimately be delivered to the destination host. Exim4U is then used to specify whether spam processing, tagging and/or spam header rewriting is done by the relay host(s) or the destination host. These features also provide the capability for Exim4U installations to be used as spam filters for any other mail host.

Is there also an easy way to rely on the DNS MX information? In simple setups it is more administrative work to keep up to date the primary MX both in DNS and in the exim4u database. Maybe one could introduce some keyword in the field for the primary-MX to indicate that exim should rely on DNS MX information? I would appreciate this.
Best regards, Udo
On 02/17/2011 05:20 AM, Udo Hortian wrote:
> As far as I understood your message, one can do the spam filtering on the backup-MX or/and on the primary MX. But if now spam filtering is done on the backup-MX how does the primary MX know about this? Doing no spam filtering at all for mails coming in through the backup-MX would be a problem, I think.
Hi Udo,

It is most efficient to run spam checks during the smtp session with the sending server. This is a generally accepted "best practice" for mail servers. So, the only way to do that with relay domains is to perform the spam checks on the relay server during the smtp session. Otherwise, if you do the spam checking on the primary server then, for reasons explained later in this post, you will accumulate all spam sent to each primary domain on the relay MX server's mail queue.

With this theory in mind, if spamassassin is enabled for a backup MX domain on an Exim4U server then all spam checks occur in the exim ACLs during the smtp session regardless of whether the incoming mail is for a local domain or a relay domain. The following spam checks are executed for both local domains and relay domains:

- Recipient addresses are verified via callouts to the primary host.
- URIBL/SURBL/DBL checks are performed via exim_surbl.
- Spamassassin checks are performed.
- Ratelimiting is performed for a variety of causes including dictionary attacks.

So, mail to a relay domain has already been processed for spam prior to forwarding the mail on to the primary MX server. Therefore, there is no reason to run the spam checks again on the primary server since that would simply be a duplication of effort. However, you can alternatively run the spam checks again on the primary server if you want but you will normally gain nothing from it.

In all cases, you should disable ratelimiting for the backup MX server because spammer dictionary attacks on the relay server will otherwise cause the primary MX server to ratelimit the backup MX server due to recipient callout failures. So, for relay domains, you should tell the primary MX server to either exempt the spam checks or to only exempt ratelimiting. The way that you tell the primary MX server to exempt the spam checks is by including the backup MX in the /etc/exim/exim4u_backup_mx_host_names file. Alternatively, you can include the backup MX server in the /etc/exim/exim4u_backup_mx_rl_host_names file which will only disable ratelimiting.

As an aside, Exim4U runs clamd virus checks on ALL incoming mail for all local domains and all relay domains. That is, on a primary MX host, clamd is run on all incoming mail regardless of whether it comes from a relay host or not. clamd is run even if the relay host is included in exim4u_backup_mx_host_names or exim4u_backup_mx_rl_host_names.
> If I decide to do spam-checking (spamassassin) only on the primary-MX and not on the relay, then I guess I should add the relay MX to the file etc/exim/exim4u_backup_mx_rl_host_names on the primary-MX host instead of /etc/exim/exim4u_backup_mx_host_names, right?
If you only do spam checking on the primary MX then, yes, you should add the relay MX to the etc/exim/exim4u_backup_mx_rl_host_names file. However, that is not nearly as efficient as processing the spam on the relay MX server since all of your spam will then otherwise accumulate on the relay MX server's mail queue. Processing the spam on the relay server is most efficient since you then will have rejected all of the spam during the relay server's smtp connection in the exim ACLs and therefore you should not have any spam accumulating in your relay server's mail queue. This is much better especially for folks that prefer clean mail queues.
> Is there also an easy way to rely on the DNS MX information? In simple setups it is more administrative work to keep up to date the primary MX both in DNS and in the exim4u database. Maybe one could introduce some keyword in the field for the primary-MX to indicate that exim should rely on DNS MX information? I would appreciate this.
Usually, DNS MX records are not often changed. In any event, the setup as I have described is ultimately more efficient and ensures that all spam processing is done during the smtp session with the sending servers. If you rely on DNS MX records for determining the primary server and that server changes then, at the very least, you would need to disable the primary server's ratelimiting for the relay server. The net benefit of Exim4U's recommended method of processing relay domains is that all spam can be processed by the exim ACLs during the smtp session so that you don't accumulate lots of spam in your mail queues.

In any event, while I have not tested this, if you want to rely on the DNS MX records instead for determining the primary MX server then you can try commenting out all lines in the following three routers in etc/exim.conf: relay_MX_direct_SA_off, relay_MX_direct_no_header_mod and relay_MX_direct_header_mod. Note that this would also disable spam tagging on the relay host. Again, I have not tested this but it should be close to what you have requested. Give it a try if you would like - just do plenty of testing first.

Nevertheless, please consider the methodology that I have suggested for ensuring that all spam processing is performed during the smtp session. I think that you will find it to be a superior method in the long run.

Gordon
participants (3)
- Gordon Dickens
- Kebba Foon
- Udo Hortian