Postfix as backup MX

Postfix as backup MX

subscription1

I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks to these instructions (https://thomas-leister.de/en/mailserver-debian-stretch/ ) for more than a year without any issues.

I'm using a paid service (Mail Reflector) to handle the times my server is down or (initially) to get my mail server up and running.

I'd like to set up another server as a backup and while there are some "How To" out there, they seem to be 'ignoring' spam and/or security issues.

Could I just use the same approach I used when setting up my current server with the exception of the following:

  1. No virtual mailboxes on the backup
  2. with an empty smtp_recipients_maps
  3. with relay_domains = $mydestination mydomain.com

Thanks,

Leo

Re: Postfix as backup MX

Peter Ajamian
On 23/09/19 1:24 PM, subscription1 wrote:

> I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks
> to these instructions
> (https://thomas-leister.de/en/mailserver-debian-stretch/ ) for more than
> a year without any issues.
>
> I'm using a paid service (Mail Reflector) to handle the times my server
> is down or (initially) to get my mail server up and running.
>
> I'd like to set up another server as a backup and while there are some "How
> To" out there, they seem to be 'ignoring' spam and/or security issues.
>
> Could I just use the same approach I used when setting up my current
> server with the exception of the following:
>
>  1. No virtual mailboxes on the backup
>  2. with an empty smtp_recipients_maps
>  3. with relay_domains = $mydestination mydomain.com

This is asking for trouble.  Spammers target backup MXes because they
typically have fewer anti-spam protections than the primary MXes.  In
this particular case you are accepting mail to literally anyone and when
you attempt to forward mail on to your primary for a user that does not
exist you will end up creating a bounce message.  If the envelope sender
is spoofed (and it typically is in SPAM) then your backup MX becomes a
source of backscatter and exacerbates the SPAM problem greatly.  If your
backup MX doesn't have as good anti-spam protections as your primary, or
even if they are different in any way then you end up giving spammers an
easy target to bypass your best anti-spam protections.

Backup MXes are a relic from times past when servers were often times on
dialup connections and hence not available 24/7.  Today they typically
cause more problems than they solve.  Submission servers should (and
typically will) retry messages for up to five days if your server is
offline, and so backup MXes are rarely needed.  If you think you need a
backup MX then rethink.  If you absolutely must have a backup MX then
you should follow these guidelines:

* Make sure your backup MX has exactly the same anti-spam protections as
your primary MX.

* Keep an up to date list of valid recipients and *reject* mail to any
invalid recipient on the backup MX.

* If your primary MX enforces quotas of any type then you should attempt
to enforce those same quotas on the backup MX.

* Don't use 3rd-party services for backup MX, they will rarely, if ever,
be able to copy your exact anti-spam protections and restrictions.

* If you really need a high availability environment for your mail
consider a 2nd primary with the same priority instead of a backup.  It
will serve the same purpose as a backup with the additional benefit
that it won't be sitting idle most of the time but actually be handling
part of the load all of the time.

All of this said, you very likely don't need a backup MX and without a
lot of planning, effort and thought it can actually make things much
worse for you than if you didn't have one at all, plus the benefits of
having a backup MX are almost non-existent nowadays.  In short, just
don't do it.


Peter
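
Added example (not part of the original thread): a small audit of a backup MX's `postconf -n` output against the primary's, covering the first two guidelines above (same anti-spam settings, and recipient validation on the relay domain). The three dumps, the domain `example.com` and the map path are constructed sample values; the parameter names are standard Postfix settings.

```python
# Added example; the postconf dumps below are constructed sample data.
# Parameters that carry anti-spam policy and should match on both MXes.
POLICY_PARAMS = [
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_milters", "message_size_limit",
]

def parse_postconf(text):
    """Parse `postconf -n` style 'name = value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            # Restriction lists may use commas or whitespace; normalise both.
            conf[name.strip()] = " ".join(value.replace(",", " ").split())
    return conf

def audit_backup_mx(primary_text, backup_text):
    """Return findings for a backup MX compared with its primary."""
    primary, backup = parse_postconf(primary_text), parse_postconf(backup_text)
    findings = []
    checks = " ".join(backup.get(p, "") for p in
                      ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"))
    # Relaying a domain with no recipient list and no address verification
    # accepts mail for any address; the later bounce is backscatter.
    if (backup.get("relay_domains") and not backup.get("relay_recipient_maps")
            and "reject_unverified_recipient" not in checks.split()):
        findings.append("relay_recipient_maps: empty, unknown recipients accepted")
    # `postconf -n` omits defaults, so a parameter missing on both sides matches.
    for name in POLICY_PARAMS:
        if primary.get(name, "") != backup.get(name, ""):
            findings.append(f"{name}: differs from primary")
    return findings

PRIMARY = """\
smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = reject_unauth_destination
"""
WEAK_BACKUP = ("relay_domains = example.com\nrelay_recipient_maps =\n"
               "smtpd_recipient_restrictions = reject_unauth_destination\n")
FIXED_BACKUP = ("relay_domains = example.com\n"
                "relay_recipient_maps = hash:/etc/postfix/relay_recipients\n" + PRIMARY)

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_BACKUP), ("fixed", FIXED_BACKUP)):
        print(label, audit_backup_mx(PRIMARY, dump))
```

The audit only compares configuration text; the recipient map on the backup still has to be kept in sync with the primary's mailbox list.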

Re: Postfix as backup MX

subscription1
Thanks Peter for the detailed information.

Given that I run this mail server just for my family and in light of
your advice, I probably don't need the backup.

Thanks,

Leo

On 23/9/19 5:49 pm, Peter wrote:

> On 23/09/19 1:24 PM, subscription1 wrote:
>> I've been running my own Postfix (Dovecot, MySQL, Rspamd) server
>> thanks to these instructions
>> (https://thomas-leister.de/en/mailserver-debian-stretch/ ) for more
>> than a year without any issues.
>>
>> I'm using a paid service (Mail Reflector) to handle the times my
>> server is down or (initially) to get my mail server up and running.
>>
>> I'd like to set up another server as a backup and while there are some
>> "How To" out there, they seem to be 'ignoring' spam and/or security
>> issues.
>>
>> Could I just use the same approach I used when setting up my current
>> server with the exception of the following:
>>
>>  1. No virtual mailboxes on the backup
>>  2. with an empty smtp_recipients_maps
>>  3. with relay_domains = $mydestination mydomain.com
>
> This is asking for trouble.  Spammers target backup MXes because they
> typically have fewer anti-spam protections than the primary MXes.  In
> this particular case you are accepting mail to literally anyone and
> when you attempt to forward mail on to your primary for a user that
> does not exist you will end up creating a bounce message.  If the
> envelope sender is spoofed (and it typically is in SPAM) then your
> backup MX becomes a source of backscatter and exacerbates the SPAM
> problem greatly.  If your backup MX doesn't have as good anti-spam
> protections as your primary, or even if they are different in any way
> then you end up giving spammers an easy target to bypass your best
> anti-spam protections.
>
> Backup MXes are a relic from times past when servers were often times
> on dialup connections and hence not available 24/7.  Today they
> typically cause more problems than they solve.  Submission servers
> should (and typically will) retry messages for up to five days if your
> server is offline, and so backup MXes are rarely needed.  If you think
> you need a backup MX then rethink.  If you absolutely must have a
> backup MX then you should follow these guidelines:
>
> * Make sure your backup MX has exactly the same anti-spam protections
> as your primary MX.
>
> * Keep an up to date list of valid recipients and *reject* mail to any
> invalid recipient on the backup MX.
>
> * If your primary MX enforces quotas of any type then you should
> attempt to enforce those same quotas on the backup MX.
>
> * Don't use 3rd-party services for backup MX, they will rarely, if
> ever, be able to copy your exact anti-spam protections and restrictions.
>
> * If you really need a high availability environment for your mail
> consider a 2nd primary with the same priority instead of a backup.  It
> will serve the same purpose as a backup with the additional benefit
> that it won't be sitting idle most of the time but actually be
> handling part of the load all of the time.
>
> All of this said, you very likely don't need a backup MX and without a
> lot of planning, effort and thought it can actually make things much
> worse for you than if you didn't have one at all, plus the benefits of
> having a backup MX are almost non-existent nowadays.  In short, just
> don't do it.
>
>
> Peter