basic understanding AA/MX-record load-balancing


basic understanding AA/MX-record load-balancing

Bauer, Stefan (IZLBW Extern)
Dear Developers/Users,

We want to load balance mails from the intranet to the postfix-relayserver-farm for outgoing traffic.
Can we abuse A-records to load-balance in the same way MX-records have been designed?


A relay.example.com 192.168.0.1
A relay.example.com 192.168.0.2


We want to have the client load-balance between the two servers. And more important to skip to the second if
one is not available anymore.

Is this rfc compliant and can be seen as best practice?

Honestly speaking is this something an administrator should do? :)

Stefan

Re: basic understanding AA/MX-record load-balancing

Wietse Venema
Bauer, Stefan (IZLBW Extern):
> Dear Developers/Users,
>
> We want to load balance mails from the intranet to the
> postfix-relayserver-farm for outgoing traffic.  Can we abuse
> A-records to load-balance in the same way MX-records have been
> designed?

Yes, if the sender is Postfix. Postfix will randomly select from
equal-preference IP addresses and IP protocols. This is intentional,
so that mail does not get stuck when one path is broken.

Other MTAs may use a different approach. For example, they may try
only one IP address per MX record, or they may try IPv4 only after
they fail to deliver mail over IPv6.

        Wietse

Re: basic understanding AA/MX-record load-balancing

Wietse Venema
Wietse Venema:

> Bauer, Stefan (IZLBW Extern):
> > Dear Developers/Users,
> >
> > We want to load balance mails from the intranet to the
> > postfix-relayserver-farm for outgoing traffic.  Can we abuse
> > A-records to load-balance in the same way MX-records have been
> > designed?
>
> Yes, if the sender is Postfix. Postfix will randomly select from
> equal-preference IP addresses and IP protocols. This is intentional,
> so that mail does not get stuck when one path is broken.

Primary references:

http://www.postfix.org/postconf.5.html#smtp_randomize_addresses
http://www.postfix.org/postconf.5.html#smtp_address_preference

Also of interest:

http://www.postfix.org/postconf.5.html#smtp_mx_address_limit
http://www.postfix.org/postconf.5.html#smtp_mx_session_limit

> Other MTAs may use a different approach. For example, they may try
> only one IP address per MX record, or they may try IPv4 only after
> they fail to deliver mail over IPv6.
>
> Wietse
>

AW: basic understanding AA/MX-record load-balancing

Bauer, Stefan (IZLBW Extern)
In reply to this post by Wietse Venema
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On behalf of Wietse Venema
Yes, if the sender is Postfix. Postfix will randomly select from equal-preference IP addresses and IP protocols. This is intentional, so that mail does not get stuck when one path is broken.

Other MTAs may use a different approach. For example, they may try only one IP address per MX record, or they may try IPv4 only after they fail to deliver mail over IPv6.


Hi Wietse,

is this behavior not described in an RFC? Or is it up to the MTA to deal with the dns answers?
Do you know how Microsoft Exchange-Mailservers are behaving in the above setup?


Stefan



Re: basic understanding AA/MX-record load-balancing

Peer Heinlein
In reply to this post by Bauer, Stefan (IZLBW Extern)

On 13.01.2014 14:23, Bauer, Stefan (IZLBW Extern) wrote:
Hi Stefan,

> We want to load balance mails from the intranet to the
> postfix-relayserver-farm for outgoing traffic.
> Can we abuse A-records to load-balance in the same way MX-records
> have been designed?

No, because in that case MX-Records would be useless.

> A relay.example.com 192.168.0.1
> A relay.example.com 192.168.0.2
>
> We want to have the client load-balance between the two servers.
> And more important to skip to the second if
> one is not available anymore.

Which Software do you use?

It could be that the client will always use those IPs round-robin and
NOT make a failover to the other IP address if one is down.

> Is this rfc compliant and can be seen as best practice?

IMHO: No. I hate misusing Round-Robin-A-Records for mailserver
failover setups.

> Honestly speaking is this something an administrator should do? :)

In my opinion: That's exactly what he should NOT do.

Use MX-Records. That's what they are made for.

Peer


--
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-42
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing director: Peer Heinlein -- Registered office: Berlin

Re: basic understanding AA/MX-record load-balancing

Patrick Ben Koetter-2
In reply to this post by Bauer, Stefan (IZLBW Extern)
Stefan,

* Bauer, Stefan (IZLBW Extern) <[hidden email]>:
> We want to load balance mails from the intranet to the postfix-relayserver-farm for outgoing traffic.
> Can we abuse A-records to load-balance in the same way MX-records have been designed?
>
>
> A relay.example.com 192.168.0.1
> A relay.example.com 192.168.0.2

your intranet has a loadbalancer. You can use that for outgoing traffic too.

p@rick


--
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 

Re: AW: basic understanding AA/MX-record load-balancing

Wietse Venema
In reply to this post by Bauer, Stefan (IZLBW Extern)
Wietse:
> Yes, if the sender is Postfix. Postfix will randomly select from
> equal-preference IP addresses and IP protocols. This is intentional,
> so that mail does not get stuck when one path is broken.

See also my second response with pointers to relevant Postfix
configuration parameters that control the order of IP addresses and
how many IP addresses Postfix will try before giving up.

> Other MTAs may use a different approach. For example, they may try
> only one IP address per MX record, or they may try IPv4 only after
> they fail to deliver mail over IPv6.
>
>
> Hi Wietse,

Bauer, Stefan (IZLBW Extern):
> is this behavior not described in an RFC? Or is it up to the MTA
> to deal with the dns answers?  Do you know how Microsoft
> Exchange-Mailservers are behaving in the above setup?

If one MX record expands into multiple IP addresses, then RFC 5321
assumes that those addresses belong to the same host, and says that
the SMTP client must try those addresses in the order as presented.

That is the dumbest idea in the RFC. Postfix takes a different
approach so that mail doesn't get stuck trying the same IP addresses
in the same order over and over and over again.

I have no idea how non-Postfix SMTP clients implement MX/A lookup.

        Wietse

Re: basic understanding AA/MX-record load-balancing

Christian Tardif
In reply to this post by Bauer, Stefan (IZLBW Extern)
DNS is not meant for that. At least, not the DNS itself. It is  
something that goes under another tool, called GSLB (Global Site Load  
Balancer). It will add/remove DNS records based on test availability.  
It is something that is widely used on the Internet.


--
Christian Tardif


Quoting "Bauer, Stefan (IZLBW Extern)" <[hidden email]>:

> Dear Developers/Users,
>
> We want to load balance mails from the intranet to the  
> postfix-relayserver-farm for outgoing traffic.
> Can we abuse A-records to load-balance in the same way MX-records  
> have been designed?
>
>
> A relay.example.com 192.168.0.1
> A relay.example.com 192.168.0.2
>
>
> We want to have the client load-balance between the two servers. And  
> more important to skip to the second if
> one is not available anymore.
>
> Is this rfc compliant and can be seen as best practice?
>
> Honestly speaking is this something an administrator should do? :)
>
> Stefan
>




AW: basic understanding AA/MX-record load-balancing

Bauer, Stefan (IZLBW Extern)
In reply to this post by Peer Heinlein
Hi List,

thank you for confirming my opinions about DNS for load balancing.  I share your opinions.

@Peer - your advice is to use MX records. I don't think MX-records can be used for relayservers.

Our flow is:

Client -> Exchange -> Relayserver -> [hidden email]

I only see a use case for using MX-records the other way around:

[hidden email] -> Mailserver -> Exchange -> Client

In the latter case, I can balance with MX records to different Relayservers. Not from inside to outside when a relayserver is used - correct?

Stefan

Re: AW: basic understanding AA/MX-record load-balancing

Seann Clark
MX records only apply to the destination FQDN for the email. Spoofing
the destined domain to force everything through the relays is not a good
idea.

Most load balancing of an outbound relay requires you to force or
manually configure the relay in your mail programs, to point to the load
balanced resource (typically a VIP on a load balancing device, or the
server IP directly in regards to Round Robin DNS).

Round robin DNS, as bad as it is, is the cheapest way to 'load balance'
multiple relays.

Using a load balancing program, say pup, or commercial hardware from
vendors such as F5 or Citrix, would be the most stable and efficient
manner to achieve what you are after.

Tie the dns for your relay name to the VIP on the load balancer, and tie
your email servers to the VIP. This will force all your clients that use
the relay, to send email to the VIP, which will load balance your relays.

Regards,
Seann

On 1/13/2014 8:55 AM, Bauer, Stefan (IZLBW Extern) wrote:

> Hi List,
>
> thank you for confirming my opinions about DNS for load balancing.  I share your opinions.
>
> @Peer - your advice is to use MX records. I don't think MX-records can be used for relayservers.
>
> Our flow is:
>
> Client -> Exchange -> Relayserver -> [hidden email]
>
> I only see a use case for using MX-records the other way around:
>
> [hidden email] -> Mailserver -> Exchange -> Client
>
> In the latter case, I can balance with MX records to different Relayservers. Not from inside to outside when a relayserver is used - correct?
>
> Stefan



Re: basic understanding AA/MX-record load-balancing

Robert Schetterer-2
In reply to this post by Bauer, Stefan (IZLBW Extern)
On 13.01.2014 15:55, Bauer, Stefan (IZLBW Extern) wrote:

> Hi List,
>
> thank you for confirming my opinions about DNS for load balancing.  I share your opinions.
>
> @Peer - your advice is to use MX records. I don't think MX-records can be used for relayservers.
>
> Our flow is:
>
> Client -> Exchange -> Relayserver -> [hidden email]
>
> I only see a use case for using MX-records the other way around:
>
> [hidden email] -> Mailserver -> Exchange -> Client
>
> In the latter case, I can balance with MX records to different Relayservers. Not from inside to outside when a relayserver is used - correct?
>
> Stefan
>

to my knowledge
in Exchange the outgoing relayserver is called smarthost, to set this up you
have to configure a sending connector, you should be able to have more
than one sending connector (pointing to different relays) with different
or equal costs

http://social.technet.microsoft.com/Forums/exchange/en-US/42f9c2ce-b943-487a-9660-2f6598a5e781/smarthost-costweight

http://technet.microsoft.com/en-us/library/bb267003.aspx

sorry I am not an Exchange specialist, but fallback transport should be
buildable

hope this is what you search for, I wouldn't trust in pure whatever DNS
balancing with Exchange


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: basic understanding AA/MX-record load-balancing

Viktor Dukhovni
In reply to this post by Peer Heinlein
On Mon, Jan 13, 2014 at 03:18:12PM +0100, Peer Heinlein wrote:

> > We want to load balance mails from the intranet to the
> > postfix-relayserver-farm for outgoing traffic.
> > Can we abuse A-records to load-balance in the same way MX-records
> > have been designed?
>
> No, because in that case MX-Records would be useless.

MX records can redirect mail delivery across organizational
boundaries, where using A records that track the IP addresses of
remote hosts would be impractical and allow for backup-MX hosts,
which round-robin A records cannot.  When all MX preferences are
equal one may be able to achieve a similar effect with "round-robin"
DNS A records, provided the DNS server or client actually randomizes
the address list.

Unfortunately, as Wietse notes, the text in RFC 5321, Section 5.1:

   The destination host (perhaps taken from the preferred MX record) may
   be multihomed, in which case the domain name resolver will return a
   list of alternative IP addresses.  It is the responsibility of the
   domain name resolver interface to have ordered this list by
   decreasing preference if necessary, and the SMTP sender MUST try them
   in the order presented.

(incorrectly) discourages address randomization by the SMTP client.
What kind of address RRset ordering, if any, is performed by
nameservers is configuration and implementation dependent.

When the client is Postfix, it sensibly ignores the advice in RFC
5321 and randomizes the addresses.  The randomization algorithm
was made more uniform in Postfix 2.11-20130513.  When the reply
order from DNS is not uniformly random, previous versions of Postfix
exhibit a bias in the first selected host when shuffling more than
2 records.  There was a noticeable bias to choose the second element
more frequently than the rest and the last element less frequently
than the rest.  The Perl code below computes the relative frequencies
for 3 to 7 address records and the ratio of least to most frequent:

    $ perl -e '
        for ($n = 3; $n < 8; ++$n) {
            $N = $n**$n;
            my %c;
            for ($i = 0; $i < $N; ++$i) {
                    @x = (1 .. $n);
                    $k = $i;
                    for ($j = 0; $j < $n; ++$j) {
                            $m = $k % $n; $k = ($k - $m) / $n;
                            ($x[$j], $x[$m]) = ($x[$m], $x[$j]);
                    }
                    ++$c{$x[0]};
            }
            for (sort {$c{$b}<=>$c{$a}} keys %c) {printf "%d:%d ", $_, $c{$_}}
            printf "%4.2f\n", $c{$n}/$c{2};
        }'
    2:10 1:9 3:8 0.80
    2:75 1:64 3:63 4:54 0.72
    2:756 3:656 1:625 4:576 5:512 0.68
    2:9605 3:8525 1:7776 4:7625 5:6875 6:6250 0.65
    2:147498 3:133092 4:120744 1:117649 5:110160 6:101088 7:93312 0.63

The more mathematically astute among you might guess that "0.63"
is close to the limiting ratio, and that the limit is the ever
common "1 - 1/e".  So the least frequent host is used at least 63%
as often as the most frequent.

If your DNS server returns address RRs in a fixed order, and you
want Postfix SMTP clients to impose a more uniform load on a pool
of hosts specified via a "round-robin" A record, upgrade to 2.11.0
which will be released this month!  Alternatively, configure your
DNS nameserver to shuffle A records.

As noted by others, various SMTP implementations will process
multi-homed (aka round-robin) relay hosts and MX hosts as they see
fit.

--
        Viktor.

Re: basic understanding AA/MX-record load-balancing

Tobias Groß




Viktor Dukhovni <[hidden email]> wrote:

>On Mon, Jan 13, 2014 at 03:18:12PM +0100, Peer Heinlein wrote:
>
>> > We want to load balance mails from the intranet to the
>> > postfix-relayserver-farm for outgoing traffic.
>> > Can we abuse A-records to load-balance in the same way MX-records
>> > have been designed?
>>
>> No, because in that case MX-Records would be useless.
>
>MX records can redirect mail delivery across organizational
>boundaries, where using A records that track the IP addresses of
>remote hosts would be impractical and allow for backup-MX hosts,
>which round-robin A records cannot.  When all MX preferences are
>equal one may be able to achieve a similar effect with "round-robin"
>DNS A records, provided the DNS server or client actually randomizes
>the address list.
>
>Unfortunately, as Wietse notes, the text in RFC 5321, Section 5.1:
>
>  The destination host (perhaps taken from the preferred MX record) may
>   be multihomed, in which case the domain name resolver will return a
>   list of alternative IP addresses.  It is the responsibility of the
>   domain name resolver interface to have ordered this list by
>  decreasing preference if necessary, and the SMTP sender MUST try them
>   in the order presented.
>
>(incorrectly) discourages address randomization by the SMTP client.
>What kind of address RRset ordering, if any, is performed by
>nameservers is configuration and implementation dependent.
>
>When the client is Postfix, it sensibly ignores the advice in RFC
>5321 and randomizes the addresses.  The randomization algorithm
>was made more uniform in Postfix 2.11-20130513.  When the reply
>order from DNS is not uniformly random, previous versions of Postfix
>exhibit a bias in the first selected host when shuffling more than
>2 records.  There was a noticeable bias to choose the second element
>more frequently than the rest and the last element less frequently
>than the rest.  The Perl code below computes the relative frequencies
>for 3 to 7 address records and the ratio of least to most frequent:
>
>    $ perl -e '
> for ($n = 3; $n < 8; ++$n) {
>    $N = $n**$n;
>    my %c;
>    for ($i = 0; $i < $N; ++$i) {
>    @x = (1 .. $n);
>    $k = $i;
>    for ($j = 0; $j < $n; ++$j) {
>    $m = $k % $n; $k = ($k - $m) / $n;
>    ($x[$j], $x[$m]) = ($x[$m], $x[$j]);
>    }
>    ++$c{$x[0]};
>    }
>    for (sort {$c{$b}<=>$c{$a}} keys %c) {printf "%d:%d ", $_, $c{$_}}
>    printf "%4.2f\n", $c{$n}/$c{2};
> }'
>    2:10 1:9 3:8 0.80
>    2:75 1:64 3:63 4:54 0.72
>    2:756 3:656 1:625 4:576 5:512 0.68
>    2:9605 3:8525 1:7776 4:7625 5:6875 6:6250 0.65
>    2:147498 3:133092 4:120744 1:117649 5:110160 6:101088 7:93312 0.63
>
>The more mathematically astute among you might guess that "0.63"
>is close to the limiting ratio, and that the limit is the ever
>common "1 - 1/e".  So the least frequent host is used at least 63%
>as often as the most frequent.
>
>If your DNS server returns address RRs in a fixed order, and you
>want Postfix SMTP clients to impose a more uniform load on a pool
>of hosts specified via a "round-robin" A record, upgrade to 2.11.0
>which will be released this month!  Alternatively, configure your
>DNS nameserver to shuffle A records.
>
>As noted by others, various SMTP implementations will process
>multi-homed (aka round-robin) relay hosts and MX hosts as they see
>fit.

Besides the lack of randomization in the mail client, there is another question:
Should the mail client implement support for multiple MX or implicit MX (A when no MX is given) records when sending all traffic to smarthosts which are loadbalanced by DNS regarding to the rfc 5321?

Example: client sends mail to the internet. It relays to the smarthost with the fqdn smart.example.com. smart.example.com has 3 A records. How does the client treat the A records and what does he do, if one is down?

--
toerb

Re: basic understanding AA/MX-record load-balancing

Wietse Venema
Tobias Groß:
> Besides the lack of randomization in the mail client, there is
> another question: Should the mail client implement support for
> multiple MX or implicit MX (A when no MX is given) records when
> sending all traffic to smarthosts which are loadbalanced by DNS
> regarding to the rfc 5321?

If a Postfix destination domain (relayhost, smtp_fallback_relay,
or transport_maps) is specified inside [] then Postfix makes no MX
lookup for that name.  Otherwise, Postfix uses the same procedure
to choose the IP address, to limit the number of IP addresses, and
to limit the number of SMTP sessions as described before.

        Wietse

Re: basic understanding AA/MX-record load-balancing

Wietse Venema
Wietse Venema:

> Tobias Groß:
> > Besides the lack of randomization in the mail client, there is
> > another question: Should the mail client implement support for
> > multiple MX or implicit MX (A when no MX is given) records when
> > sending all traffic to smarthosts which are loadbalanced by DNS
> > regarding to the rfc 5321?
>
> If a Postfix destination domain (relayhost, smtp_fallback_relay,
> or transport_maps) is specified inside [] then Postfix makes no MX
> lookup for that name.  Otherwise, Postfix uses the same procedure
> to choose the IP address, to limit the number of IP addresses, and
> to limit the number of SMTP sessions as described before.

s/Otherwise/Apart from that/

        Wietse

Re: basic understanding AA/MX-record load-balancing

Viktor Dukhovni
In reply to this post by Viktor Dukhovni
On Mon, Jan 13, 2014 at 05:16:00PM +0000, Viktor Dukhovni wrote:

> The more mathematically astute among you might guess that "0.63"
> is close to the limiting ratio, and that the limit is the ever
> common "1 - 1/e".  So the least frequent host is used at least 63%
> as often as the most frequent.

I was a bit hasty, the limiting ratio is 2/(1+e) or ~0.538.
Convergence is rather slow, so in practice, when the DNS server
does not randomize MX and A records, you're far more likely to run
into load ratios (least loaded/most loaded) between 0.6 and 1.0:

    Address count         Load ratio
    -------------         ----------
                2         1.000
                3         0.800
                4         0.720
                5         0.677
                6         0.651
                7         0.633
                8         0.620
                9         0.610
               10         0.602
               11         0.596
               12         0.590
               13         0.586
               14         0.583
               15         0.579
               16         0.577
              ...
              100         0.544
             1000         0.5385
            10000         0.53794
           100000         0.53789
          1000000         0.537883
         infinity         0.5378828427399902414976815163563274512697... :-)

--
        Viktor.
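
The bias figures in the two posts above can be reproduced without enumerating all n^n draw sequences. The following Python sketch is an added example, not code from the thread or from Postfix: it follows one address record's slot probabilities exactly through the swap loop that the Perl one-liner enumerates, and compares the result with a Fisher-Yates shuffle (a standard uniform shuffle chosen here for contrast; the thread does not say which algorithm Postfix 2.11 adopted). All function names are assumptions of this example.

```python
"""Exact first-choice bias of two shuffles over n address records."""
from fractions import Fraction
import math


def first_slot_probs(n, fisher_yates=False, num=Fraction):
    """Return [P(record p ends up in slot 0) for p in 0..n-1].

    fisher_yates=False: step j swaps slot j with a slot drawn from 0..n-1,
                        the loop enumerated by the Perl one-liner.
    fisher_yates=True : step j swaps slot j with a slot drawn from j..n-1.
    num is the number type: Fraction for exact results, float for large n.
    """
    probs = []
    for p in range(n):
        d = [num(0)] * n      # d[q] = P(record p currently sits in slot q)
        d[p] = num(1)
        for j in range(n):
            lo = j if fisher_yates else 0
            w = num(1) / (n - lo)                # chance of each swap partner
            at_j = d[j]
            others = sum(d[lo:], num(0)) - at_j  # mass in lo..n-1 except slot j
            for q in range(lo, n):
                if q != j:
                    # stays put unless drawn as partner, or arrives from slot j
                    d[q] = d[q] * (1 - w) + at_j * w
            # slot j keeps its record (partner == j) or receives the partner's
            d[j] = at_j * w + others * w
        probs.append(d[0])
    return probs


def first_slot_counts(n):
    """Counts out of n**n sequences, the unit the Perl one-liner prints."""
    return [int(p * n**n) for p in first_slot_probs(n)]


def load_ratio(n, num=Fraction):
    """Least-chosen over most-chosen first address for the biased loop."""
    probs = first_slot_probs(n, num=num)
    return min(probs) / max(probs)


# Limiting ratio stated in the follow-up post.
LIMIT = 2 / (1 + math.e)

if __name__ == "__main__":
    for n in (2, 3, 4, 5, 6, 7, 16):
        print(f"{n:4d}  {float(load_ratio(n)):.3f}")
    print(f" 100  {load_ratio(100, num=float):.3f}")
    print(f" inf  {LIMIT:.6f}")
    print("Fisher-Yates, n=5:", first_slot_probs(5, fisher_yates=True))
```

Records are indexed from 0 here, so index 1 is the "second element" the post singles out as most frequently chosen.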