{"id":3582,"date":"2014-09-21T23:51:46","date_gmt":"2014-09-21T15:51:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=3582"},"modified":"2014-09-21T23:51:46","modified_gmt":"2014-09-21T15:51:46","slug":"backup-mx-server-with-rhel","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=3582","title":{"rendered":"Backup MX Server with RHEL"},"content":{"rendered":"<p>This post will explain how to configure a backup MX server for queuing mail for two (or more) domains if the primary mail server of those domains becomes unreachable.<br \/>\nI\u2019ve tested this configuration for relaying mail to Microsoft Exchange, Postfix, QMail, Sendmail, Lotus Domino, Merak and other less common mail servers without any kind of problems.<\/p>\n<p>You can use Red Hat Enterprise Linux (RHEL) or CentOS without changing a line of the following configuration, and with small adjustments you can apply this how-to to any Linux distribution.<\/p>\n<p>I\u2019ve used Postfix as the mail server, because for me it\u2019s the best, and Amavisd-New, Clamd and SpamAssassin to check relayed mail for viruses and spam.<\/p>\n<p>This post assumes you are queuing mail for two domains, \u201cyourdomain.com\u201d and \u201cyourdomain.net\u201d.<br \/>\nIt also assumes that you have a primary mail server (MX with preference 10) for \u201cyourdomain.com\u201d with IP 111.111.111.111 and a primary mail server (MX with preference 10) for \u201cyourdomain.net\u201d with IP 111.222.222.222, and that you want to use a server with IP 222.222.222.222 for queuing mail of both domains.<\/p>\n<p>According to the assumptions above, your DNS must be configured as follows:<\/p>\n<blockquote><p>root@linux:~# dig MX yourdomain.com @your.dns.server<\/p>\n<p>yourdomain.com. 86400 IN MX 10 mail.yourdomain.com.<br \/>\nyourdomain.com. 86400 IN MX 20 mx2.yourdomain.com.<\/p>\n<p>mail.yourdomain.com. 86400 IN A 111.111.111.111<br \/>\nmx2.yourdomain.com. 
86400 IN A 222.222.222.222<\/p><\/blockquote>\n<blockquote><p>root@linux:~# dig MX yourdomain.net @your.dns.server<\/p>\n<p>yourdomain.net. 86400 IN MX 10 mail.yourdomain.net.<br \/>\nyourdomain.net. 86400 IN MX 20 mx2.yourdomain.com.<\/p>\n<p>mail.yourdomain.net. 86400 IN A 111.222.222.222<br \/>\nmx2.yourdomain.com. 86400 IN A 222.222.222.222<\/p><\/blockquote>\n<p>The backup MX host must accept and queue mail if the primary mail host for a domain is down. To have a high degree of availability, the backup MX host must be located outside the backed-up domain. You can set up the backup MX host as a primary or secondary MX for a remote site, but in this example we have primary and backup MX on different networks for both domains.<\/p>\n<p>The scenario will be the following:<\/p>\n<p>The primary mail host is down \u2026 Email is delivered to the backup MX host and queued there \u2026 After the primary mail host is up and running again, email is delivered from the backup MX host to the primary mail host and stored in the local mailboxes.<\/p>\n<p>After a standard Linux installation without any customization and a registration with a demo license key (only if you use RHEL), you must install the RPMforge package from apt.sw.be to use some packages needed in the following steps.<\/p>\n<p>To do so, use the following command:<\/p>\n<blockquote><p>rpm -Uhv http:\/\/apt.sw.be\/redhat\/el5\/en\/i386\/rpmforge\/RPMS\/rpmforge-release-0.3.6-1.el5.rf.i386.rpm<\/p><\/blockquote>\n<p>See http:\/\/dag.wieers.com for details about the package and the repository. 
If the installation completed without problems, you can update your system packages from the YUM repositories by running:<\/p>\n<blockquote><p>yum update -y<\/p><\/blockquote>\n<p>Running the above command performs a complete update of your system.<\/p>\n<p>After the upgrade, it is better to reboot your system, because you may have updated packages that need a reboot (e.g. the kernel) to work correctly.<br \/>\nAfter the reboot, you can install all the packages needed for our setup by running the following command:<\/p>\n<blockquote><p>yum install -y postfix spamassassin clamd clamav-db amavisd-new<\/p><\/blockquote>\n<p>RHEL (and CentOS) use sendmail as the default MTA. As I\u2019ve said, for me postfix is the best, so run alternatives to choose postfix as the default MTA; after this operation you can remove sendmail for good.<\/p>\n<p>Configure your default MTA by running:<\/p>\n<blockquote><p>alternatives --config mta<\/p><\/blockquote>\n<p>and choose postfix (usually you must type \u201c2\u201d).<\/p>\n<p>Remove sendmail by running:<\/p>\n<blockquote><p>yum remove -y sendmail<\/p><\/blockquote>\n<p>The following is the configuration for postfix on mx2.yourdomain.com:<\/p>\n<p>\/etc\/postfix\/main.cf:<\/p>\n<blockquote><p>myhostname = mx2.yourdomain.com<br \/>\nmydomain = yourdomain.com<br \/>\nmyorigin = $mydomain<br \/>\nmynetworks = 127.0.0.0\/8 222.222.222.222\/32<br \/>\ninet_interfaces = all<br \/>\nrelay_domains = yourdomain.com, yourdomain.net<br \/>\nmydestination = $myhostname, localhost.$mydomain<br \/>\nsmtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination<br \/>\nrelay_recipient_maps =<br \/>\nmessage_size_limit = 0<br \/>\nmailbox_size_limit = 0<br \/>\nmaximal_queue_lifetime = 5d<\/p><\/blockquote>\n<p>There\u2019s one important thing I have to add: you must NOT list yourdomain.com and\/or yourdomain.net in the following parameters in 
\/etc\/postfix\/main.cf:<\/p>\n<p>* mydestination<br \/>\n* virtual_alias_domains<br \/>\n* virtual_mailbox_domains<\/p>\n<p>Take care of spam!<\/p>\n<p>If you compare the configuration above with a typical modern anti-spam configuration, almost everything is missing. This is what spammers like to see, and it is the reason they like to send mail to lower-priority MX servers, which are more often than not less well configured.<br \/>\nSo, if you do intend to set up a backup MX, make sure it runs the same spam-rejection configuration as your primary server. Otherwise you will notice an almost instant rise in spam mails that come through (relayed by your backup MX).<\/p>\n<p>To do so, add:<\/p>\n<p>\/etc\/postfix\/main.cf:<\/p>\n<blockquote><p>#AMAVIS-D NEW<br \/>\ncontent_filter=amavisfeed:[127.0.0.1]:10024<\/p><\/blockquote>\n<p>\/etc\/postfix\/master.cf<\/p>\n<blockquote><p># AMAVISD-NEW<br \/>\namavisfeed unix - - n - 2 smtp<br \/>\n  -o smtp_data_done_timeout=1200<br \/>\n  -o smtp_send_xforward_command=yes<br \/>\n  -o smtp_tls_note_starttls_offer=no<\/p>\n<p>127.0.0.1:10025 inet n - n - - smtpd<br \/>\n  -o content_filter=<br \/>\n  -o smtpd_delay_reject=no<br \/>\n  -o smtpd_client_restrictions=permit_mynetworks,reject<br \/>\n  -o smtpd_helo_restrictions=<br \/>\n  -o smtpd_sender_restrictions=<br \/>\n  -o smtpd_recipient_restrictions=permit_mynetworks,reject<br \/>\n  -o smtpd_data_restrictions=reject_unauth_pipelining<br \/>\n  -o smtpd_end_of_data_restrictions=<br \/>\n  -o smtpd_restriction_classes=<br \/>\n  -o mynetworks=127.0.0.0\/8<br \/>\n  -o smtpd_error_sleep_time=0<br \/>\n  -o smtpd_soft_error_limit=1001<br \/>\n  -o smtpd_hard_error_limit=1000<br \/>\n  -o smtpd_client_connection_count_limit=0<br \/>\n  -o smtpd_client_connection_rate_limit=0<br \/>\n  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters<br \/>\n  -o local_header_rewrite_clients=<br \/>\n  -o smtpd_milters=<br \/>\n  -o 
local_recipient_maps=<br \/>\n  -o relay_recipient_maps=<\/p><\/blockquote>\n<p>Then you must configure Amavisd-new according to your anti-spam policy.<\/p>\n<blockquote><p>&#8211; Enable all services needed.<br \/>\nchkconfig postfix on<br \/>\nchkconfig amavisd on<br \/>\nchkconfig clamd on<br \/>\nchkconfig spamassassin on<\/p><\/blockquote>\n<blockquote><p>&#8211; Restart all services in the following order:<br \/>\nservice spamassassin restart<br \/>\nservice clamd restart<br \/>\nservice amavisd restart<br \/>\nservice postfix restart<\/p><\/blockquote>\n<p>Reboot your server to check that all services work correctly, and try to send some mail to yourdomain.com and yourdomain.net using your brand new server as relay to see if mail transport works fine.<\/p>\n<p>You\u2019re done!<\/p>\n<p>Hope this helps.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post will explain how to configure a backup MX server for queuing mail for two (or more) domains if the primary mail server of those domains becomes unreachable. 
I\u2019ve tested this configuration for relaying mail to Microsoft Exchange, Postfix, QMail, Sendmail, Lotus Domino, Merak and other less common mail server without any kind of [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3582"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3582"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3582\/revisions"}],"predecessor-version":[{"id":3583,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3582\/revisions\/3583"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}