Primary and secondary sendmail servers

Chris Adams cmadams at hiwaay.net
Fri Jul 29 13:31:16 UTC 2011


Once upon a time, Steve Searle <steve at stevesearle.co.uk> said:
> When configuring a primary and secondary sendmail server, how does the
> secondary mail server know it should relay anything to the primary one?
> 
> Is it just by the mailserver examining the DNS mx records, or is there
> something else in either of the sendmail configurations?

Basically, you configure the secondary to relay (but not deliver) mail
for the domain(s).  For sendmail, this would mean putting a line like:

To:example.com RELAY

in /etc/mail/access (and running "make" in /etc/mail to update the db).
When mail for that domain comes in, sendmail will see the MX record and
attempt to pass mail on to a higher-preference (lower number) MX.

However, there's a big problem with doing this (not a sendmail specific
problem): the secondary doesn't know which @example.com addresses are
valid and invalid.  By default, it will accept email for all such
addresses and try to forward them.  When somebody sends an email to an
invalid @example.com address via the secondary, the primary will reject
the message and the secondary will generate a bounce message back to the
apparent sender.

This is a problem because spammers know about this loophole and will try
to dump spam (to massive numbers of invalid addresses) on your secondary
server (usually with forged sender addresses).  The secondary will then
bounce the spam to people that didn't actually send the messages; this
is called "blowback" and will get your secondary server on spam
blocklists in short order.

You really need the secondary to have some way of knowing all the valid
recipient addresses at the domain (and have any spam filtering
configured to match), so it doesn't accept mail that the primary
wouldn't.

This is more complicated; for sendmail, you have to write a few custom
rulesets (not really very much).  The bigger issue is that you need some
way for the secondary to know the valid addresses on the primary; the
usual way is to have all users, aliases, etc. in LDAP (and replicate the
LDAP to the secondary).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
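A small model of the decision described in the reply, added here as an example that is not part of the original post or of sendmail itself: a secondary MX that relays for a domain based on "To:example.com RELAY" access-map entries, first without and then with a replicated list of valid recipients. The access-map text, the recipient list (standing in for the LDAP data the reply suggests replicating from the primary) and the message stream are all constructed; sendmail's real implementation uses rulesets, not this Python, but the accept/reject/bounce outcome is what the reply is describing.

```python
"""Model of a secondary MX's RCPT TO handling, showing why relaying for a
domain without knowing its valid recipients produces bounce "blowback".

Added example; not code from the original post or from sendmail. The
access-map text uses the same syntax as sendmail's /etc/mail/access; the
recipient set and message list are constructed for this demonstration.
"""
from __future__ import annotations

# Constructed /etc/mail/access contents (sendmail access-map syntax).
ACCESS_MAP_TEXT = """\
# domains this secondary relays for (no local delivery)
To:example.com      RELAY
To:example.org      RELAY
Connect:10.0.0.0/8  RELAY
"""

# Constructed stand-in for the user/alias data the primary knows and that
# the reply suggests replicating to the secondary (e.g. via LDAP).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}

# Constructed inbound traffic at the secondary: (envelope sender, recipient).
# The "victimN" senders are forged; the recipients are dictionary guesses.
MESSAGES = [
    ("friend@example.net", "alice@example.com"),       # legitimate
    ("victim1@example.net", "aaa@example.com"),        # forged sender, bad user
    ("victim2@example.net", "aab@example.com"),        # forged sender, bad user
    ("victim3@example.net", "bob@example.com"),        # forged sender, real user
    ("anyone@example.net", "someone@unrelated.test"),  # not a domain we relay for
]


def parse_access_map(text: str) -> dict[str, str]:
    """Parse access-map text into {lhs: rhs}; comments and blank lines skipped."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        entries[parts[0].lower()] = parts[1].strip().upper()
    return entries


def relays_for_domain(access: dict[str, str], domain: str) -> bool:
    """True if the map has a 'To:<domain> RELAY' entry."""
    return access.get("to:" + domain.lower()) == "RELAY"


def rcpt_decision(access: dict[str, str], rcpt: str, known_recipients=None) -> str:
    """What the secondary answers at RCPT TO.

    'reject-relay': not a domain we relay for (denied in-session, no bounce)
    'reject-user' : recipient-aware config, unknown user denied in-session
    'accept'      : queued for relay to the higher-preference MX
    """
    _, _, domain = rcpt.rpartition("@")
    if not relays_for_domain(access, domain):
        return "reject-relay"
    if known_recipients is not None and rcpt.lower() not in known_recipients:
        return "reject-user"
    return "accept"


def simulate(access: dict[str, str], messages, known_recipients=None) -> dict:
    """Run messages through the secondary, then through a primary that only
    accepts VALID_RECIPIENTS. Anything the secondary accepted but the primary
    refuses forces the secondary to bounce to the (possibly forged) sender."""
    result = {"relayed": 0, "rejected_in_session": 0, "bounced": 0, "bounce_targets": []}
    for sender, rcpt in messages:
        if rcpt_decision(access, rcpt, known_recipients) != "accept":
            result["rejected_in_session"] += 1
            continue
        if rcpt.lower() in VALID_RECIPIENTS:
            result["relayed"] += 1
        else:
            result["bounced"] += 1
            result["bounce_targets"].append(sender)
    return result


def naive_secondary() -> dict:
    """Secondary that relays for the domain but knows no recipients."""
    return simulate(parse_access_map(ACCESS_MAP_TEXT), MESSAGES)


def recipient_aware_secondary() -> dict:
    """Secondary with the primary's recipient list replicated to it."""
    return simulate(parse_access_map(ACCESS_MAP_TEXT), MESSAGES, VALID_RECIPIENTS)


if __name__ == "__main__":
    print("naive:          ", naive_secondary())
    print("recipient-aware:", recipient_aware_secondary())
```

The naive configuration relays the two legitimate messages but also accepts the two dictionary guesses, so it ends up sending bounces to "victim1" and "victim2", who never sent anything. With the recipient list available, the same guesses are refused during the SMTP session and no bounce is ever generated, which is the point the reply makes about the secondary needing to know what the primary would reject.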

