Integrating MailScanner, SpamAssasin and Exchange {Scanned by HJMS}

Furnish, Trever G TGFurnish at HERFF-JONES.COM
Wed Oct 22 16:55:27 IST 2003

> -----Original Message-----
> From: Hirsh, Joshua [mailto:joshua.hirsh at PARTNERSOLUTIONS.CA]
> Sent: Wednesday, October 22, 2003 7:16 AM
> Subject: Re: Integrating MailScanner, SpamAssasin and Exchange {Scanned by HJMS}
> > Anyway, I have my Linux box set as secondary MX and my Exchange server as
> > primary MX. Both are behind the firewall. I have primary MX inaccessible to
> > Internet, that way all mail falls to the secondary MX.
> IMHO, this is probably not a very good way to go about doing this. In the
> majority of cases, each email that's sent to one of your users will first
> try to reach the unreachable primary MX and then fail to the secondary. The
> best way this should be done is to leave the Linux box as your primary (and
> in this case, only) MX. On the Linux box you would have your domains set to
> relay, and use transport maps to redirect them to your Internal server.

Hmmm.  IMHO what you're suggesting is not a worthwhile trade-off - at least
in my case it's much better to leave both MXes in public DNS and then
restrict connections on the non-mailscanner system.

Yes, this means that most message deliveries from outside will include a
useless attempt to connect to the primary system, but that's a very small
price to pay for being able to immediately get mail flowing again if your
secondary system fails.

Scenario 1: Only one MX (the secondary, mailscanner system) in public DNS.
Scenario 2: Both secondary and primary MXes listed in public DNS, but
primary rejects connections from everyone except the secondary (and any
other trusted networks).

In scenario 1, if the secondary system goes down then in order to get mail
flowing again we either have to update DNS and w...a...i...t or we have to
move the secondary's ip address over to the primary.

In scenario 2, if the secondary system goes down, then all we have to do is
remove our restriction from the primary, allowing it to accept inbound

At least in my situation, it's worth having a ton of rejected connections
(which are tiny - just a couple of packets per connection) to avoid ever
having to wait on DNS to time out.


More information about the MailScanner mailing list