Second Server

John Rudd jrudd at UCSC.EDU
Tue May 25 16:11:37 IST 2004


On May 25, 2004, at 1:39 AM, Michele Neylon :: Blacknight Solutions
wrote:

>> We have put together a new mail system using MailScanner however we
>> would like to change the setup so that we can have two servers sharing
>> the load (equal MX priority) however we only want our users to connect
>> to one machine to collect pop mail. What is the best way of doing this?
>
> If you have the resources you would be best advised to use 3 machines:
> 2 gateways relaying to a third with pop
> There may be some other way of doing it, but I can't see how....
>

That's what we've been doing here at UCSC for several years.  It mostly
works, except that if you're running near capacity, then you'll get
lots of delivery delays as the POP server will be (and should be)
giving priority to POP, and thus its load will cause it to refuse SMTP
deliveries from the MX hosts, causing their queues to fill up until
the POP server's load goes down.


You'll also want to make sure that your POP server's SMTP server is
using something like tcpwrappers to restrict connections: only your MX
hosts should have the ability to send it messages (that way your users
won't end up accidentally bypassing your scanning infrastructure).  Oh,
and, you'll want the MX hosts to be more than just MX records.  They'll
need to have a name that has 2 IP addresses, like:

mx1.ucsc.edu   IN  A  128.114.129.35
mx2.ucsc.edu   IN  A  128.114.129.36
smtp.ucsc.edu  IN  A  128.114.129.35
smtp.ucsc.edu  IN  A  128.114.129.36
pop.ucsc.edu   IN  A  128.114.129.22
pop.ucsc.edu   IN  MX 10 mx1.ucsc.edu
pop.ucsc.edu   IN  MX 10 mx2.ucsc.edu
ucsc.edu       IN  MX 10 mx1.ucsc.edu
ucsc.edu       IN  MX 10 mx2.ucsc.edu

That's VERY close to our old config.  You'll then advertise to your
users that their POP server should be "pop.ucsc.edu" and their SMTP
server should be "smtp.ucsc.edu".  Another downside here will be the
fact that if one of the mx hosts goes down, you'll still get regular
email flow from your internet mail (since that will use the MX
records), but your users will sometimes get refused connections when
they hit "send" on their email clients (because their email clients
will use the dual A records).
It's better to use a load balancer instead of dual A/MX records.

With a load balancer, you can have the load balancer's address be
"mail.ucsc.edu", and have its port 25 distribute load to mx1 and mx2,
while having its port 110 traffic go to pop.ucsc.edu.  You should find
that to be MUCH better than the dual DNS record approach (it's just a
little more expensive, unfortunately).  Just be careful your load
balancer is configured in a way that doesn't make the IP connections to
the MX hosts look like they come FROM the load balancer, otherwise
you'll have trouble keeping yourself from becoming an open relay.

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
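An added example, not part of the original post: a small Python model of the DNS layout John describes, built from a constructed copy of the zone records above. It checks the invariants the design relies on (every MX target has an A record, smtp.ucsc.edu points only at the scanning MX hosts, the POP box is not itself an MX address) and reproduces his point that when one MX host is down, MX-based delivery keeps flowing while clients using the dual A records fail on roughly half their sends.

```python
# Added example (not from the post): model the dual-A vs MX behaviour it
# describes. ZONE is constructed from the records shown in the message.
ZONE = {
    ("mx1.ucsc.edu", "A"): ["128.114.129.35"],
    ("mx2.ucsc.edu", "A"): ["128.114.129.36"],
    ("smtp.ucsc.edu", "A"): ["128.114.129.35", "128.114.129.36"],
    ("pop.ucsc.edu", "A"): ["128.114.129.22"],
    ("pop.ucsc.edu", "MX"): [(10, "mx1.ucsc.edu"), (10, "mx2.ucsc.edu")],
    ("ucsc.edu", "MX"): [(10, "mx1.ucsc.edu"), (10, "mx2.ucsc.edu")],
}


def check_zone(zone, smtp_name="smtp.ucsc.edu", pop_name="pop.ucsc.edu"):
    """Return the list of invariants from the post that the zone violates."""
    problems = []
    mx_hosts = {host for (_, rtype), rrs in zone.items()
                if rtype == "MX" for _, host in rrs}
    mx_addrs = set()
    for host in sorted(mx_hosts):
        addrs = zone.get((host, "A"))
        if not addrs:
            problems.append(f"MX target {host} has no A record")
        mx_addrs.update(addrs or [])
    # Users' outbound mail must land on the scanning MX hosts, nowhere else.
    if set(zone.get((smtp_name, "A"), [])) != mx_addrs:
        problems.append(f"{smtp_name} A records do not match the MX hosts")
    # The POP box must only receive SMTP via the MX hosts, so it is not one.
    if set(zone.get((pop_name, "A"), [])) & mx_addrs:
        problems.append(f"{pop_name} shares an address with an MX host")
    return problems


def host_up(zone, addr, up_hosts):
    """True if addr belongs to a host in the set of hosts currently up."""
    return any(addr in zone[(h, "A")] for h in up_hosts)


def mx_delivery_ok(zone, domain, up_hosts):
    """Internet senders walk every equal-priority MX until one accepts."""
    return any(h in up_hosts for _, h in zone[(domain, "MX")])


def client_failure_rate(zone, name, up_hosts, attempts=10):
    """A mail client takes one round-robin A record per 'send' and gives up."""
    addrs = zone[(name, "A")]
    fails = sum(not host_up(zone, addrs[i % len(addrs)], up_hosts)
                for i in range(attempts))
    return fails / attempts
```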