Re: [Hampshire] Mail routing with secondary MX

Author: Paul Tansom
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Mail routing with secondary MX
** Andy Smith <andy@???> [2006-12-12 17:18]:
> On Tue, Dec 12, 2006 at 04:36:30PM +0000, Paul Tansom wrote:
> > I'm playing a bit with my mail routing at the moment and wondered if
> > anyone had any suggestions. My current setup for a couple of spare
> > domains I have is this:
> >
> > Primary MX - my local server on ADSL
> > Secondary MX - my external server
>
> I would not do it this way around. If a server is not online all
> the time and reliable then it isn't suitable for use as an MX.
> Your call however..
Well, as I said, this is experimental at the moment with the motivation
of increasing security by reducing the number of machines that can talk
inwardly to my local network. This config looked the simplest way to
configure things to allow the server to collect mail and forward it in.
I'm looking for a nicer way though, and the longer term plan is a DMZ
based relay server on my internal network.

> > Does anyone have a better suggestion as to a solution? This looks to be
> > a standard problem on a secondary MX server, but since this is being
> > used all the time it is more of an issue.
>
> Use Exim and recipient callouts - Your secondary MX will contact the
> primary MX during SMTP conversation whenever someone tries to relay
> an email through it, and issue the RCPT command to check the
> recipient is valid.
>
> If it is not valid then your secondary rejects the mail without
> generating a DSN. If it is valid then your secondary accepts the
> mail (relaying on) and caches this fact.
>
> If the secondary can't get through (like if your primary is dead)
> then it tempfails and the secondary accepts and queues the mail.
> Thus you only have the "accept everything, bounce later" problem
> when your primary is down.
That sounds interesting, I'll have to look into the configuration for
that. It would certainly reduce the amount of accepted mail that isn't
valid :)

> If that is unacceptable then you'll need to distribute your valid
> recipient list to all MXes. I can point to resources of how to do
> this in Exim if you really want to go that way.
That is the way I've run this before, but this was done using an LDAP
server to manage the accounts - well, several LDAP servers that mirrored
their local databases around. A nice setup actually, and possibly a
solution to this if the external server could check the local LDAP or a
mirror of it maybe.
** end quote [Andy Smith]

--
Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/
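The following is an added illustration, not configuration from either poster, of what Andy's two suggestions look like in an Exim configuration: a recipient callout from the secondary MX to the primary, with the "accept and queue if the primary is unreachable" behaviour he describes, and the alternative of checking a locally distributed recipient list. All names are assumed: the domains `example.org` and `example.net`, the primary host `primary.example.org`, and the list file `/etc/exim/valid_recipients`.

```exim
# Domains this machine acts as secondary MX for (assumed names).
domainlist relay_to_domains = example.org : example.net

# Run this ACL for every RCPT TO command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Refuse anything we are not a secondary for before doing any callout,
  # so random relay attempts never cause a connection to the primary.
  deny    message = relay not permitted
          !domains = +relay_to_domains

  # Ask the primary MX, during our own SMTP conversation, whether the
  # recipient exists (RCPT callout).
  #   callout=30s : give up waiting on the primary after 30 seconds
  #   use_sender  : present the real envelope sender to the primary
  #   defer_ok    : if the primary cannot be reached (tempfail), treat
  #                 the check as passed so the mail is accepted and queued
  # Exim caches positive and negative callout results in its hints
  # database by default, which is the "caches this fact" behaviour.
  accept  domains = +relay_to_domains
          endpass
          message = recipient unknown at primary MX
          verify  = recipient/callout=30s,defer_ok,use_sender

  # Alternative to the callout (Andy's second option): verify against a
  # list of valid addresses copied to every MX. Uncomment this and remove
  # the accept above to use it.
  # accept  domains    = +relay_to_domains
  #         endpass
  #         message    = unknown recipient
  #         recipients = lsearch;/etc/exim/valid_recipients

  deny    message = relay not permitted

begin routers

# Route the secondary'd domains to the primary MX by name. The callout
# above uses this router to find which host to contact.
to_primary:
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_list = * primary.example.org
  no_more

begin transports

remote_smtp:
  driver = smtp
```

The `deny !domains` statement before the callout matters on a secondary that is reachable all the time: without it every relay probe for an unrelated domain would trigger a connection to the primary. With `defer_ok`, the "accept everything, bounce later" window only opens while the primary is down, which is exactly the trade-off described in the reply above. The `lsearch` file for the alternative is one address per line; it has to be kept in step with the primary's account list (Paul mentions LDAP mirroring as one way to do that, which Exim can also query directly with an `ldap` lookup instead of `lsearch`).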