Re: [Hampshire] Mail routing with secondary MX

Author: Andy Smith
Date: Tue, 12 Dec 2006 17:49:56 GMT
To: hampshire
Subject: Re: [Hampshire] Mail routing with secondary MX

On Tue, Dec 12, 2006 at 05:34:40PM +0000, Paul Tansom wrote:
> ** Andy Smith <andy@???> [2006-12-12 17:18]:
> > On Tue, Dec 12, 2006 at 04:36:30PM +0000, Paul Tansom wrote:
> > > Primary MX - my local server on ADSL
> > > Secondary MX - my external server
> >
> > I would not do it this way around. If a server is not online all
> > the time and reliable then it isn't suitable for use as an MX.
> > Your call however..
>
> Well, as I said, this is experimental at the moment with the motivation
> of increasing security by reducing the number of machines that can talk
> inwardly to my local network. This config looked the simplest way to
> configure things to allow the server to collect mail and forward it in.
> I'm looking for a nicer way though, and the longer term plan is a DMZ
> based relay server on my internal network.


In your situation I would set the external server as the only MX and
then I would configure it to relay mail on to the internal one. In
Debian's Exim package this is what is known as a hubbed host
configuration, just needs a key/value line in
/etc/exim4/hubbed_hosts e.g.:

my.external.domain:     mailserver.my.internal.lan


There is no point to an MX that the world cannot get to, it is only
generating mail delays. Some misconfigured mailers do not even
retry, ever.

> > If that is unacceptable then you'll need to distribute your valid
> > recipient list to all MXes. I can point to resources of how to do
> > this in Exim if you really want to go that way.
>
> That is the way I've run this before, but this was done using an LDAP
> server to manage the accounts - well, several LDAP servers that mirrored
> their local databases around. A nice setup actually, and possibly a
> solution to this if the external server could check the local LDAP or a
> mirror of it maybe.


Yes, one approach would be to replicate LDAP out to the external
server and then have Exim talk directly to an LDAP server on
localhost.

You can just rsync about recipient lists as well though. Exim is
lovely and configurable.

--
http://strugglers.net/wiki/Xen_hosting -- A Xen VPS hosting hobby
Encrypted mail welcome - keyid 0x604DE5DB
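The hubbed-host relay and the distributed recipient list discussed above, as an added example that is not part of the original thread or of Exim itself: a small Python simulation of the decision the external-only MX makes for each recipient. The file contents, domains, hostnames and addresses are constructed, and the wildcard lookup is a simplified stand-in for Exim's partial-lsearch matching.

```python
"""Simulated per-recipient routing for an Exim-style hubbed-host relay (constructed)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for /etc/exim4/hubbed_hosts and a synced recipient list.
HUBBED_HOSTS = """
# domain:                 internal relay host (optionally host::port)
my.external.domain:       mailserver.my.internal.lan
*.my.external.domain:     mailserver.my.internal.lan::2525
"""
VALID_RECIPIENTS = {"paul@my.external.domain", "andy@lists.my.external.domain"}

@dataclass(frozen=True)
class Decision:
    action: str              # "relay" or "reject"
    target: Optional[str]    # internal host for relay, None on reject
    reason: str

def parse_hubbed_hosts(text: str) -> dict:
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        table[key.strip().lower()] = value.strip()
    return table

def lookup_hub(domain: str, table: dict) -> Optional[str]:
    """Exact key first, then '*.parent' keys (simplified partial-lsearch)."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    parts = domain.split(".")
    for i in range(1, len(parts)):
        candidate = "*." + ".".join(parts[i:])
        if candidate in table:
            return table[candidate]
    return None

def route(recipient: str, table: dict, valid: set) -> Decision:
    """Decide at RCPT TO time: reject unknown domains and users, relay the rest."""
    domain = recipient.lower().rpartition("@")[2]
    hub = lookup_hub(domain, table)
    if hub is None:
        return Decision("reject", None, "relay not permitted")  # not a hubbed domain
    if recipient.lower() not in valid:
        return Decision("reject", None, "unknown user")  # avoids accept-then-bounce
    return Decision("relay", hub, "hubbed domain")
```

Rejecting unknown users during the SMTP dialogue is what the distributed recipient list buys you: the external host never accepts mail it will later have to bounce.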