# FreeBSD as a secondary (Backup) MX



## albsallu (Oct 7, 2009)

I need help setting up my FreeBSD Postfix as a secondary email server while another Postfix is already the primary MX email server. I have done all the configuration I believe should be done on the primary server. This is what I have done and what I am experiencing:

On the primary server, I set up a relay host to my secondary server, smtp:my.account.com:25. The name of my primary server is this.my.account.com. All mail coming from the cloud (internet) goes through my primary server first before being forwarded to my secondary server.

I am currently migrating users to my primary server from my secondary server one at a time. When mail gets to my primary server and it looks for the account and can't find it, it sends the mail directly to the secondary server.

The issue now is that when accounts on the secondary server send mail to accounts that are now active on the primary server, it does not come through. Instead it stays on the local machine, the secondary server.

I want Postfix to know that all emails being sent from the secondary server should look for the primary server first before looping back to itself.

Someone suggested looking at Postfix transport(5). But frankly, I am not sure how it works even though I have read it a couple of times.

Note: I still want users that are still on the secondary (old email) server to receive email from outside while they are still able to send emails to accounts that now reside on the primary (new email) server.

I want the secondary to act as a backup in case something goes wrong with the primary.

Thanks


----------



## tingo (Oct 7, 2009)

Wow...
First of all, try to learn something about how internet mail works.
You are mixing some key concepts here; it is understandable that you are confused.
Concepts:
MTA (mail transfer agent): these are the postmen, the ones who deliver mail but do not hold mail (other than during transport).
Mailbox (email mailbox): this is the user's mailbox; mail gets delivered here.
MX (MX record): this tells everybody where mail to a certain domain should be delivered (i.e. it tells where the local postman can be found so you can deliver mail to him).

Now, MTA and mailboxes don't have to be on the same server. And MX records only have an effect on the MTA, not on the mailbox server(s). (In fact, in an advanced setup, other server(s) than the ones listed in MX records could deliver outgoing mail, not that it would work very well nowadays.)

A backup MX
The only thing you do in MX records is set up one or more servers that will receive mail for your domain. These can have different priorities, but if one of them doesn't answer, somebody who is trying to deliver mail will try the next one. This is all that happens with the MX records.

Now, if mail gets delivered to a backup MX server, you might want this server to deliver the mail to the primary MX server when it gets online again. This setup is managed entirely within your MTA software (Postfix in your case). Here is a pointer:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

Mailboxes
Well, this is a totally different beast. You want to have a backup mailbox server, that much I understand.
However, I don't think you can easily use Postfix (or any other MTA) to synchronize a set of users' mailboxes to a backup server; I think you need a different tool for that.
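As an added illustration of the README section linked above (example configuration written for this thread, not from the original post and not copied from the Postfix project; example.com and primary.example.com are placeholder names), this is the shape of a pure backup MX that holds no mailboxes, only queues for the domain and relays to the primary:

```conf
# /usr/local/etc/postfix/main.cf on the backup MX (added example; placeholder names)
# The backup holds no mailboxes for example.com: it accepts mail for the domain,
# queues it while the primary is down, and relays it once the primary answers.
relay_domains = example.com
# Valid recipients of the relayed domain. Without this table the backup accepts
# mail for any address and later bounces the invalid ones (backscatter), which
# is why badly configured backup MXs are so attractive to spammers.
relay_recipient_maps = hash:/usr/local/etc/postfix/relay_recipients
transport_maps = hash:/usr/local/etc/postfix/transport
# reject_unauth_destination accepts only mydestination, relay_domains and
# virtual domains, so the backup is not an open relay.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
# Keep queued mail longer than the default 5 days if primary outages may be long.
maximal_queue_lifetime = 10d

# /usr/local/etc/postfix/transport  (run "postmap" on it after editing)
# Brackets turn off the MX lookup: the backup hands mail straight to the primary
# host instead of walking the domain's MX list, which lists the backup itself.
example.com    relay:[primary.example.com]

# /usr/local/etc/postfix/relay_recipients  (run "postmap" on it after editing)
# One line per valid address; the right-hand side is required but not used.
alice@example.com    OK
bob@example.com      OK
```

The same anti-spam restrictions as on the primary belong in smtpd_recipient_restrictions here too, since spammers deliberately deliver to the backup when it filters less than the primary.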


----------



## dennylin93 (Oct 9, 2009)

In short, add a new MX record to your DNS settings (make the number higher than the original one since a lower number means higher priority). Then configure your backup mail server to send the mails to the primary one.


----------



## fbroce (Oct 9, 2009)

I have a backup mx setup like this to receive mymail.com:

```
10 my.mailserver.com
20 my.backupmailerver.com
```

Then you configure your MTA on both servers to receive mymail.com. To test it stop the primary mail server and send a message to yourself from gmail or yahoo. It should arrive on the secondary mail server's account for you.

fbroce


----------



## albsallu (Oct 11, 2009)

Hmmmm.
I agree with you all. I did set up the MX records like you guys suggested, which was already done before posting here. My dilemma now is: where do you set up the MTA on the secondary to send email to users on the primary from local users currently residing on the secondary mail server, even though the same account on the primary is still on the secondary, because the secondary is a backup mail server?
Also, after doing the setup, emails that used to come to the secondary email server when it was originally the only email server are now being rejected with "NOQUEUE: reject: RCPT from .... mail loops back to myself".
This error message is being seen in the log of the primary email server.

Note:
I have to make it known to the secondary server that certain accounts that used to receive emails on that server should now receive emails on the primary server. I want to be able to migrate users to the primary email server one at a time without disrupting any email communication from outside to inside and vice versa.


----------



## dennylin93 (Oct 11, 2009)

Take a look at "Configuring Postfix as primary or backup MX host for a remote site".


----------



## albsallu (Oct 11, 2009)

Dennylin93:
I have a copy of the link that you posted handy. I have followed the same procedure. This is my configuration for my primary MX:

```
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
command_directory = /opt/zimbra/postfix/sbin
config_directory = /opt/zimbra/postfix-2.6.2.2z/conf
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/zimbra/postfix/libexec
disable_dns_lookups = no
header_checks =
in_flow_delay = 1s
lmtp_connection_cache_destinations =
lmtp_connection_cache_time_limit = 4s
lmtp_host_lookup = dns
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /opt/zimbra/postfix/sbin/mailq
manpage_directory = /opt/zimbra/postfix/man
maximal_backoff_time = 4000s
message_size_limit = 50000000
minimal_backoff_time = 300s
mydestination = localhost
myhostname = zimbra.my.aacount.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
propagate_unmatched_extensions = canonical
queue_directory = /opt/zimbra/data/postfix/spool
queue_run_delay = 300s
recipient_delimiter =
relayhost = my.aacount.com:25
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
setgid_group = postdrop
smtp_sasl_mechanism_filter = plain,login
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
    reject_unlisted_recipient, reject_unknown_recipient_domain, reject_unverified_recipient, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl-1.uceprotect.net, reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com, reject_rbl_client all.rbl.jp,
    reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client b.barracudacentral.org, reject_rbl_client psb.surriel.com,
    reject_rbl_client dnsbl.ahbl.org, reject_rbl_client dnsbl.njabl.org, reject_rbl_client bhnc.njabl.org,
    reject_rbl_client dnsbl.dronebl.org, reject_rbl_client rabl.nuclearelephant.com, reject_rbl_client multi.uribl.com,
    reject_rbl_client 0spam.fusionzero.com, reject_rbl_client 0spam-killlist.fusionzero.com, permit
smtpd_reject_unlisted_recipient = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
virtual_transport = error
```

Also, this is my current configuration for the server that I want to make the secondary MX:

```
body_checks = regexp:/usr/local/etc/postfix/body_checks
bounce_queue_lifetime = 2d
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/usr/local/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_queue_lifetime = 2d
message_size_limit = 15360000
mydestination = $myhostname
mydomain = account.com
myhostname = my.account.com
mynetworks = 192.168.1.0/24, 192.168.134.0/24
myorigin = $myhostname
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/usr/local/etc/postfix/helo_access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    check_sender_access hash:/usr/local/etc/postfix/sender_access,
    check_recipient_access hash:/usr/local/etc/postfix/recipient_access,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_sender,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client combined.njabl.org,
    reject_rbl_client l2.spews.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023
smtpd_sender_restrictions = permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
unknown_local_recipient_reject_code = 550
```

Now:
What extra changes do I have to make to the last configuration to make it the secondary MX?

How do I make it known to the secondary MX that some accounts now reside on the primary MX, and that those accounts should receive emails from accounts on the secondary MX?

How do I make sure all valid emails for the domain coming from the outside are accepted instead of rejected when I make the MX record changes?

Note:
I want to be able to migrate users one at a time from accounts currently on my email server to the primary email server that I just created. The domain that will be the primary email server is zimbra.my.account.com, and in it I will have the my.account.com domain.

Also, the domain for my current email server is my.account.com, which I am trying to make the secondary email server after configuring the MX records.

Remember, I still want to be able to use my same domain name (my.account.com) on both servers.

I set up a relayhost on the primary MX zimbra.my.account.com that seems to be relaying some emails and rejecting most valid emails.

When I try to send emails from an account on the primary server to accounts on the secondary server, it loops back to itself even though I did not tell the primary server that those accounts now reside on it. The command for that would be:

```
$ zmprov ma bar@my.account.com zimbraMailTransport lmtp:zimbra.my.account.com:7025
```

The above command tells the primary MX that the bar account now receives emails on the primary MX.

The command below adds that account to the primary MX zimbra.my.account.com but transports emails to my.account.com:

```
$ zmprov ma bar@my.account.com zimbraMailTransport smtp:my.account.com:25
```
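As an added example (written for this thread; it is neither the poster's configuration nor anything from Zimbra or the Postfix project), this is the Postfix-side equivalent of the per-user zimbraMailTransport routing above, applied on the FreeBSD server so that users still on it are delivered locally while migrated users are handed to the primary one at a time. It assumes the poster's config_directory of /usr/local/etc/postfix and that bar@my.account.com is a migrated user:

```conf
# Additions to /usr/local/etc/postfix/main.cf on my.account.com (added example)
# my.account.com stays a local domain here (mydestination = $myhostname), so users
# not yet migrated keep their Maildir mailboxes on this host.
transport_maps = hash:/usr/local/etc/postfix/transport
# smtpd verifies recipients of mydestination domains against local_recipient_maps
# before any routing happens. Append a table of migrated users to the default
# value, or their mail is rejected as "User unknown in local recipient table"
# once their system accounts are removed from this host.
local_recipient_maps = proxy:unix:passwd.byname $alias_maps hash:/usr/local/etc/postfix/migrated

# /usr/local/etc/postfix/transport  (run "postmap" on it after every change)
# A user@domain entry is matched before a bare domain entry, so each user can be
# moved individually. Brackets skip the MX lookup: the message goes straight to
# the primary host even while this server is still the best MX for the domain,
# which is what avoids "mail loops back to myself" on this side.
bar@my.account.com    smtp:[zimbra.my.account.com]

# /usr/local/etc/postfix/migrated  (run "postmap" on it too); the value is unused
bar@my.account.com    migrated
```

Each migrated user then needs two entries: the transport line here, and on the Zimbra side the lmtp zimbraMailTransport shown above, so neither server points the account back at the other.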


----------



## albsallu (Oct 14, 2009)

This problem has been resolved. I did the reverse of creating the MX priority, and after migrating all accounts, I switched the preferences to what I want and it works fine.
Thanks for your effort.


----------



## mike19 (Oct 27, 2009)

*Simpler Solution*

It amazes me the pains people go through to run their own backup MX. Why not just pay a small amount per month for an enterprise-level backup MX service that is already outside of your network? I have used mxsave for years and it does the job without any headaches.


----------



## dennylin93 (Oct 27, 2009)

Sure, it sometimes is easier to pay. However, not everyone can afford services like that. Some people also like to use their own servers.


----------



## brd@ (Nov 1, 2009)

I also wonder why people bother with backup MXs. Is mail really that important to you? Sure, it can be good practice and a good learning experience. But it is also how most spam gets in. Improperly configured backup MXs are the number one target of spammers. You have to make sure your backup MX is configured with the same list of users and the same anti-spam configuration as the primary.


----------

