> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> Sent: Wednesday, 8 October 2008 6:00 PM
> To: postfix-users@postfix.org
> Subject: RE: [SPAM?] Re: My first config - unable to telnet 
> to port 25, virtual.db missing
> 
> The primary passes to an internal mail server, but performs 
> recipient validation before doing so. This is why I don't 
> believe it's worth doing on the secondary because it means 
> genuine recipients will be checked with the internal server 
> twice (should they be received by the secondary, not primary MX).
> 
> Apologies if my terminology is off here. I always think of MX 
> servers as gateways, though I realise in some companies the 
> gateway server and the internal mail server will be one and the same.
> 
> From reading further into your response, perhaps I am 
> misunderstanding MX records. So far as I know, if the 
> secondary MX server receives the e-mail, it shouldn't pass it 
> inside but rather should pass it to the primary MX server, 
> which should be the single point of contact with the internal 
> mail server. Is this incorrect?
> 
> Paul Cocker
> 
> 

As has been mentioned a number of times, please don't top post.

MX records do not work in the way you think. Any MX server - unless
configured to do otherwise - will relay mail directly to the recipients.
The MX priorities are so that you can direct the bulk of mail (which
should look at the lowest-numbered MX, although spammers don't care
about such niceties) to your most specced-up server or best Internet
link, or whatever, while your secondary MX might have a lesser hardware
configuration or be sitting on a smaller pipe. But they still can accept
mail (and will).

We have a primary and secondary Postfix MX on our DMZ, with the primary
sitting next to our fattest Internet pipe. Both servers will deliver
mail to the Exchange servers on the internal network; both servers do AD
lookups using a perl script to build valid relay_recipient and transport
tables every hour. We have no problem permitting a service account a
one-way lookup through the firewall to the LDAP port for the domain
controllers.

Plenty of people use MXes at the same priority level as a load-balancing
mechanism. It doesn't matter - even the primary/secondary model should
validate all mail coming through as rigorously on each server. The whole
point of the redundancy and using MX records is that if one server dies,
you don't need to do *anything* for mail services to keep running.
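As an added illustration of the table-building step described in the reply (this is not the poster's Perl script, and the directory entries, domain names and internal host are constructed stand-ins for what an AD/LDAP query would return), the following builds the relay_recipient and transport tables in the text form Postfix's hash: maps expect, so both MXs can reject unknown recipients at SMTP time instead of relaying them inside:

```python
"""Build Postfix relay_recipient and transport tables from directory data.

Added example: a real run would fetch the entries from the domain
controllers as a service account; here they are constructed inline.
"""

# Constructed sample of mail-enabled directory objects (mail + proxyAddresses).
# Hypothetical domains; "other.example" is deliberately not a relayed domain.
DIRECTORY_ENTRIES = [
    {"mail": "alice@example.com", "proxyAddresses": ["smtp:alice.smith@example.com"]},
    {"mail": "bob@example.com", "proxyAddresses": ["SMTP:bob@example.com", "x400:c=us;o=example"]},
    {"mail": "eve@other.example", "proxyAddresses": []},
]

# Internal server each relayed domain is handed to (hypothetical next-hop).
INTERNAL_ROUTES = {"example.com": "smtp:[exchange.internal.example.com]"}


def collect_addresses(entries, relay_domains):
    """Return the SMTP addresses from the directory that belong to one of our
    relayed domains. Anything else is dropped so the MX never accepts mail it
    could not deliver internally (the source of backscatter)."""
    addrs = set()
    for entry in entries:
        candidates = [entry.get("mail", "")]
        for proxy in entry.get("proxyAddresses", []):
            scheme, _, addr = proxy.partition(":")
            if scheme.lower() == "smtp":        # skip x400 and other address types
                candidates.append(addr)
        for addr in candidates:
            addr = addr.strip().lower()
            domain = addr.rpartition("@")[2]
            if addr and domain in relay_domains:
                addrs.add(addr)
    return addrs


def relay_recipient_table(addresses):
    """relay_recipient_maps source text: one 'user@domain OK' line per recipient."""
    return "".join(f"{a} OK\n" for a in sorted(addresses))


def transport_table(routes):
    """transport_maps source text: route each relayed domain to the internal host."""
    return "".join(f"{d} {nexthop}\n" for d, nexthop in sorted(routes.items()))


def build_tables(entries=DIRECTORY_ENTRIES, routes=INTERNAL_ROUTES):
    """Both tables, built from the same directory snapshot so every MX agrees."""
    return relay_recipient_table(collect_addresses(entries, set(routes))), transport_table(routes)


if __name__ == "__main__":
    recipients, transport = build_tables()
    print(recipients + transport)
    # On each MX: write these to the map files and run postmap on them.
```

The same snapshot must be installed on every MX, primary and secondary alike, or the weaker server becomes the path that accepts mail for nonexistent users.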
