> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Paul Cocker
> > Sent: Wednesday, 8 October 2008 6:00 PM
> > To: postfix-users@postfix.org
> > Subject: RE: [SPAM?] Re: My first config - unable to telnet to port 
> > 25, virtual.db missing
> > 
> > The primary passes to an internal mail server, but performs recipient
> > validation before doing so. This is why I don't believe it's worth
> > doing on the secondary because it means genuine recipients will be
> > checked with the internal server twice (should they be received by the
> > secondary, not primary MX).
> > 
> > Apologies if my terminology is off here. I always think of MX servers
> > as gateways, though I realise in some companies the gateway server and
> > the internal mail server will be one and the same.
> > 
> > From reading further into your response, perhaps I'm misunderstanding MX
> > records. So far as I know, if the secondary MX server receives the
> > e-mail, it shouldn't pass it inside but rather should pass it to the
> > primary MX server, which should be the single point of contact with
> > the internal mail server. Is this incorrect?
> > 
> > Paul Cocker
> > 
> > 
> 
> As has been mentioned a number of times, please don't top post.
> 

Apologies for that, but the prefix scheme isn't as professional and
Outlook 2003 doesn't provide a good method for switching between the
two. Still, I'll stop being so lazy ;)

> MX records do not work in the way you think. Any MX server - 
> unless configured to do otherwise - will relay mail directly 
> to the recipients.
> The MX priorities are so that you can direct the bulk of mail 
> (which should look at the lowest-numbered MX, although 
> spammers don't care about such niceties) to your most 
> specced-up server or best Internet link, or whatever, while 
> your secondary MX might have a lesser hardware configuration 
> or be sitting on a smaller pipe. But they still can accept 
> mail (and will).
> 
> We have a primary and secondary Postfix MX on our DMZ, with 
> the primary sitting next to our fattest Internet pipe. Both 
> servers will deliver mail to the Exchange servers on the 
> internal network; both servers do AD lookups using a perl 
> script to build valid relay_recipient and transport tables 
> every hour. We have no problem permitting a service account a 
> one-way lookup through the firewall to the LDAP port for the 
> domain controllers.
> 
> Plenty of people use MXes at the same priority level as a 
> load-balancing mechanism. It doesn't matter - even the 
> primary/secondary model should validate all mail coming 
> through as rigorously on each server. The whole point of the 
> redundancy and using MX records is that if one server dies, 
> you don't need to do *anything* for mail services to keep running.
> 

Thank you for the clear explanation, it's a great help and certainly
corrects some misconceptions I had. I suspect we'll end up using the
backup only as a method for picking up mail the primary is too busy to
take (especially as some mail servers seem to give up on the first
try!), otherwise we'll have to maintain two spam filters on two separate
systems (one postfix w/ addon such as SpamAssassin and one Barracuda).
It opens the option to allow internal delivery on the secondary
temporarily should the primary fail.

I have set up recipient validation, thanks to these discussions, as even
if we don't end up needing it it's an interesting learning exercise. I
have run into a hurdle however, which is that the validation check fails
because Active Directory is set up to use LDAP signing (or
LDAP_STRONG_AUTH_REQUIRED, as the error states) and I haven't had any
luck thus far in finding how to modify the script to accommodate this.



TNT Post is the trading name for TNT Post UK Ltd (company number: 04417047), 
TNT Post (Doordrop Media) Ltd (00613278), TNT Post Scotland Ltd (05695897), TNT 
Post North Ltd (05701709), TNT Post South West Ltd (05983401), TNT Post 
Midlands Limited (6458167)and TNT Post London Limited (6493826). Emma's Diary 
and Lifecycle are trading names for Lifecycle Marketing (Mother and Baby) Ltd 
(02556692). All companies are registered in England and Wales; registered 
address: 1 Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, 
SL7 1HY.
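An added example, not the poster's script nor anything from the thread: a Perl/Net::LDAP job of the kind described above (run hourly on both MX hosts) that pulls every SMTP address out of Active Directory and writes a relay_recipient_maps source file. It also shows the usual fix for the LDAP_STRONG_AUTH_REQUIRED error: a domain controller configured to require LDAP signing refuses a simple bind on plain-text port 389, but accepts it once the session is wrapped in TLS (LDAPS on 636, or StartTLS on 389), so the only firewall change is the port. The hostname, bind DN, base DN, CA file, domain list and output path are placeholders to be replaced with your own values.

```perl
#!/usr/bin/perl
# build_relay_recipients.pl -- added example, not the original poster's script.
# Queries AD over LDAPS (satisfies "require LDAP signing") and writes a
# Postfix relay_recipient_maps source file. All site values are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED LDAP_SUCCESS);
use File::Temp qw(tempfile);
use File::Copy qw(move);

# ---- assumed site-specific settings: change these for your environment ----
my $dc       = 'dc1.corp.example';                               # domain controller
my $bind_dn  = 'CN=svc-postfix,OU=Service Accounts,DC=corp,DC=example';
my $bind_pw  = read_secret('/etc/postfix/ad.secret');            # root-owned, mode 0600
my $base_dn  = 'DC=corp,DC=example';
my $ca_file  = '/etc/ssl/certs/corp-root-ca.pem';                # CA that issued the DC cert
my @domains  = qw(example.com example.co.uk);                    # domains these MXes relay for
my $out_file = '/etc/postfix/relay_recipients';

# A DC that requires LDAP signing rejects a plain-text simple bind with
# strongAuthRequired (8). Wrapping the session in TLS satisfies it; LDAPS is
# used here. StartTLS is the equivalent on port 389:
#   my $ldap = Net::LDAP->new($dc) or die;
#   $ldap->start_tls(verify => 'require', cafile => $ca_file);
my $ldap = Net::LDAP->new(
    $dc,
    scheme  => 'ldaps',
    port    => 636,
    verify  => 'require',   # refuse any DC whose certificate does not chain to $ca_file
    cafile  => $ca_file,
    timeout => 30,
) or die "cannot connect to $dc: $@";

my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
$mesg->code == LDAP_SUCCESS or die "bind failed: " . $mesg->error;

# AD caps a search at 1000 entries unless the paged-results control is used.
my $page = Net::LDAP::Control::Paged->new(size => 500);
my %recipients;
while (1) {
    $mesg = $ldap->search(
        base    => $base_dn,
        scope   => 'sub',
        filter  => '(proxyAddresses=smtp:*)',
        attrs   => ['proxyAddresses'],
        control => [$page],
    );
    $mesg->code == LDAP_SUCCESS or die "search failed: " . $mesg->error;

    for my $entry ($mesg->entries) {
        for my $addr ($entry->get_value('proxyAddresses')) {
            # Values look like "SMTP:primary@example.com" (primary) or
            # "smtp:alias@example.com"; X400:, sip: etc. are not SMTP.
            next unless $addr =~ /^smtp:(.+)$/i;
            my $mail = lc $1;
            my ($domain) = $mail =~ /\@([^@]+)\z/ or next;
            next unless grep { $_ eq $domain } @domains;   # ignore other domains
            $recipients{$mail} = 1;
        }
    }
    my ($resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $resp->cookie or last;                    # empty cookie: last page
    $page->cookie($cookie);
}
$ldap->unbind;

# A defined but empty relay_recipient_maps makes Postfix reject every
# recipient, so never overwrite a good table with an empty one.
die "no recipients found; keeping existing $out_file\n" unless %recipients;

# Write atomically, make it readable by the smtpd process, then postmap it.
my ($fh, $tmp) = tempfile("$out_file.XXXXXX");
print {$fh} "$_\tOK\n" for sort keys %recipients;
close $fh or die "write $tmp: $!";
chmod 0644, $tmp or die "chmod $tmp: $!";
move($tmp, $out_file) or die "rename $tmp -> $out_file: $!";
system('postmap', $out_file) == 0 or die "postmap $out_file failed";

sub read_secret {
    my ($path) = @_;
    open my $sfh, '<', $path or die "cannot read $path: $!";
    chomp(my $pw = <$sfh>);
    close $sfh;
    return $pw;
}
```

With the file in place, both MXes use the same main.cf lines: `relay_domains = example.com, example.co.uk` and `relay_recipient_maps = hash:/etc/postfix/relay_recipients` (plus the transport_maps entries pointing each domain at the internal server), and Postfix rejects unknown recipients at RCPT TO on whichever MX the sender picked. If the DCs are reachable only on 389 and LDAPS/StartTLS cannot be enabled, the other way to satisfy a signing requirement is a SASL GSSAPI bind with integrity protection (Authen::SASL with a Kerberos ticket for the service account) instead of a simple bind; that is a different code path from the one shown here.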
