On Tue, Oct 29, 2024 at 09:44:16PM +0800, Adriel via Postfix-users wrote:

> I would like to set up two MX servers with equal priority, both using
> Postfix as the MTA software. One MX server resides on the same physical
> machine as the Dovecot service, and I am familiar with their configuration.
> However, the other MX server is located in a remote data center separate
> from Dovecot. Could you advise on how to properly configure these two MX
> servers to ensure they work correctly together?
It is unclear why you want the distant MX to have equal priority, and not
just be a backup. A sketch of a configuration is:

    example.net. IN MX 0 primary.example.net.
    example.net. IN MX 10 backup.example.net.

backup.example.net:

    main.cf:
        relay_domains = example.net
        relay_recipient_maps = ... some complete table of valid recipients ...
        relay_transport = relay:[primary.example.net]
        smtpd_relay_restrictions = reject_unauth_destination
        smtpd_recipient_restrictions = ... various anti-spam measures ...

    master.cf:
        relay unix ... smtp
            # Assumes relay nexthop appears in peer certificate,
            # which can be verified.
            #
            # You could also go with "dane-only" instead, if you have
            # DNSSEC and DANE TLSA records for the primary, and have
            # working monitoring and robust cert rollover process that
            # does not invalidate the TLSA records as keys/certs roll
            # over.
            #
            -o { smtp_tls_security_level = secure }
            -o { smtp_tls_CAfile = ... file with just expected root CAs ... }

primary.example.net:

    main.cf:
        mynetworks = ... IP address of backup MX ...
        virtual_mailbox_domains = example.net
        virtual_mailbox_maps = ... some complete table of valid recipients ...
        smtpd_relay_restrictions = reject_unauth_destination
        smtpd_recipient_restrictions =
            permit_mynetworks,
            ... various anti-spam measures ...

        # Nexthop may be an LMTP unix-domain socket or [127.0.0.1]
        #
        # With a pipe(8) transport you probably want a recipient limit
        # of 1 since there's no way to indicate which recipients
        # failed.
        #
        virtual_transport = dovecot:...

You could perhaps go to the trouble of delivering from the remote system
to Dovecot via LMTP over a TLS encrypted and authenticated connection, but
that requires some skill to set up; it is easier to just relay the mail to
the primary via SMTP, which requires a better MX priority on the primary.
Probably also enable TLS on both ends, and require TLS from secondary to
primary via:

-- 
    Viktor.
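The following is an added illustration, not part of the thread and not Postfix code. It is a small Python model of the RCPT TO decision on the two hosts sketched above, approximating how reject_unauth_destination, permit_mynetworks and the recipient tables interact. It goes slightly beyond the sketch by also running the "table left unset" case, to show why the backup MX needs a complete relay_recipient_maps: without it the backup accepts mail for non-existent users and must later bounce it (backscatter). Hostnames, IP addresses (RFC 5737 documentation ranges), recipient lists and the blocklist are all constructed for the example.

```python
"""Toy model of Postfix's RCPT TO handling on a backup MX and its primary.
Added example only; it approximates the documented behaviour and does not
call Postfix. All addresses and tables below are constructed."""
from ipaddress import ip_address, ip_network

BACKUP_IP = "198.51.100.25"            # constructed address of backup MX
SPAM_SOURCES = {"203.0.113.66"}        # constructed stand-in for anti-spam checks

# primary.example.net: final destination, trusts the backup via mynetworks.
PRIMARY = {
    "mynetworks": ["127.0.0.0/8", BACKUP_IP + "/32"],
    "relay_domains": set(),
    "relay_recipient_maps": None,       # not used on the primary
    "virtual_mailbox_domains": {"example.net"},
    "virtual_mailbox_maps": {"alice@example.net", "bob@example.net"},
}

# backup.example.net: relays example.net to the primary, knows valid users.
BACKUP = {
    "mynetworks": ["127.0.0.0/8"],
    "relay_domains": {"example.net"},
    "relay_recipient_maps": {"alice@example.net", "bob@example.net"},
    "virtual_mailbox_domains": set(),
    "virtual_mailbox_maps": None,
}

# Same backup with relay_recipient_maps left unset: Postfix then accepts
# any local part in a relay domain.
BACKUP_NO_TABLE = dict(BACKUP, relay_recipient_maps=None)


def rcpt_to(host, client_ip, recipient):
    """Return the SMTP reply a host would give to RCPT TO:<recipient>."""
    domain = recipient.rpartition("@")[2].lower()
    client = ip_address(client_ip)
    in_mynetworks = any(client in ip_network(n) for n in host["mynetworks"])

    # 1. smtpd_relay_restrictions = reject_unauth_destination: only domains
    #    this host is responsible for are accepted, whoever the client is.
    authorized = host["relay_domains"] | host["virtual_mailbox_domains"]
    if domain not in authorized:
        return "554 5.7.1 Relay access denied"

    # 2. smtpd_recipient_restrictions: permit_mynetworks lets the trusted
    #    backup skip the anti-spam checks; other clients are checked.
    if not in_mynetworks and client_ip in SPAM_SOURCES:
        return "554 5.7.1 Client host rejected"

    # 3. Recipient validation against the table for that domain class.
    #    A value of None models an unset table ("every address exists").
    if domain in host["relay_domains"]:
        table, where = host["relay_recipient_maps"], "relay recipient table"
    else:
        table, where = host["virtual_mailbox_maps"], "virtual mailbox table"
    if table is not None and recipient.lower() not in table:
        return f"550 5.1.1 User unknown in {where}"
    return "250 2.1.5 Ok"


def via_backup(backup, primary, client_ip, recipient):
    """Outcome of a message that first reaches the backup MX from client_ip."""
    first = rcpt_to(backup, client_ip, recipient)
    if not first.startswith("250"):
        return "rejected at backup: " + first
    # The backup has taken responsibility and forwards through
    # relay_transport, so the primary sees the backup's own address.
    second = rcpt_to(primary, BACKUP_IP, recipient)
    if not second.startswith("250"):
        # Too late to refuse: the backup must bounce to the (possibly
        # forged) envelope sender, i.e. it generates backscatter.
        return "accepted by backup, then bounced: " + second
    return "delivered"


if __name__ == "__main__":
    for label, host in (("with table", BACKUP), ("no table", BACKUP_NO_TABLE)):
        for rcpt in ("alice@example.net", "nobody@example.net", "x@other.example"):
            print(f"{label:10} {rcpt:20} -> {via_backup(host, PRIMARY, '192.0.2.10', rcpt)}")
```

Running the block prints one line per case; the "no table" row for nobody@example.net is the backscatter case, and x@other.example is refused by both hosts regardless of tables, which is the open-relay protection reject_unauth_destination provides.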