On Thu, Feb 24, 2011 at 06:02:42PM +0100, Matthias Egger wrote:

>> Listening on primary and backup MX addresses
>> ============================================
>> This week I was doing some experiments: I configured Postfix to
>> make postscreen listen on both primary AND backup MX addresses.
>> This was a matter of adding a second IP address to the ethernet
>> interface of my mail server, then adding a backup DNS MX record
>> that resolves to that second IP address.
>
> Does this solution also work when you use two different machines (One for 
> the primary MX and one for the backup MX)?
>
> Or do I need 3 MX records then? One for the primary (on machine one), one 
> for the backup (also on machine one but on another interface) and one for 
> the "real" backup on a third machine?

For this solution to extend to an environment with multiple primary
MX hosts the multiple servers would need to share the "postscreen"
state database. This requires a highly-available database, perhaps
multi-master replication.

If one wants to avoid whitelisting bots that only connect to backup MX
hosts, appropriate configuration is needed in the backup MX postscreen.
I am not sure how this part of the design works: is it that we expect
the bot to fail the test via the backup IP, or are we trying to not
whitelist clients that never try the primary IP?

-- 
        Viktor.
