Folks,

I maintain a Postfix/Amavisd/Clamav front-end mail server for a customer with a time-critical business that heavily relies on email for incoming orders. This MX itself is secured by running on redundant VMware hosts, the internet access lines are redundant, but still the MX may not be available at all times. Sure, a sending MTA would try again a bit later, but I don't have any means to influence the length of the delay, and one or two hours could already render the email order useless.

I thought of running another MX server at a different location, but I'd like to avoid the hassle of configuring recipient verification and spam checking once more, despite the fact that LDAP recipient verification against Exchange is also very hard when the customer's site is completely offline.

So I thought I'd plug a policyd into the backup MX that checks if the primary MX is available, and if it is, rejects all mail with a 4xx temporary failure. If the primary is down, it will accept without any recipient or spam checks and queue all mail until the primary recovers. Since the queue on the backup can also be flushed by hand, the average delay should be way shorter than relying on the sending MTAs to retry at their discretion.

What do you think? Is there already someone using a setup like this (with which policyd implementation)?

Thank you for any insights, best regards
-hannes
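The policy server described above, as an added illustration that is not part of the original post and not any existing policyd: a minimal Postfix SMTPD policy daemon (the attribute=value protocol Postfix speaks to check_policy_service) that probes the primary MX on TCP/25, answers a 450 at RCPT time while the primary is reachable, and answers DUNNO (let the remaining restrictions decide) when it is not. The primary's hostname, the port, the timeouts and the 450 text are assumptions.

```python
"""Hypothetical Postfix SMTPD policy daemon for a backup MX.

Postfix spawns this via spawn(8), writes one request as attr=value lines
terminated by an empty line on stdin, and reads "action=...\n\n" on stdout.
Nothing here is taken from the original post; hostnames, ports and the
reply text are assumptions.
"""
import socket
import sys
import time

PRIMARY_MX = ("mx1.example.net", 25)   # assumption: the primary MX to probe
PROBE_TIMEOUT = 3.0                    # seconds for connect + banner read
CACHE_TTL = 30.0                       # reuse one probe result this long,
                                       # so each RCPT does not open a socket


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: attr=value lines up to the first blank line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:  # lines without '=' are not part of the protocol; ignore them
            attrs[key] = value
    return attrs


def probe_primary(host=PRIMARY_MX[0], port=PRIMARY_MX[1], timeout=PROBE_TIMEOUT) -> bool:
    """True when the primary MX accepts a TCP connection and sends a 220 banner.

    Any OSError (refused, unreachable, timeout) counts as 'down'. Note this is
    reachability as seen from the backup MX, not from the sending MTA.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512)
            return banner.startswith(b"220")
    except OSError:
        return False


class CachedProbe:
    """Wrap a probe function and remember its result for ttl seconds."""

    def __init__(self, probe, ttl=CACHE_TTL):
        self.probe, self.ttl = probe, ttl
        self.checked_at, self.result = 0.0, False

    def __call__(self) -> bool:
        now = time.monotonic()
        if now - self.checked_at > self.ttl:
            self.result = self.probe()
            self.checked_at = now
        return self.result


def decide_action(primary_up: bool) -> str:
    """4xx while the primary answers, otherwise leave the decision to Postfix."""
    if primary_up:
        return "450 4.3.2 Backup MX: primary MX is reachable, please retry there"
    return "DUNNO"


def policy_response(attrs: dict, primary_up: bool) -> str:
    """Only act on smtpd_access_policy requests at the RCPT stage."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    return decide_action(primary_up)


def serve(stream_in=sys.stdin, stream_out=sys.stdout, probe=None):
    """Handle requests until Postfix closes stdin."""
    probe = probe or CachedProbe(probe_primary)
    buf = []
    for line in stream_in:
        if line.strip() == "":
            attrs = parse_policy_request("".join(buf))
            buf = []
            stream_out.write("action=%s\n\n" % policy_response(attrs, probe()))
            stream_out.flush()
        else:
            buf.append(line)


if __name__ == "__main__":
    serve()
```

On the backup MX this would be listed in master.cf as a spawn service and referenced early in smtpd_recipient_restrictions via check_policy_service. Two consequences of the design follow directly from the post's description: the probe only tells you whether the primary is reachable from the backup, so a sender that cannot reach the primary but can reach the backup still gets deferred; and mail accepted during an outage has had no recipient validation, so the primary may reject some of it when the queue is flushed and the backup will then generate bounces for those messages.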
I maintain a Postfix/Amavisd/Clamav front-end mail server for a customer with a time-criticial business that heavily relies on email for incoming orders. This MX itself is secured by running on redundant VMware hosts, the internet access lines are redundant, but still the MX may not be available at all times. Sure, a sending MTA would try again a bit later, but I don't have any means to influence the length of the delay and one or two hours could already render the email order useless. I thought of running another MX server at a different location, but I'd like to avoid the hassle configuring recipient verification and spam checking once more -- despite LDAP recipient verification against Exchange is also very hard when the customer's site is completely offline. So I thought I'd plug a policyd into the backup MX that checks if the primary MX is available, and if it is, rejects all mail with a 4xx temporary failure. It the primary is down, it will accept without any recipient or spam checks and queue all mail until the primary recovers. Since the queue on the backup can also be flushed by hand, the average delay should be way shorter than relying on the sending MTAs to retry at their descretion. What do you think? Is there already someone using a setup like this (with which policyd implementation)? Thank you for any insights, best regards -hannes