Russell Nelson wrote:

> David Dyer-Bennet writes:
[snip]
>  > It doesn't work fine in the scenario I outlined at the beginning of my
>  > message.  In that situation, the mail will sit on the qmail system
>  > until it expires, when there's a perfectly good secondary MX system
>  > sitting there waiting to accept it.  This is not my definition of
>  > "works fine".
>
> Right, but you're suggesting that nobody will notice the lack of
> reception of email for seven days.  If they make configuration changes
> without testing them (and I count leaving a down machine down as
> such), and then don't notice that something is broken for a week, then
> I'll wager that they'll be suited just as well without email.

You're suggesting that all incoming mail reaches them by means of qmail
and that sendmail doesn't exist?

If the 1st MX host is down (any scenario, including dying in the middle
of receiving SMTP DATA) and the 2nd MX host is up, they may well not notice
anything because there isn't enough problem to notice.  And if they do
notice that some mail isn't arriving as expected, they could very easily
be misled to not blame the 1st MX host because most mail is arriving
just fine (via sendmail falling back to the 2nd MX host).

I'm sure the system administrator will notice something wrong when he
gets back from his vacation in Kuala Lumpur.


> You're also presuming that they have the ability to read email off the
> "secondary" host.  It would be very unusual for a host which functions
> identically to another to be given a lower priority.  Much more often,
> the secondary host is one which is configured only to relay mail to
> the primary.

You're presuming that they read email off of either host.  They may be
reading it off of an internal mail server on a private address LAN that
only hosts in the DMZ, acting as mail gateways, can reach.

And there is also a valid reason to prefer one server over another to
gateway the mail.  If there are 2 servers in the DMZ, functionality may
be split by having one act as the web server and the other act as the
mail server, with failover being the other server.  The 2nd MX host
would then be the web server.  It would be undesired to put half of
the mail through it when the 1st is running fine and is dedicated to
the purpose.


>  > The secondary MX exists to cover cases when the primary is down.  It's
>  > not an "incorrectly configured" DNS to have a primary MX listed that
>  > happens to be down at the moment!
>
> And a firewall which accepts connections for a down host is not
> misconfigured or broken by design??

Such a firewall is broken.

Such a firewall is not the only scenario impacted by not falling back to
the 2nd MX.

Is it more important to punish broken configurations at the expense of
missing an opportunity to work around a problem in a valid configuration?
I know we hate misconfiguration, but is it necessary to be so obsessed
with it?

I'm arguing for the valid configurations, not that broken firewall
scenario.  I've pointed out how without such a firewall you can still
have the same exact symptoms and many others like it.

-- 
Phil Howard | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
  phil      | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
      at    | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
  ipal      | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
     dot    | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
  net       | [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
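The two delivery policies argued over in this thread, written out as a small simulation. This is an added example, not code from qmail, sendmail or any list member: each MX host is a constructed record whose `outcome` says what a delivery attempt to it would produce, and the two policy names (`stop_on_connect`, `fall_through`) are this example's own labels for "defer as soon as some host accepts the TCP connection" versus "treat any temporary failure, including a session that dies after connecting, as a reason to try the next MX". The hostnames and preferences are made up.

```python
"""Simulated MX fallback policies (constructed example, not qmail/sendmail code).

stop_on_connect : give up (defer) as soon as a host accepts the TCP
                  connection, even if the session then dies mid-DATA.
fall_through    : any temporary failure, including a session that died
                  after connecting, means "try the next MX".
"""
from dataclasses import dataclass
from enum import Enum, auto

STOP_ON_CONNECT = "stop_on_connect"
FALL_THROUGH = "fall_through"


class Outcome(Enum):
    ACCEPTED = auto()        # 250 after DATA: message delivered
    CONNECT_FAILED = auto()  # no TCP connection (refused / timeout)
    SESSION_DIED = auto()    # connected, then the host went away mid-session
    PERM_REJECTED = auto()   # 5xx: permanent failure, stop trying


@dataclass(frozen=True)
class MX:
    host: str
    pref: int          # MX preference; lower is tried first
    outcome: Outcome   # what an attempt against this host would produce


def sort_mx(records):
    """Order MX records by preference, as a delivery agent would."""
    return sorted(records, key=lambda r: r.pref)


def deliver(records, policy):
    """Walk the MX list under `policy`; return (final status, hosts tried)."""
    tried = []
    for mx in sort_mx(records):
        tried.append(mx.host)
        if mx.outcome is Outcome.ACCEPTED:
            return "delivered", tried
        if mx.outcome is Outcome.PERM_REJECTED:
            return "bounced", tried
        if mx.outcome is Outcome.SESSION_DIED and policy == STOP_ON_CONNECT:
            # The connection succeeded, so this policy treats the host as
            # "reachable" and defers instead of moving on.
            return "deferred", tried
        # CONNECT_FAILED always moves on; SESSION_DIED moves on only
        # under FALL_THROUGH.
    return "deferred", tried


# Constructed scenarios (hostnames are hypothetical).
PRIMARY = "mx1.example.net"   # dedicated mail gateway, pref 10
SECONDARY = "mx2.example.net" # web server doubling as 2nd MX, pref 20

SCENARIOS = {
    # Primary died mid-session (or a firewall accepts for a down host).
    "primary_dies_after_connect": [
        MX(SECONDARY, 20, Outcome.ACCEPTED),
        MX(PRIMARY, 10, Outcome.SESSION_DIED),
    ],
    # Primary is down and nothing answers on the port.
    "primary_refuses": [
        MX(PRIMARY, 10, Outcome.CONNECT_FAILED),
        MX(SECONDARY, 20, Outcome.ACCEPTED),
    ],
    # Everything healthy: the secondary should never be touched.
    "primary_healthy": [
        MX(PRIMARY, 10, Outcome.ACCEPTED),
        MX(SECONDARY, 20, Outcome.ACCEPTED),
    ],
}


def compare():
    """Run every scenario under both policies; {scenario: {policy: result}}."""
    return {
        name: {p: deliver(recs, p) for p in (STOP_ON_CONNECT, FALL_THROUGH)}
        for name, recs in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, results in compare().items():
        for policy, (status, tried) in results.items():
            print(f"{name:28} {policy:16} {status:9} via {' -> '.join(tried)}")
```

The only scenario where the policies differ is the one the thread is about: a primary that accepted the connection and then vanished. Under `stop_on_connect` the message sits in the queue until it expires; under `fall_through` it goes out via the secondary on the same attempt. In the healthy case both policies leave the lower-preference host alone, which is the point made above about not wanting half the mail to go through the web server.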
