-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joshua, C.S. Chen wrote:
> Looks like I have to enable SA in the 2nd server. It might be a spam
> hole if the spam is sent to 2nd first, then forcibly relayed to the primary.
>

Sorry for the late response, I'm just catching up on some backlog.
Here's my personal opinion: your secondary mail server should have stronger restrictions on it than your primary mail server. The reason I say this is because for some time now it has been a common spammer practice to hit your secondary, tertiary, etc. MX servers first with the assumption that they are typically configured with fewer restrictions or merely, as yours is, as a store-and-forward.

For specific reasons I'm unable to implement greylisting on my primary MX server; however, it's perfectly acceptable for me to enable it on my secondary MX server. On top of that, I have value user checks, antivirus checks and share the Bayes database (using MySQL) with the primary MX server for SpamAssassin checks.

Because your secondary MX is in place for "in case the primary mail server fails" you should have to have the same kind of horsepower. My secondary server is significantly lower powered than my primary MX server. In the case that the primary server is still running, the secondary will most likely only be dealing with SPAM anyways, and it won't matter if it takes a while to process those messages. In the case that the primary server is down, well, your users aren't going to be getting their email anytime soon anyways, so it shouldn't matter if it takes a bit more time to process those incoming mails.

If the mail coming into the 2nd MX server is SPAM, it should reject it (not bounce) properly either way; if it's not SPAM, it should accept it and then pass it off to the primary MX server once it's back up and running.

This scenario has been working well for us here for the past 2 years or so.

Alan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFENj0vE2gsBSKjZHQRArxzAJwIZ3zyz00psNgFWTkgMqhua9fqDACg2ecD
R/So24Tv3qHBAjOI/Aqymxk=
=rZvg
-----END PGP SIGNATURE-----
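The policy described in this message, sketched as an added example (not code from the original post or from any particular MTA): a secondary MX that makes every decision while the sending client is still connected, so unknown recipients and spam are rejected in-session instead of being queued and bounced later. The class name, thresholds, reply texts and sample addresses are assumptions made for illustration.

```python
import time

GREYLIST_DELAY = 300   # assumed: seconds a new (ip, sender, rcpt) triplet must wait
SPAM_THRESHOLD = 5.0   # assumed: same score cutoff the primary MX would apply


class SecondaryMXPolicy:
    """Hypothetical SMTP-time policy for a backup MX (not tied to a real MTA)."""

    def __init__(self, valid_recipients, clock=time.time):
        # Recipient list is assumed to be synced from the primary MX.
        self.valid_recipients = {r.lower() for r in valid_recipients}
        self.first_seen = {}   # greylist triplet -> time of first attempt
        self.clock = clock

    def rcpt_to(self, client_ip, sender, rcpt):
        """Decide at RCPT TO, before any message data is accepted."""
        if rcpt.lower() not in self.valid_recipients:
            # Rejecting here avoids queueing mail that the primary would
            # refuse, which would force a bounce to a possibly forged sender.
            return 550, "5.1.1 no such user"
        triplet = (client_ip, sender.lower(), rcpt.lower())
        now = self.clock()
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < GREYLIST_DELAY:
            # Temporary failure: a legitimate MTA retries, most spamware does not.
            return 451, "4.7.1 greylisted, try again later"
        return 250, "2.1.5 ok"

    def end_of_data(self, spam_score, virus_found):
        """Decide after DATA, while the client is still waiting for a reply."""
        if virus_found:
            return 554, "5.7.1 message rejected: virus"
        if spam_score >= SPAM_THRESHOLD:
            return 554, "5.7.1 message rejected: spam"
        return 250, "2.0.0 queued for delivery to primary MX"


if __name__ == "__main__":
    # Constructed sample session; addresses use documentation ranges/domains.
    now = [0.0]
    mx2 = SecondaryMXPolicy(["alice@example.org"], clock=lambda: now[0])
    print(mx2.rcpt_to("192.0.2.10", "a@example.net", "nobody@example.org"))
    print(mx2.rcpt_to("192.0.2.10", "a@example.net", "alice@example.org"))
    now[0] += GREYLIST_DELAY
    print(mx2.rcpt_to("192.0.2.10", "a@example.net", "alice@example.org"))
    print(mx2.end_of_data(spam_score=7.2, virus_found=False))
```

Scanning costs CPU only in `end_of_data`, which fits the point above that a slower secondary is acceptable as long as its answer is given in-session.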