Roger E. Rustad, Jr. said:
> I have an ASSP antivirus relay setup (http://assp.sourceforge.net)
> that's currently filtering spam and viruses for one domain. I'd like for it
> to do the same for other domains, but would like to make sure if (for
> whatever reason) the relay is down, mail still gets through. I am also
> setting up an MX backup through DNS Made Easy for like $8/year.
>
> My question: what would my DNS look like? Something like this, I
> suppose:
>
> primary: mail relay (which forwards to my MTA)
> secondary: directly to the MTA
> tertiary: to the MX backup

If your systems are both healthy and well maintained then create DNS
records that give both of them equal MX costs, say 10. You can also create
A records that have the IP of both systems for the same host name. Use a
short TTL of say 30 to 60 minutes - shorter the better if your DNS server
is fast and can handle the load. This sets up a rather clean pseudo load
balanced system that is quite fault tolerant with no human intervention.
If either system dies the other will take the load for the duration. Any
systems that have cached the IP of the dead system will refresh in TTL
minutes with a 50/50 chance of getting the good one, but by then the dead
one should be fixed :)

MX record:

                              IN MX 10 mx1.somedomain.com.
                              IN MX 10 mx2.somedomain.com.
                              IN MX 5  mx.somedomain.com.
; zone-file TTL values are in seconds: 1800 = 30 minutes
mx1.somedomain.com.           IN A 10.1.1.1
mx2.somedomain.com.           IN A 10.1.1.2
mx.somedomain.com.       1800 IN A 10.1.1.1
                         1800 IN A 10.1.1.2

Mail goes to mx because of the lower cost (5), not that spammers give a rip
- they'll send it wherever you have a server listening. You can also
leave out the MX 10 records entirely and rely only on round robin - just
use the A records for mx.somedomain.com or use only the MX records for mx1
and mx2 and ignore mx.

Here's a URL with some useful info:
http://www.zytrax.com/books/dns/ch9/rr.html

If you do something like this be sure your filters are the same on both
systems or one will bounce mail from the other and you'll wind up NDR'ing
innocent bystanders.

dp
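
Added example, not part of the original post or of any project mentioned in it: a check for the point made above that senders will deliver to any listed MX regardless of cost, so every MX target must resolve to a host running the same filters. The zone text, the `mta` host, its 10.1.1.3 address and the function names are constructed for illustration; the zone mirrors the question's idea of a fallback MX pointing straight at the MTA.

```python
# Added example: flag MX targets that resolve to hosts outside the filtered set.
# Constructed zone data: the 'mta' host and 10.1.1.3 are assumptions.
ZONE = """\
$ORIGIN somedomain.com.
@       IN MX 10 mx
@       IN MX 20 mta        ; fallback straight to the MTA, as the question proposed
mx      1800 IN A 10.1.1.1
        1800 IN A 10.1.1.2
mta     1800 IN A 10.1.1.3
"""
FILTERED_IPS = {"10.1.1.1", "10.1.1.2"}  # assumption: both run identical filters

def absolute(name, origin):
    """Expand '@' and relative names against $ORIGIN, as a zone file does."""
    if name == "@":
        return origin.lower()
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text):
    """Return ([(owner, preference, target)], {host: {ip, ...}}) for MX and A records."""
    origin, last, mx, a = "", None, [], {}
    for line in text.splitlines():
        line = line.split(";")[0]          # drop zone-file comments
        tok = line.split()
        if not tok:
            continue
        if tok[0].upper() == "$ORIGIN":
            origin = tok[1]
            continue
        if line[0].isspace():              # blank owner: reuse the previous owner
            owner, fields = last, tok
        else:
            owner = last = absolute(tok[0], origin)
            fields = tok[1:]
        if "MX" in fields:
            i = fields.index("MX")
            mx.append((owner, int(fields[i + 1]), absolute(fields[i + 2], origin)))
        elif "A" in fields:
            a.setdefault(owner, set()).add(fields[fields.index("A") + 1])
    return mx, a

def unfiltered_mx(mx, a, filtered_ips):
    """List (preference, target, ip) for every MX path that skips the filters."""
    findings = []
    for _owner, pref, target in mx:
        addrs = a.get(target) or {None}    # None marks an MX target with no A record
        findings += [(pref, target, ip) for ip in addrs if ip not in filtered_ips]
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))
```

An empty result means every advertised MX lands on a filtering host; any finding is a delivery path that bypasses the filter no matter what MX cost it carries.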