Hi Todd-
I actually have .NET executables that do the work, but it can be done with
scripts as well. If you don't have a lot of changes, then once a day or less
would be fine.
You are correct that you are an open relay for your domains. That means you
accept all kinds of junk into your backup server that generates NDRs - a
very bad thing.
Using an aliasing system allows you to accept mail only for known-good
addresses on your main mail server and kick out anything that doesn't match
before your backup accepts it. Saves bandwidth, disk space, and keeps you
from generating those NDRs.
The aliasing works as follows:
Presumably, email is not sent to [EMAIL PROTECTED], but simply to
[EMAIL PROTECTED].
IMail servers always follow a hierarchy in routing mail. First they look
inside to see if the domain is local. If not, then they consult the HOSTS
file, then DNS.
Your main server is local for its domains, in a simplified version of your
example, mail.ourdomain.com and ourdomain.com. This means it accepts mail
for both domains.
The trick is that your backup server also needs to think ourdomain.com is
local to it, in order to accept mail for that domain. Therefore, you need to
forward the mail to another domain - mail.ourdomain.com - which is not
local, but is in the HOSTS file.
You need to set up a domain on your backup server for ourdomain.com, and an
alias for [EMAIL PROTECTED] that forwards the mail to
[EMAIL PROTECTED]. Your HOSTS file will then inform the server that
mail for that address is to be delivered to your main server.
Once all that is set up, your backup will accept mail for your qualified
addresses at ourdomain.com and push it out to those addresses at your main
server, delivering them to mail.ourdomain.com.
-d
----- Original Message -----
From: "Todd Richards" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, December 20, 2006 10:31 AM
Subject: RE: [IMail Forum] Backup Mail Server
Hi Dave -
That is the feeling that I got, that our backup mail server was actually
being "used", rather than waiting quietly. At the same time, I have been
unsure lately how effective it is when it really needs to be used (which
hasn't been much - knock on wood).
I sort of follow what you are talking about, but I'm not quite clear on how
it all works. I'm guessing the volume of your traffic / users is far more
than mine, so I don't know that I would need to do anything 4 times per day.
By setting up the aliases, you are only relaying mail for those aliases, and
nobody else, whereas I'm still kind of an open relay. Correct?
On my primary mail server, I have one "host" (mail.ourdomain.com) configured
on IMail and a bunch of virtual hosts (e.g., hisdomain.com, yourdomain.com,
etc). On the backup mail server, I have one "host" (mail2.ourdomain.com)
configured in IMail, and no virtual hosts.
It sounds like I may have the hosts file part set up correctly as follows
(where 123.45.67.890 is the primary server):
127.0.0.1 localhost
123.45.67.890 mail.ourdomain.com
123.45.67.890 ourdomain.com
123.45.67.890 mail.hisdomain.com
123.45.67.890 hisdomain.com
123.45.67.890 mail.yourdomain.com
123.45.67.890 yourdomain.com
However, I'm still confused on the alias part. Maybe it's just the part of
using the registry, versus actually going into IMail and entering a person.
Also, I'm guessing you have scripts that do this for you the 4 times per
day?
Todd
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Doherty
Sent: Tuesday, December 19, 2006 6:13 PM
To: [email protected]
Subject: Re: [IMail Forum] Backup Mail Server
Hi Todd-
The way you are set up, it seems you will accept all mail, including
dictionary attacks, for your domains. Then your backup MX tries to send out
NDRs when the primary rejects the addresses. That is very bad, as it
effectively doubles the volume of the original dictionary attack and creates
spam itself since dictionary attackers seldom use their own "from"
addresses.
We have a backup MX that uses aliases. Four times a day, we download the
user list from the primary server's registry, convert all the users and
aliases to aliases for mail.domainname.tld, and install that into the
registry. We also rewrite the HOSTS file each time with entries for the IP
of the primary server and mail.domainname.tld for each domain. On the
primary server you need to have domain aliases for mail.domainname.tld so
that it will accept the mail. So incoming mail received at the cache
addressed to, say, [EMAIL PROTECTED] is forwarded through the alias process
to [EMAIL PROTECTED] and sent along to the primary server. This allows us
to reject dictionary attacks with a 550 error rather than a nondelivery
message.
Sandy's LDAP2Aliases script works roughly the same way, except that he uses
LDAP rather than reading the registry.
-Dave Doherty
Skywaves, Inc.
97 Wenster Street
Worcester, MA 01603
508-425-7176
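The mechanism Dave describes in both of his messages above (sync the primary's user list, turn every known address into an alias pointing at mail.<domain>, point mail.<domain> at the primary in HOSTS, and reject unknown recipients with a 550 at RCPT TO instead of accepting and bouncing) can be modelled in a few functions. The following is an added example written for this page; it is not Dave's .NET code, Sandy's LDAP2Aliases, or anything from IMail. It does not touch the IMail registry: the user dump format, the 192.0.2.10 primary address and the sample dictionary-attack recipient list are all constructed here for illustration.

```python
"""Added example: a backup-MX recipient filter built the way the thread
describes. Sync the primary's user/alias list, turn every known address into
an alias that points at mail.<domain>, emit HOSTS entries that send
mail.<domain> to the primary's IP, and answer RCPT TO with 250 only for known
addresses and 550 for everything else (instead of accepting and later
generating an NDR).
"""
from __future__ import annotations

# Assumed placeholder for the primary server's address (TEST-NET-1, RFC 5737).
PRIMARY_IP = "192.0.2.10"

# Constructed sample of a user/alias dump from the primary server:
# one "<domain> <user-or-alias>" pair per line. Not real data.
PRIMARY_USER_DUMP = """\
ourdomain.com todd
ourdomain.com postmaster
hisdomain.com bob
hisdomain.com sales
"""

# Constructed RCPT TO attempts a dictionary attacker might send to the backup.
ATTACK_SAMPLE = [
    "todd@ourdomain.com",      # valid
    "aaron@ourdomain.com",     # guessed, does not exist
    "abby@ourdomain.com",      # guessed, does not exist
    "bob@hisdomain.com",       # valid
    "admin@hisdomain.com",     # guessed, does not exist
    "root@notours.example",    # not one of our domains at all
]


def parse_user_dump(text: str) -> dict[str, set[str]]:
    """Return {domain: {local-part, ...}} from the dump format above."""
    users: dict[str, set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, local = line.split(None, 1)
        users.setdefault(domain.lower(), set()).add(local.strip().lower())
    return users


def build_aliases(users: dict[str, set[str]]) -> dict[str, str]:
    """user@domain -> user@mail.domain. mail.<domain> is deliberately NOT a
    local domain on the backup, so the backup relays to it (via HOSTS) rather
    than delivering locally."""
    return {
        f"{local}@{domain}": f"{local}@mail.{domain}"
        for domain, locals_ in users.items()
        for local in sorted(locals_)
    }


def build_hosts(users: dict[str, set[str]], primary_ip: str) -> str:
    """HOSTS file text: every mail.<domain> resolves to the primary."""
    lines = ["127.0.0.1 localhost"]
    lines += [f"{primary_ip} mail.{domain}" for domain in sorted(users)]
    return "\n".join(lines) + "\n"


def rcpt_to(address: str, aliases: dict[str, str]) -> tuple[int, str]:
    """SMTP RCPT TO decision on the backup MX.

    250: known alias, will be forwarded to the primary.
    550: one of our domains but unknown user, or a domain we are not MX for.
         (An open backup relay answers 250 to both and generates an NDR later.)
    """
    addr = address.strip().strip("<>").lower()
    if "@" not in addr:
        return 501, "5.1.3 Bad recipient address syntax"
    local_part, domain = addr.rsplit("@", 1)
    local_domains = {key.rsplit("@", 1)[1] for key in aliases}
    if domain not in local_domains:
        return 550, "5.7.1 Relaying denied"
    target = aliases.get(addr)
    if target is None:
        return 550, "5.1.1 User unknown"
    return 250, f"2.1.5 Recipient OK, forwarding to {target}"


def simulate_attack(recipients: list[str], aliases: dict[str, str]) -> dict[str, int]:
    """Compare what a dictionary attack costs under each policy.

    'open_relay' accepts every address in a local domain and bounces the bad
    ones afterwards; 'alias_filter' rejects them at RCPT TO instead.
    """
    local_domains = {key.rsplit("@", 1)[1] for key in aliases}
    accepted_open = sum(
        1 for r in recipients if r.lower().rsplit("@", 1)[-1] in local_domains
    )
    accepted_filtered = sum(1 for r in recipients if rcpt_to(r, aliases)[0] == 250)
    return {
        "attempts": len(recipients),
        "open_relay_accepted": accepted_open,
        "open_relay_ndrs": accepted_open - accepted_filtered,
        "alias_filter_accepted": accepted_filtered,
        "alias_filter_rejected_550": len(recipients) - accepted_filtered,
    }


if __name__ == "__main__":
    users = parse_user_dump(PRIMARY_USER_DUMP)
    aliases = build_aliases(users)
    print(build_hosts(users, PRIMARY_IP))
    for rcpt in ATTACK_SAMPLE:
        print(rcpt, "->", rcpt_to(rcpt, aliases))
    print(simulate_attack(ATTACK_SAMPLE, aliases))
```

The point of `simulate_attack` is the one Dave makes: every guessed address the open backup accepts becomes an NDR sent to a forged sender, so the backup turns into a backscatter source; with the alias table in place the same guesses are refused during the SMTP session and nothing is queued. The real sync step (reading IMail's registry or LDAP and writing the alias entries) is what his executables and Sandy's script do; this example only models the resulting decision logic.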
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/