"In this scenario you are protected against overload" Not hardly. In this case you will have TWO servers that accept ALL mail and then pass them on to Imail, which now has to put up with TWICE the junk. A single backup server that cannot do invalid recip rejections is enough to bring Imail to its knees in many cases, your config multiplies this by 2.
If BOTH of those gateway servers did invalid recip rejections (using, for instance, Sandy's scripts), then you've got a good configuration. But Imail does not do this itself in a gateway/backup situation, and that is the problem. It MUST be done using third-party tools.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of MIS Dept
Sent: Thursday, May 05, 2005 3:22 PM
To: [email protected]
Subject: [IMail Forum] One or two or three backup MX servers

At 11:42 AM 5/5/2005, you wrote:
>Case resolved.
>
>And actually this is a MAJOR drawback to ever use the Max invalid rcpt
>at the SMTP connection registry fix, when you have a secondary MX.
>
>What was happening is that since my Primary MX was closing connection
>on invalid addresses, all the attacks were reverting to the "friendlier"
>secondary MX that wasn't closing connections. Add all the closed
>connections (after 2 invalid) attacks redirected to the secondary MX
>and the secondary MX trying to resend the undeliverable every 3 hours,
>failing after 2 invalids, re-queuing, trying again in 3 hours, failing
>after 2 invalids, re-queuing, etc, etc, etc....
>
>Results: 5000++ emails queued and constantly growing on the secondary MX.
>
>Resolution: Undo the reg fix and let my server be attacked like usual
>
>Does anyone have some suggestions on how to prevent those dictionary
>attacks?

I think the solution depends on if you own or manage the secondary/backup MX server or you don't. If it is managed by your ISP, I think it would be ideal to have the secondary MX server disabled while your primary server is up and running. But that secondary MX server should have a proven method of checking the status of your primary server 24/7 and as soon as it notices that your primary is down, then AND ONLY THEN enables your secondary MX server. I don't have a clue if this method exists and is used widely by ISPs for their clients, I haven't had time to dig into this subject in more depth.
If you operate your own backup MX server, then I think the best scenario is to have 3 computers with Imail installed on them:

1. Main Imail server, primary email server, fully hidden from the outside world.
2. MX gateway with Imail on it, Primary
3. MX gateway with Imail on it, Backup

In this scenario you are protected against overload, AND Main Imail server failure, but you are not protected against problems of power outage at your location or if your Internet connection is down for hours or days. To have a protection/backup solution for that, you would still need an external MX server off site, but then we are already talking about 4 mail servers altogether, 3 on site, 1 off site, and there comes the question: Who controls the 4th MX gateway? How do they know when to kick that puppy in? Here I got to the end of the chain of my thoughts, anyone would like to finish it or scrap the whole thing and suggest an ideal solution if any?

(After all, once you own one license of Imail server, you can install it on more than one server at the same site for MX gateway purposes, they don't even need to be a Pentium 4 machine.)

Geza

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
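
The difference discussed in this thread between a gateway that accepts every recipient and one that rejects invalid recipients, as an added example that is not code from either poster, from Imail, or from the scripts mentioned above. The class, function names, addresses and the idea of a synced valid-recipient list are assumptions made for illustration.

```python
# Added example: toy model of RCPT TO handling on an MX gateway.
# All names and addresses are constructed; this is not Imail code.

class GatewaySession:
    """One inbound SMTP session on a gateway relaying to the main server."""

    def __init__(self, valid_recipients, validate, max_invalid=2):
        # Assumption: the valid-recipient list is exported from the main
        # server and kept in sync on every gateway.
        self.valid = {r.lower() for r in valid_recipients}
        self.validate = validate
        self.max_invalid = max_invalid
        self.invalid_seen = 0
        self.closed = False
        self.queued = []  # recipients accepted, to be relayed to the main server

    def rcpt_to(self, address):
        """Return the SMTP reply this gateway gives for one RCPT TO."""
        if self.closed:
            return "421 connection closed"
        addr = address.strip().lower()
        if self.validate and addr not in self.valid:
            self.invalid_seen += 1
            if self.invalid_seen >= self.max_invalid:
                self.closed = True
                return "421 too many invalid recipients"
            return "550 5.1.1 user unknown"
        self.queued.append(addr)
        return "250 OK"


def queued_for_relay(validate, attempts, valid_recipients):
    """Run one session and count recipients the gateway has to queue."""
    session = GatewaySession(valid_recipients, validate)
    for address in attempts:
        session.rcpt_to(address)
    return len(session.queued)


# Constructed sample: one real user followed by 50 guessed addresses.
VALID = ["alice@example.com", "bob@example.com"]
ATTEMPTS = ["alice@example.com"] + [f"user{i}@example.com" for i in range(50)]

if __name__ == "__main__":
    print("accept-all gateway queues:", queued_for_relay(False, ATTEMPTS, VALID))
    print("validating gateway queues:", queued_for_relay(True, ATTEMPTS, VALID))
```

Every recipient the accept-all gateway queues still has to be handed to the main server, which is the load the first reply describes.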
