If users are added in main MX, how can they be synchronized to backup MX
for relay access?
Thanks
On 2024-10-29 23:11, Viktor Dukhovni via Postfix-users wrote:
On Tue, Oct 29, 2024 at 09:44:16PM +0800, Adriel via Postfix-users wrote:
I would like to set up two MX servers with equal priority, both using
Postfix as the MTA software. One MX server resides on the same physical
machine as the Dovecot service, and I am familiar with their configuration.
However, the other MX server is located in a remote data center separate
from Dovecot. Could you advise on how to properly configure these two MX
servers to ensure they work correctly together?
It is unclear why you want the distant MX to have equal priority, and
not just be a backup. A sketch of a configuration is:
    example.net. IN MX 0 primary.example.net.
    example.net. IN MX 10 backup.example.net.

backup.example.net:

    main.cf:
        relay_domains = example.net
        relay_recipient_maps = ... some complete table of valid recipients ...
        relay_transport = relay:[primary.example.net]
        smtpd_relay_restrictions = reject_unauth_destination
        smtpd_recipient_restrictions =
            ... various anti-spam measures ...

    master.cf:
        relay unix ... smtp
            # Assumes relay nexthop appears in peer certificate,
            # which can be verified.
            #
            # You could also go with "dane-only" instead, if you have
            # DNSSEC and DANE TLSA records for the primary, and have
            # working monitoring and robust cert rollover process that
            # does not invalidate the TLSA records as keys/certs roll
            # over.
            #
            -o { smtp_tls_security_level = secure }
            -o { smtp_tls_CAfile = ... file with just expected root CAs ... }

primary.example.net:

    main.cf:
        mynetworks = ... IP address of backup MX ...
        virtual_mailbox_domains = example.net
        virtual_mailbox_maps = ... some complete table of valid recipients ...
        smtpd_relay_restrictions = reject_unauth_destination
        smtpd_recipient_restrictions =
            permit_mynetworks,
            ... various anti-spam measures ...
        # Nexthop may be an LMTP unix-domain socket or [127.0.0.1]
        #
        # With a pipe(8) transport you probably want a recipient limit
        # of 1 since there's no way to indicate which recipients
        # failed.
        #
        virtual_transport = dovecot:...
You could perhaps go to the trouble of delivering from the remote system
to Dovecot via LMTP over a TLS encrypted and authenticated connection,
but that requires some skill to set up, easier to just relay the mail
to the primary via SMTP which requires a better MX priority on the primary.
Probably also enable TLS on both ends, and require TLS from secondary to primary via:
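The sketch above keeps the same "complete table of valid recipients" on both hosts: virtual_mailbox_maps on the primary, relay_recipient_maps on the backup. As an added example that is not code from the thread, the script below derives the backup's relay_recipient_maps source from the primary's virtual_mailbox_maps source and models which RCPT TO addresses the backup then accepts under reject_unauth_destination; the file contents are constructed and the function names are my own.

```python
"""Derive a backup MX's relay_recipient_maps from the primary's virtual_mailbox_maps.

Added example, not from the Postfix-users thread. If the backup's recipient
table lags behind the primary's, the backup accepts mail for unknown users
and must bounce it later, so the two tables should be regenerated together.
"""

# Constructed sample of the primary's virtual_mailbox_maps source file
# (postmap(1) input: "key value", comments and blank lines ignored).
PRIMARY_VMAILBOX = """\
# virtual_mailbox_maps on primary.example.net (constructed sample)
alice@example.net       example.net/alice/
bob@example.net         example.net/bob/
postmaster@example.net  example.net/postmaster/
"""


def parse_postmap_source(text):
    """Return the set of lookup keys in a postmap(1) source file.

    A logical line starts in column 1; a line starting with whitespace
    continues the previous value and carries no new key.
    """
    keys = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            continue  # continuation of the previous logical line's value
        keys.add(line.split(None, 1)[0].lower())
    return keys


def render_relay_recipient_maps(addresses):
    """Emit relay_recipient_maps source text.

    Postfix only tests whether the key exists; the value is arbitrary,
    so "OK" is used as a conventional placeholder.
    """
    return "".join(f"{addr} OK\n" for addr in sorted(addresses))


def backup_mx_accepts(rcpt, relay_domains, relay_recipients):
    """Model the backup MX: reject_unauth_destination plus relay_recipient_maps.

    Accept only a recipient whose domain is in relay_domains *and* whose
    full address is a known relay recipient; everything else is rejected
    at RCPT time rather than accepted and bounced later.
    """
    rcpt = rcpt.lower()  # Postfix folds lookup keys to lowercase by default
    domain = rcpt.rpartition("@")[2]
    if domain not in relay_domains:
        return False  # not one of our domains: no unauthorized relaying
    return rcpt in relay_recipients
```

Run the exported text through postmap(1) on the backup and point relay_recipient_maps at the resulting table; the same source file can drive virtual_mailbox_maps on the primary so the two stay in step.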
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org