Re: Best practice for TLS/DNS Setup for exim

2020-05-19 Thread Dan Ritter
Rainer Dorsch wrote: 
> On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> > Rainer Dorsch wrote:
> > I think you're overcomplicating it.
> > 
> > Your domain can and should have two or more MX records, with
> > different priority levels. The MX records don't even have to
> > point to names in your domain.
> > 
> > Since you're using Let's Encrypt, certificates are free. So,
> > for each mail server, set up an A and/or  record. Add those
> > to the MX records for your domain. Have LE produce certificates
> > for the mail servers under the names they have assigned.
> > 
> > Any mail sender will try each of your MX records, stopping when
> > it gets to a working entry. Some spammers will try in reverse
> > order, hoping that you don't have anti-spam measures on your
> > secondary mail server.
> > 
> 
> Just curious, if I have multiple MX records, how would you sync the incoming
> emails (*)? I can see with an NFS mounted home directory with Maildir
> mailboxes that could work and dovecot could probably run on multiple hosts (or
> at least it would be possible to switch the imap DNS entry if needed). But
> then the NFS server is the single point of failure. Are there better ways to
> sync the mail servers behind the MX records than NFS?

Yes. dovecot-sync is quite fast relative to most mailservers.

-dsr-



Re: Best practice for TLS/DNS Setup for exim

2020-05-19 Thread Greg Wooledge
On Tue, May 19, 2020 at 05:10:33PM +0200, Rainer Dorsch wrote:
> Just curious, if I have multiple MX records, how would you sync the incoming
> emails (*)? I can see with an NFS mounted home directory with Maildir
> mailboxes that could work and dovecot could probably run on multiple hosts (or
> at least it would be possible to switch the imap DNS entry if needed). But
> then the NFS server is the single point of failure. Are there better ways to
> sync the mail servers behind the MX records than NFS?

You're assuming the secondary MX performs actual local deliveries.  That's
not normally the case.  A secondary MX usually just queues up the messages
for SMTP delivery to the primary MX.



Re: Best practice for TLS/DNS Setup for exim

2020-05-19 Thread Rainer Dorsch
On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > Hi,
> > 
> > I am just wondering how an efficient setup for TLS/DNS for exim looks:
> > 
> > Right now I have an A entry in the DNS server for smtp. and a
> > letsencrypt certificate as well.
> > 
> > If I set up a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> > 
> > Does anybody know if I can have a certificate for .
> > and use for smtp a CNAME?
> > 
> > The advantage I would see is that I can have a fully functional config and
> > with disabling the SMTP name on the old system and changing the CNAME in
> > the DNS system, I could be done.
> > 
> > Does anybody know if the standard email clients can handle the situation in
> > which they get as SMTP server a cname and as certificate the  the
> > SMTP cname points to?
> 
> I think you're overcomplicating it.
> 
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
> 
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or  record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
> 
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.
> 

Just curious, if I have multiple MX records, how would you sync the incoming 
emails (*) ? I can see with an NFS mounted home directory with Maildir 
mailboxes that could work and dovecot could probably run on multiple hosts (or 
at least it would be possible to switch the imap DNS entry if needed). But 
then the NFS server is the single point of failure. Are there better ways to 
sync the mail servers behind the MX records than NFS?

Thanks
Rainer

(*) it would be some fun to present to the user multiple mail boxes and emails 
are "randomly" distributed into them :-D

-- 
Rainer Dorsch
http://bokomoko.de/




Re: Best practice for TLS/DNS Setup for exim

2020-05-19 Thread Rainer Dorsch
On Tuesday, 19 May 2020, 16:15:36 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > On Monday, 18 May 2020, 20:50:49 CEST, Dan Ritter wrote:
> > > Rainer Dorsch wrote:
> > > > I was more concerned about the outgoing server configured in the email
> > > > clients and used to send mail from my domain (at least so far I did not
> > > > understand that they can make use of the MX record).
> > > 
> > > It depends on the MTA you choose for your email clients, but
> > > unless you choose the very simplest systems, they can be
> > > configured to look up the MX record and use that. (Postfix has a
> > > fallback_relay option, Exim can accept multiple hosts in a
> > > route_list statement, and so forth.)
> > 
> > Thanks again for your reply.
> > 
> > But what about a client like Thunderbird, kmail or Android mail clients.
> > They need an *outgoing* server.
> > 
> > Do they handle MX records?
> 
> No, if you need high availability for those, you need load
> balancing. DNS is not a good way of doing that; consider
> ldirectord or haproxy or pound, and remember that you will need
> at least two of those machines in a STONITH configuration.
> 
> In any of these cases, you'll configure all your mail servers to
> answer as smtp.domain with the same TLS certificate.

Many thanks again. No, HA was not my primary motivation here.

It seems I have to 

1. Setup exim (done by now)
2. copy TLS certificates for smtp. to new server
3. for testing tweak dns for a client to resolve smtp. to the new 
server
4. changing the smtp. entry to new server
5. setup certbot to update the copied smtp TLS certificates

I had hoped to get around copying the TLS certificates, then getting certbot
running, and tweaking the client's DNS by

1. get TLS certificate for smtp2.
2. Setup exim
3. test with smtp2.
4. change DNS entry to e.g. make smtp CNAME smtp2

I see the last step does not work, but it is not a big hassle overall to 
follow the first procedure (I hope :-) )

Rainer




-- 
Rainer Dorsch
http://bokomoko.de/
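The reason the shorter procedure's last step does not work is worth making concrete, because it is a security property rather than a client limitation. The following is an added example, not code from the thread or from exim: it implements the RFC 6125 name-matching rules a mail client applies to the server certificate and shows that the CNAME target plays no part in that check. Every hostname in it (smtp.example.org, smtp2.example.org) is a constructed stand-in for the thread's "smtp.<domain>" and "smtp2.<domain>".

```python
"""Added example, not code from the thread: why pointing the old name at the
new host with a CNAME does not make the new host's certificate valid for the
old name, and what does.

A mail client configured with outgoing server smtp.example.org checks the
server certificate against that configured name, not against whatever the
CNAME resolves to. That is deliberate: if clients accepted a certificate for
the alias target, anyone able to spoof the DNS answer could redirect
smtp.example.org to a host they hold a valid certificate for. The rules below
follow RFC 6125 for dNSName SAN entries (case-insensitive labels, a wildcard
only as the entire left-most label, never spanning label boundaries).
Every hostname here is a constructed placeholder.
"""
from typing import Iterable, List, Optional


def _san_matches(san: str, name: str) -> bool:
    """Match one configured name against one dNSName SAN entry."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in san:
        return san == name
    s_labels, n_labels = san.split("."), name.split(".")
    # Wildcard must be the whole left-most label, must leave at least two
    # literal labels ("*.org" is refused), and matches exactly one label.
    if s_labels[0] != "*" or len(s_labels) < 3 or len(s_labels) != len(n_labels):
        return False
    return s_labels[1:] == n_labels[1:] and n_labels[0] != ""


def cert_covers(configured_name: str, san_dns_names: Iterable[str]) -> bool:
    """True if the name the client was configured with is in the cert's SANs."""
    return any(_san_matches(san, configured_name) for san in san_dns_names)


def cutover_outcome(configured_name: str, cname_target: Optional[str],
                    san_dns_names: Iterable[str]) -> str:
    """What a client will see after the DNS change. The CNAME target is
    passed in only so the failure message can point at the usual mistake;
    verification itself never consults it."""
    sans: List[str] = list(san_dns_names)
    if cert_covers(configured_name, sans):
        return "ok"
    if cname_target and cert_covers(cname_target, sans):
        return "fail: certificate names the CNAME target, not the configured name"
    return "fail: certificate covers none of the names"


if __name__ == "__main__":
    # The plan from the thread: smtp -> CNAME -> smtp2, cert issued for smtp2 only.
    print(cutover_outcome("smtp.example.org", "smtp2.example.org",
                          ["smtp2.example.org"]))
    # The fix: one certificate carrying both names.
    print(cutover_outcome("smtp.example.org", "smtp2.example.org",
                          ["smtp2.example.org", "smtp.example.org"]))
```

What this buys in practice: issue the new host's certificate with both names (certbot accepts several `-d` options on one request) and the CNAME cut-over works, the copy-the-certificates and fix-certbot-afterwards steps of the longer procedure fall away, and the same certificate is what exim's `tls_certificate` serves whichever name the client connected to. With the HTTP-01 challenge the old name must already resolve to the new host at issuance time; the DNS-01 challenge has no such requirement.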




Re: Best practice for TLS/DNS Setup for exim

2020-05-19 Thread Dan Ritter
Rainer Dorsch wrote: 
> On Monday, 18 May 2020, 20:50:49 CEST, Dan Ritter wrote:
> > Rainer Dorsch wrote:
> > > I was more concerned about the outgoing server configured in the email
> > > clients and used to send mail from my domain (at least so far I did not
> > > understand that they can make use of the MX record).
> > 
> > It depends on the MTA you choose for your email clients, but
> > unless you choose the very simplest systems, they can be
> > configured to look up the MX record and use that. (Postfix has a
> > fallback_relay option, Exim can accept multiple hosts in a
> > route_list statement, and so forth.)
> 
> Thanks again for your reply.
> 
> But what about a client like Thunderbird, kmail or Android mail clients. They 
> need an *outgoing* server.
> 
> Do they handle MX records?

No, if you need high availability for those, you need load
balancing. DNS is not a good way of doing that; consider
ldirectord or haproxy or pound, and remember that you will need
at least two of those machines in a STONITH configuration.

In any of these cases, you'll configure all your mail servers to
answer as smtp.domain with the same TLS certificate.

-dsr-



Re: Best practice for TLS/DNS Setup for exim

2020-05-18 Thread Rainer Dorsch
On Monday, 18 May 2020, 20:50:49 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> > > I think you're overcomplicating it.
> > > 
> > > Your domain can and should have two or more MX records, with
> > > different priority levels. The MX records don't even have to
> > > point to names in your domain.
> > > 
> > > Since you're using Let's Encrypt, certificates are free. So,
> > > for each mail server, set up an A and/or  record. Add those
> > > to the MX records for your domain. Have LE produce certificates
> > > for the mail servers under the names they have assigned.
> > > 
> > > Any mail sender will try each of your MX records, stopping when
> > > it gets to a working entry. Some spammers will try in reverse
> > > order, hoping that you don't have anti-spam measures on your
> > > secondary mail server.
> > 
> > Thanks, Dan, for your quick reply. I was not concerned about incoming mail
> > to my domain using the MX record.
> > 
> > I was more concerned about the outgoing server configured in the email
> > clients and used to send mail from my domain (at least so far I did not
> > understand that they can make use of the MX record).
> 
> It depends on the MTA you choose for your email clients, but
> unless you choose the very simplest systems, they can be
> configured to look up the MX record and use that. (Postfix has a
> fallback_relay option, Exim can accept multiple hosts in a
> route_list statement, and so forth.)

Thanks again for your reply.

But what about a client like Thunderbird, kmail or Android mail clients. They 
need an *outgoing* server.

Do they handle MX records?

Thanks
Rainer
-- 
Rainer Dorsch
http://bokomoko.de/




Re: Best practice for TLS/DNS Setup for exim

2020-05-18 Thread Dan Ritter
Rainer Dorsch wrote: 
> On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> > I think you're overcomplicating it.
> > 
> > Your domain can and should have two or more MX records, with
> > different priority levels. The MX records don't even have to
> > point to names in your domain.
> > 
> > Since you're using Let's Encrypt, certificates are free. So,
> > for each mail server, set up an A and/or  record. Add those
> > to the MX records for your domain. Have LE produce certificates
> > for the mail servers under the names they have assigned.
> > 
> > Any mail sender will try each of your MX records, stopping when
> > it gets to a working entry. Some spammers will try in reverse
> > order, hoping that you don't have anti-spam measures on your
> > secondary mail server.
> 
> Thanks, Dan, for your quick reply. I was not concerned about incoming mail to 
> my domain using the MX record.
> 
> I was more concerned about the outgoing server configured in the email clients
> and used to send mail from my domain (at least so far I did not understand
> that they can make use of the MX record).

It depends on the MTA you choose for your email clients, but
unless you choose the very simplest systems, they can be
configured to look up the MX record and use that. (Postfix has a
fallback_relay option, Exim can accept multiple hosts in a
route_list statement, and so forth.)

Finally, you could set up each of your mail servers to call
themselves smtp.domain, and use any number of failover
mechanisms to get a single IP to whichever one is live.

In practice, you probably should not bother with that. 

-dsr-



Re: Best practice for TLS/DNS Setup for exim

2020-05-18 Thread Rainer Dorsch
On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > Hi,
> > 
> > I am just wondering how an efficient setup for TLS/DNS for exim looks:
> > 
> > Right now I have an A entry in the DNS server for smtp. and a
> > letsencrypt certificate as well.
> > 
> > If I set up a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> > 
> > Does anybody know if I can have a certificate for .
> > and use for smtp a CNAME?
> > 
> > The advantage I would see is that I can have a fully functional config and
> > with disabling the SMTP name on the old system and changing the CNAME in
> > the DNS system, I could be done.
> > 
> > Does anybody know if the standard email clients can handle the situation in
> > which they get as SMTP server a cname and as certificate the  the
> > SMTP cname points to?
> 
> I think you're overcomplicating it.
> 
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
> 
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or  record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
> 
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.

Thanks, Dan, for your quick reply. I was not concerned about incoming mail to 
my domain using the MX record.

I was more concerned about the outgoing server configured in the email clients 
and used to send mail from my domain (at least so far I did not understand 
that they can make use of the MX record).

Thanks
Rainer


-- 
Rainer Dorsch
http://bokomoko.de/




Re: Best practice for TLS/DNS Setup for exim

2020-05-18 Thread Dan Ritter
Rainer Dorsch wrote: 
> Hi,
> 
> I am just wondering how an efficient setup for TLS/DNS for exim looks:
> 
> Right now I have an A entry in the DNS server for smtp. and a 
> letsencrypt certificate as well.  
> 
> If I set up a new server and call it SMTP2, I need to reconfigure this in all
> my email clients. If I install the SMTP certificates, testing is somewhat
> limited, since the DNS entry still points to another server and I would need
> to fake this.
> 
> Does anybody know if I can have a certificate for . and 
> use for smtp a CNAME?
> 
> The advantage I would see is that I can have a fully functional config and
> with disabling the SMTP name on the old system and changing the CNAME in the
> DNS system, I could be done.
> 
> Does anybody know if the standard email clients can handle the situation in
> which they get as SMTP server a cname and as certificate the  the
> SMTP cname points to?

I think you're overcomplicating it.

Your domain can and should have two or more MX records, with
different priority levels. The MX records don't even have to
point to names in your domain.

Since you're using Let's Encrypt, certificates are free. So,
for each mail server, set up an A and/or  record. Add those
to the MX records for your domain. Have LE produce certificates
for the mail servers under the names they have assigned.

Any mail sender will try each of your MX records, stopping when
it gets to a working entry. Some spammers will try in reverse
order, hoping that you don't have anti-spam measures on your
secondary mail server.

-dsr-
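Two things in this thread are easy to state and worth seeing in code: the order in which a sending MTA walks a domain's MX records (Dan's answer above), and the consequence of Greg's point elsewhere in the thread that a backup MX only queues for the primary, namely that a sender which only ever shows up on the backup is behaving unlike a normal MTA. The block below is an added example, not code from the thread or from exim. The MX set, the hostnames, the addresses and the Exim main-log arrival lines are all constructed for the example; only the `<= sender H=host [ip]` shape of the log line is Exim's.

```python
"""Added example, not code from the thread: the order a sending MTA tries a
domain's MX hosts, and a log check for the "spammers try the backup first"
behaviour described in the thread.

RFC 5321 section 5.1: targets are tried in ascending preference value;
among equal preferences the order is random. A backup MX normally does not
deliver locally, it queues for the primary, so both hosts must apply the
same acceptance policy; the check below flags peers that look as if they
are counting on that not being the case. Everything here is constructed:
the MX set, hostnames, addresses and log lines.
"""
import random
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (preference, target) as returned by an MX query. The third target lives
# outside the domain it serves, which MX records allow.
MX_RECORDS: List[Tuple[int, str]] = [
    (20, "mx2.example.org."),
    (10, "mx1.example.org."),
    (20, "backup.friend.example."),
]


def mx_attempt_order(records: List[Tuple[int, str]],
                     seed: Optional[int] = None) -> List[str]:
    """Order a well-behaved MTA tries hosts in: lowest preference first,
    ties shuffled so equal-preference hosts share the load."""
    rng = random.Random(seed)
    by_pref: Dict[int, List[str]] = defaultdict(list)
    for pref, target in records:
        by_pref[pref].append(target.rstrip("."))
    order: List[str] = []
    for pref in sorted(by_pref):
        group = by_pref[pref][:]
        rng.shuffle(group)
        order.extend(group)
    return order


# Exim main-log message-arrival line; only the remote address is needed.
# H= may read "helo (verified) [ip]", so match lazily up to the bracket.
ARRIVAL = re.compile(r" <= \S+ H=.*?\[(?P<ip>[0-9a-fA-F.:]+)\]")


def _peers(log: str) -> Set[str]:
    return {m.group("ip") for m in ARRIVAL.finditer(log)}


def backup_only_peers(primary_log: str, backup_log: str) -> Set[str]:
    """Addresses that delivered to the backup MX and never to the primary.
    Assumes both logs cover the same window and the primary was up; a
    legitimate MTA falls back to a secondary only when the primary failed."""
    return _peers(backup_log) - _peers(primary_log)


# Constructed sample logs (RFC 5737 documentation addresses).
PRIMARY_LOG = """\
2020-05-19 10:01:02 1jb2Xk-0001Ab-2Q <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtps S=1432
2020-05-19 10:03:14 1jb2Zn-0001Af-1T <= list@lists.example.com H=out.lists.example.com [198.51.100.7] P=esmtps S=9021
"""
BACKUP_LOG = """\
2020-05-19 10:02:40 1jb2Yz-0000Gq-3L <= promo@cheap.example H=cheap.example [203.0.113.45] P=esmtp S=2201
2020-05-19 10:05:55 1jb2cR-0000Gu-0F <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtps S=1010
"""

if __name__ == "__main__":
    print(mx_attempt_order(MX_RECORDS))
    print(backup_only_peers(PRIMARY_LOG, BACKUP_LOG))
```

The set this returns is a starting point for review, not a blocklist: a host that legitimately retried on the backup during a primary outage lands in it too, so correlate with the primary's downtime before acting on it. The durable fix is the one implied by the thread, the same anti-spam configuration on every MX host.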



Best practice for TLS/DNS Setup for exim

2020-05-18 Thread Rainer Dorsch
Hi,

I am just wondering how an efficient setup for TLS/DNS for exim looks:

Right now I have an A entry in the DNS server for smtp. and a 
letsencrypt certificate as well.  

If I set up a new server and call it SMTP2, I need to reconfigure this in all my 
email clients. If I install the SMTP certificates, testing is somewhat limited, 
since the DNS entry still points to another server and I would need to fake 
this.

Does anybody know if I can have a certificate for . and 
use for smtp a CNAME?

The advantage I would see is that I can have a fully functional config and with 
disabling the SMTP name on the old system and changing the CNAME in the DNS 
system, I could be done.

Does anybody know if the standard email clients can handle the situation in 
which they get as SMTP server a cname and as certificate the  the 
SMTP cname points to?

Many thanks
Rainer

-- 
Rainer Dorsch
http://bokomoko.de/