Hi all,
Here is my conclusion:
Many experts seem to have this same opinion: give the 2nd, 3rd, etc.
mail server the same defence (antivirus, antispam) as the primary one,
because the spammer knows the weak point/path to spam.
So I decided to 'join' all the experts that posted the above idea.
Thanks for your comments and help
Cheers
Joshua
Alan Premselaar wrote:
Joshua, C.S. Chen wrote:
Looks like I have to enable SA in the 2nd server. It might be a spam
hole if the spam is sent to the 2nd first, then forcibly relayed to the primary.
Sorry for the late response, I'm just catching up on some backlog.
Here's my personal opinion: your secondary mail server should have
stronger restrictions on it than your primary mail server.
The reason I say this is because for some time now it has been a common
spammer practice to hit your secondary, tertiary, etc. MX servers first
with the assumption that they are typically configured with fewer
restrictions or merely, as yours is, as a store-and-forward.
For specific reasons I'm unable to implement greylisting on my primary
MX server however, it's perfectly acceptable for me to enable it on my
secondary MX server.
On top of that, I have valid user checks, antivirus checks and share the
bayes database (using MySQL) with the primary MX server for
spamassassin checks.
Because your secondary MX is in place for "in case the primary mail
server fails" you should have to have the same kind of horsepower. My
secondary server is significantly lower powered than my primary MX server.
In the case that the primary server is still running, the secondary will
most likely only be dealing with SPAM anyways, and it won't matter if it
takes a while to process those messages. In the case that the primary
server is down, well, your users aren't going to be getting their email
anytime soon anyways so it shouldn't matter if it takes a bit more time
to process those incoming mails.
If the mail coming into the 2nd MX server is SPAM, it should reject it
(not bounce) properly either way; if it's not SPAM, it should accept it
and then pass it off to the primary MX server once it's back up and running.
This scenario has been working well for us here for the past 2 years or so.
Alan
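As an added illustration of the thread's recommendation (not configuration posted by either participant), here is a secondary-MX main.cf fragment that applies the same restrictions as the primary: valid-recipient checks so unknown users are rejected during the SMTP dialogue rather than bounced later, greylisting, and the same content filter. It assumes Postfix as the MTA, postgrey as the greylisting policy service, and an amavisd-style filter on port 10024; none of these tools, nor the example.com placeholders, are named in the thread.

```ini
# /etc/postfix/main.cf on the SECONDARY MX (added example; Postfix, postgrey
# and amavisd are assumptions, example.com and mx1.example.com are placeholders)

# Domains this host relays for; the primary MX is the next hop.
relay_domains = example.com
transport_maps = hash:/etc/postfix/transport
#   /etc/postfix/transport contains:   example.com   smtp:[mx1.example.com]

# Valid-user check: a copy of the primary's recipient list, so mail for
# unknown users is rejected in-session instead of being accepted and bounced
# (which would only generate backscatter when the sender is forged).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
smtpd_reject_unlisted_recipient = yes

# The weak "just store and forward" setting this replaces, for comparison:
#   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Stricter secondary: the primary's sanity checks plus greylisting.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_policy_service inet:127.0.0.1:10023,
    permit

# Same antivirus/antispam pipeline as the primary; the smtp-amavis transport
# must also be defined in master.cf.
content_filter = smtp-amavis:[127.0.0.1]:10024
```

The relay_recipients map has to be regenerated (postmap) whenever the primary's user list changes, or the secondary will start rejecting legitimate new users.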