This is quite simple, and with a very simple setup, and does not require that much, since we do not need to send out e-mails from clients from this server, or use ASMTP. I find that MySQL is not needed here, but could be used. I will use normal flat files, since the number of domains to run a backup for is most likely a rather small number.
This setup can be editet to run all times of different checks, antivirus etc. Normally you would make sure that the setup is exactly the same on both the primary MTA, and the backup. It hardenens the systems, and should reduce spam, and unwanted traffic. Create public DNS entries. Remember to create an MX record with an lower priority than the primary mail server, or else this will not work!
Example:example.com. 43200 IN MX 10 mail.example.com. example.com. 43200 IN MX 20 backup.example.com.
After this these two records are created with A records pointing to different IPs (different servers).
Example:mail.example.com. 343 IN A 123.456.789.123 backup.example.com. 343 IN A 987.654.321.987
First install postfix if it is not installedaptitude install postfix
Next we will configure postfix to accept e-mails from only trusted domains, and define where want to send the e-mails to.
Please note that I have set the queue lifetime to 30 days, in case a mailserver breaks down when a person is on vacation. Default for this is 5 days, which is some cases is just not enough.
Of course in a serious production environment these 5 days should be sufficient! 🙂
Now to main.cf file, which is very simple here.
Make sure that “relay_recipient_maps = ” is not defined with parameters, it must be defined as “empty”, since we will then automatically accept all e-mail addresses. If not we might have a huge amount of work to create all the users, which is a critical bad idea on a backup MX. Remember that the original mailserver, still “sorts” the emails at arrival.
Actually it is (empty) as default, but for a visual view it could be added.
Finding the PTR entry which we should use as hostname. We will use this output later on!dig -x example.com
#ptrentry.example.com /etc/postfix/main.cf myhostname = ptrentry.example.com smtpd_banner = $myhostname ESMTP mynetworks = 127.0.0.0/24 maximal_queue_lifetime = 30d relay_recipient_maps = relay_domains = hash:/etc/postfix/relaydomains transport_maps = hash:/etc/postfix/transportmaps smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
Time to configure the relay domains.
This is the domains that we trust, and we want to act as backup for.
Add the domains you want in this file.
Actually it is possible to add them directly in postfix instead of this flat file and then seperate the domains with commas. But as you can see later on, it is still required to run postmap, so since we have to do this anyway, I find it easier just to create both of these files, and I personally have a better overview./etc/postfix/relaydomains
example.com OK example1.com OK example2.com OK
In the transportmaps file we will define where we want our e-mails to go when the host is up again.
It is possible to add an internal host inside the network, or just another external host.
For internal hosts a smart trick is to use brackets ( [ ] ), to avoid DNS lookup.
Below have I specified example2.com to an internal host. Also another port can be used, if SMTP is blocked from the ISP. In this example I have used port 587.
First goes the domain, and next we define the original mailserver, where we want to have our mail delivered when the host is up again.
/etc/postfix/transportmaps example.com smtp:mail.example.com:25 example1.com smtp:mail.example1.com:587 example2.com smtp:[192.168.10.20]:25
Updating postfix’s lookup table
Everytime a change have been made to either the transportmaps, or relaydomains files it is needed to run postmap to create/update the lookup tables for postfix!
postmap /etc/postfix/relaydomains postmap /etc/postfix/transportmaps /etc/init.d/postfix restart
Below is a little very simple and basic script I have created, that updates the tables, and restarts postfix after changes.
updateRelayDomains.sh #!/bin/sh echo "running postmap" postmap /etc/postfix/relaydomains postmap /etc/postfix/transportmaps echo "restarting postfix, to accept changes" /etc/init.d/postfix restart echo "done"
Adding TLS Support – Optional
postconf -e 'smtp_tls_security_level = may' postconf -e 'smtpd_tls_security_level = may' postconf -e 'smtpd_tls_key_file = /etc/postfix/tls/smtpd.key' postconf -e 'smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt' postconf -e 'smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem'
SPF Whitelist – Optional
This is only important if your have configured SPF, else skip it!
On your primary mailserver, NOT this backup mx host, you can and should most likely add the(se) MX backup server(s), to avoid blocking valid emails.
apt-get install spfmilter
Configure spfmilter with whitelists.
add –whitelist to DAEMON_OPTS
The the IPs of your backup MX servers.
/etc/postfix/spfwhitelist 123.456.789.123 321.987.654.321
Restart spfmilter./etc/init.d/spfmilter restart
Time to test
Time to test if everything is working. Unplug the cable from the original MTA.
If everything goes well, mails should start comming in, in the mailqueue on the backup MX server.
Follow the process in the mail.log. Also if something is wrong, it should show in the same place.tail -f /var/log/mail.log
Take a look at the mail queue, it should start to grow, since e-mails cannot be delivered since the original host defined in the transportmaps file is still down.postqueue -p
When the host is up again, mails should automatically be removed from the backup server, again you can follow this in the mail.log or with postqueue as shown above.
If you are impatience, and just want the e-mails to be delivered at the remote host immediately, you can force/flush the delivery with postqueue.postqueue -f