efa-project.org

Sorry to double post, but the other thread has a wrong title (was initially posted because of another problem).

I would like to use EFA as MX1 and MX2 for different domains and then in EFA reroute traffic to the appropriate mailserver. What would be the recommended setup if I would want two EFA mailfilters, one maybe the backup of the other? Is there some sort of fallback configuration possible or should I just configure them the exact same way?

Well… good question. As far as the backup-setup goes, this is usually configured by setting the MX priority for the resp. MX servers in your DNS. The MX with the lower priority will be your primary MX and the one with the higher priority will be your backup MX. However, when I had two MX records, spammer used to choose the backup MX one - probably hoping that the backup MX would have a less rigorous configuration (which of course it hadn't ).

If one eFA can handle all the traffic for your domains, just setup another using the same settings/konfig and have your MX records set to different priorities. If you want your eFas to primarily accept messages for one domain, have the MX settings in a way, where the other eFa has a higher priority for that domain you don't want it to server primarily.

Thank you budy, very happy with an answer.

I guess I'll just configure two EFA just identically and make the one MX1 and the second MX2 as a backup.

Also, as some kind of load balancing I can for instance make:

for domain A the MX1 the high priority MX record and MX2 the low priority MX record
for domain B the MX2 the high priority MX record and MX1 the low priority MX record

So avoiding that in normal circumstances MX2 is just sitting there idle while MX1 is working his butt off

Exactly.

Keep in mind that in some cases your 'backup' MX might even get a higher load than your primary.

We sometimes see domains that receive 80% of their spam on the secondary MX.
Some tricks spammers sometimes use is to send mail only to the secondary MX as some domains just have a 'relay' for the secondary without scanning.

Although most domains get this shorted out lately and use two spam filter methodes, you might see a higher load on your secondary node than on your primary node because of this.

OK great, thanks for the input!

For load balancing I would use round-robin and just one mx record.
But I use also a primary and a secondary mailserver. The adds an extra point to the spamassassin score just because it's the secondary and mostly used by spammers.

Hi Woger, how would you configure that? Round robin and one MX record?

I'd rather have the extra score for spammers using the backup mx…

I understand why you are marking up the backup MX record, but I personally wouldn't do that. What if your main mail server is down, and your legitimate mail goes to the secondary MX? You may have legitimate mail now being marked as spam, possibly even training the system to recognize it as spam.

If you know ahead of time that your primary is down (maintenance, upgrade, etc) you could undo that extra score, of course, but that's just one extra thing to have to remember.

That's of course a valid point to consider.

disciple wrote: ↑04 Oct 2017 10:44 Hi Woger, how would you configure that? Round robin and one MX record?

Something like this:

mailserver.domain.com. A IN 1.2.3.4
mailserver.domain.com. A IN 1.2.3.5

domain.com. 10 MX mailserver.domain.com.

I think that should work, but haven't tried it

Thanks Woger, seems interesting.

But since you haven't tested it, question to others: does anybody else have this live in this way?

It'll work, although I wouldn't recommend it unless those two IPs are highly available IPs.

Why? If I make a requests to .4, and .4 is down, the system will delay the second mail attempt - resulting in slower mail delivery. The next request may get .5 depending on how the DNS resolver handles hosts with multiple A records.

If I have two mx records, one for .4 and one for .5, then, depending on the mail processor, it make make an attempt immediately to the secondary mx record before delaying the mail to try again, thus over all faster mail delivery.

Round Robin is useful as a cheap way of load balancing assuming both machines are running. (It'll be even more useful if/when EFA supports clustering). It's not so good for redundancy when one hosts isn't responding, like I've described above.

Go with the secondary mx record if you have two IPs and two machines.

Also, it's better if your secondary mx host is not on your network and can store/forward mail to your primary mx host when it is available, in my opinion.

Thanks all, great points to consider. I'll think about it some more and make a final decision.

this is very intersecting idea,
has anybody got it working ?

If you want to load balance your servers then rather than DNS round robin use two MX records but have the same weight for them. Sending servers are supposed to randomise equal weight records.

Addendum: To clarify - With equal weight MX records sending SMTP servers will use a random record and if that fails then they'll use any other equal weight records. This avoids the issue with DNS RR whereas a server can latch onto an A record and will keep on trying that failed server. With equal weight MX the sending server will immediately try the other record(s).

Good morning

I have this working. My MX records are not evenly weighted but it does cycle to the other one if i restart the main server for example.

I implemented this last night so will give another update on how things are going over the weekend.

Both eFa servers are setup the same, i just created a new VM and changed the name and IP.

Kind Regards
Edward