
I know that one technique spammers may use is to send spam to a secondary mail server, since those servers tend to be less powerful and may not have all the spam filtering that the primary has.

Can I set up my backup mail servers to reject any incoming mail if the primary server is still up and accessible? I imagine secondary servers doing a quick ping to the primary as soon as an smtp session is begun on the secondary (even before a helo/ehlo), and rejecting if the primary responds. If the primary is still online, there should be no valid reason to be sending any email to a lower-priority mailserver.

Is this possible with postfix? Are there pitfalls I'm not seeing to this approach?

Stephen S
  • This sounds like a bad idea to me. Just because your secondary mail server can reach the primary doesn't mean the entire internet can. – May 14 '15 at 19:35

1 Answer


That would be highly inadvisable, or, to put it simply, just plain wrong. Just because the secondary server can connect to the primary doesn't mean one or more legitimate SMTP clients can connect to the primary.

Multiple MX servers are primarily designed to handle routing and connectivity issues (and the weighting parameter is there to help hint at the preferred server(s), i.e. the one(s) which will do final local delivery). The SMTP protocol itself is designed to handle short outages (up to a few days) without any loss of email. Do not use multiple MX servers to try to deal with server outages, or even necessarily last-mile connectivity outages.

These days you would do better just to put your primary at a reliable well-connected colo/cloud provider and get rid of any and all other MX servers.

If you really have to handle a lot of incoming connections, more than one server you can afford to provision can handle, then use multiple servers and add multiple A records to the MX hostname, one for each parallel MX host. (In the past, and probably still today, multiple A records for the MX target get more even distribution than multiple equal-weight MX records for different target hosts.) However any configuration of multiple hosts increases your costs, your maintenance headaches, and your security risks.

Summary: Do not advertise additional MX records if normally those additional MX servers will reject all connections. The result will be an invitation to losing mail on several fronts.

Greg A. Woods
  • I agree. I'm not a fan of backup MX records as a mechanism to deal with transient, short term issues. Originating SMTP servers will queue the message and retry delivery later at regular intervals upon transient failures. Having a backup MX for this purpose seems to me to just be a good way of winding up with a bunch of spam on your backup MX. – joeqwerty May 14 '15 at 20:07
  • A "backup" MX server doesn't just invite spam -- it invites loss of legitimate mail too! It is far too easy to underestimate the problems and risks of doubling the maintenance and monitoring overhead, and even the tiniest cost in overhead would vastly outweigh any possible advantage except for the most exceptionally odd configuration requirements (which would of course require their own exceptional justification). – Greg A. Woods May 14 '15 at 20:14
  • Very good point. Another good and valid reason not to implement a backup MX. – joeqwerty May 14 '15 at 20:15
  • I might just rethink the purpose of my backup MX after reading this and the comments. Thanks ;) – Daniel May 14 '15 at 20:30
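Postfix has no "reject if the primary answers a ping" check, and the answer explains why building one would lose mail: a client that cannot reach the primary is exactly the one the secondary would turn away. If a secondary MX is kept anyway, the thing that stops it being the soft target the question describes is to make it reject what the primary rejects, starting with unknown recipients, which is what Postfix's own standard-configuration documentation recommends for a backup MX host. The fragment below is an added example, not configuration from the original post or from the Postfix project; the domain `example.org`, the host names `mx1`/`mx2`, and the lookup-table paths are assumptions. The commented-out block is the common weak secondary; the live settings are the hardened form.

```ini
# /etc/postfix/main.cf on the secondary MX (mx2.example.org, assumed name)

# --- WEAK: the usual "just relay it" secondary (shown commented out) --------
# With relay_recipient_maps empty, Postfix accepts EVERY recipient in the
# relay domain and queues it for the primary. Invalid recipients are only
# discovered by the primary, so the secondary has to bounce them itself:
# spam aimed at guessed addresses turns into backscatter, and none of the
# primary's RCPT-time checks are applied here.
#
#   relay_domains = example.org
#   relay_recipient_maps =

# --- HARDENED secondary ------------------------------------------------------
# Relay only for the domains the primary actually serves.
relay_domains = example.org

# Reject unknown recipients at RCPT TO, exactly as the primary does.
# The table is a copy of the primary's valid-recipient list and must be kept
# in sync (assumed: regenerated on the primary and pushed here).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Hand accepted mail to the primary by host name; the brackets suppress the
# MX lookup so the secondary never routes mail back to itself.
transport_maps = hash:/etc/postfix/transport

# Same relay and recipient policy as the primary: no open relay,
# no unresolvable sender or recipient domains, no unlisted recipients.
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination
smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    # assumed: the same DNSBL / policy-server checks the primary uses go here
    permit
smtpd_helo_required = yes

# Lookup tables referenced above (run "postmap" on each after editing):
#
#   /etc/postfix/relay_recipients        (constructed sample entries)
#     alice@example.org   OK
#     bob@example.org     OK
#
#   /etc/postfix/transport
#     example.org   smtp:[mx1.example.org]
```

The check to run after deploying this is the same one a spammer's software effectively performs: an SMTP session to each advertised MX with `RCPT TO` for an address that does not exist must get the same 550 from the secondary as from the primary. If the secondary answers 250 where the primary answers 550, the recipient table is stale or missing and the secondary is back to being the weakest MX in the set. Whatever else the primary does after RCPT (content filters, milters, greylisting) has to be mirrored the same way, which is the doubled maintenance burden the answer and comments warn about.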