
I have an onsite Exchange server.

For the rare cases in which our onsite Internet connection goes down, I want to set up an offsite inbound email relay server (I believe this is the correct terminology).

My expectation is that all inbound email will pass through the offsite email relay first. In the case where the offsite email relay cannot contact our onsite Exchange server, then it will hold onto the email until such time as it can be delivered successfully.

Thus, I imagine the flow of email to be like this:

Customer's email client -> Customer's SMTP server -> Internet -> 
-> My offsite email relay -> Internet -> Onsite Exchange server

I found something that I thought would initially serve this purpose at http://emailrelay.sourceforge.net/, however the pictured examples seem to imply that it is only for local outbound email use (Onsite Exchange Server -> emailrelay -> Internet).

Questions:

  1. Given my stated objective, is an "inbound email relay" what I should be looking for? Or is it called something else? Am I missing some keywords?

  2. Can the email relay server I linked above do what I want? Alternatively, can you give me some examples of programs / apps that can do what I want? (hopefully this is not subjective as I am asking for examples of functionality, not asking for what is "best")

  3. In researching this topic, I found that it is considered bad practice, and potentially a security risk, to operate what is called an "Open email relay server". It seems that best practices are to restrict mail relays for use either from / to local clients, or from authenticated / authorized clients. As this would be an inbound mail relay, it seems I must accept email from any source, but I would want to restrict it by only accepting email with a destination matching the specific mail domains that correspond to my business. Is this an acceptable and attainable solution?

Daniel
  • Why do you want all email to go through the offsite email relay? – Michael Hampton Sep 21 '15 at 03:21
  • What you want is called a secondary or backup MX (Mail eXchanger). See http://serverfault.com/questions/47312/mx-backup-service/47325 for reasons why they're not as useful as you might imagine and are a potential source of serious problems. – cas Sep 21 '15 at 04:04
  • Your third question is do-able, and is the right way to do it if you insist on having a backup MX - it should have, at the very least, a list of all valid recipients and if at all possible it should have similar anti-spam / anti-virus rules. – cas Sep 21 '15 at 04:06
  • Some responses and also some follow up questions: Answer 1: Why ALL email? Well I was also thinking of using the relay to do my spam filtering (this is an option in emailrelay for instance). I prefer to keep different server tasks separated both to offload server load, and to make maintenance and performance tracking easier. Followup 1: Let's say I still am interested in running a separate spam filtering server (I might run it local with the Exchange server), would I then be looking at a mail relay? Or is that still a Backup MX? – Daniel Sep 21 '15 at 12:58
  • Followup 2: It seems that I don't really have to worry about my Exchange server going down unless it is for more than 48 hours (unlikely), however I am someone that always likes redundancy. One thing I am wondering is if a "Backup MX" is really what I am looking for. If I understand the terminology correctly, a Backup MX would be a full-fledged MTA. In other words, it would be concerned with things like recipients and routing. In my mind, a mail relay is a much simpler box that does not concern itself much with anything except getting mail from a static one-to-one route. – Daniel Sep 21 '15 at 13:04
  • @Daniel would this not be my answer? – Jacob Evans Sep 21 '15 at 14:42

2 Answers

Without knowing your email path, you could do this by looking at hosted anti-spam solutions. But in any case it is common practice for email delivery to be reattempted multiple times over a 48-hour period before giving up; the rare cases where this does not happen are when something is poorly configured on the sender's end, where they directly relay email off the responsible party's MX record instead of using an MTA.

1) If you set up a relay, you will break SPF especially, so whatever you do needs to at least handle that (option 3 is more specific on this).

2) Another option could be Google Apps with dual delivery, so if your Exchange server is down for an extended period of time you can use Gmail; personally not a fan of this, but it's there.

3) Create your own with a free/open source solution like mailcleaner.org. I would at the least configure it to retry for 10 days, set up the zen.spamhaus.org RBL and honor SPF. For more help I'd look to their forums.

4) There are services that do exist to extend this for up to 10 days and support basic filtering (SPF,RBL). http://www.duocircle.com/services/backup-mx

Good Luck

Jacob Evans
  • I want to set something up myself instead of using a hosted solution. – Daniel Sep 21 '15 at 17:15
  • I can respect that, let me see what I can dig up. I think mailcleaner.org would give you the basic spam protection, just make it a higher cost, like 90, and you can program it to retry for 30 days if you so choose. – Jacob Evans Sep 21 '15 at 17:19
  • MailCleaner wants to charge me per mailbox (which comes out to a silly price per year), and DuoCircle doesn't have clear pricing (starts at $49.95 per year... where does it end?). This is one reason why I'd prefer to have my own solution. If these companies can do offsite relays, why can't I? – Daniel Sep 21 '15 at 17:51
  • http://www.mailcleaner.org, not .net. I'm a reseller and for what you want I don't see the need for their enterprise version. org is their open source-free version that is community supported. I originally maintained my own mailcleaner.org open source smarthost cluster, but wasn't happy with some of the filtering performance on the free edition and didn't have time to continually train Bayesian filters. – Jacob Evans Sep 21 '15 at 17:53
  • @Daniel update my answer to better suit your needs. – Jacob Evans Sep 21 '15 at 18:00
  • OK, mailcleaner.org was not working yesterday. Seems to be working now. So, how is this different from a BackupMX or a Mail Relay? – Daniel Sep 22 '15 at 21:10
  • I have now installed and configured mailcleaner to work with my Exchange server. It is doing an ok job (still getting some spam and some false positives). Anyway, I was wondering if you could give me a clue as to what I should do to “honor SPF”. I have also posted that question in the mailcleaner forums :p – Daniel May 18 '16 at 09:20
  • Honor SPF and DMARC – Jacob Evans May 18 '16 at 10:51
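
The acceptance policy discussed in question 3 and in the comments above (relay only for your own domains, check the recipient against a list of valid mailboxes, hold mail while the primary is unreachable), modeled in Python. This is an added example, not code from any poster or from MailCleaner; the domains, mailboxes and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample values (assumptions): use your own domains and mailboxes.
RELAY_DOMAINS = {"example.com", "example.org"}
VALID_RECIPIENTS = {"alice@example.com", "sales@example.org"}
QUEUE_LIFETIME = timedelta(days=10)  # the "retry for 10 days" suggested above


def rcpt_decision(rcpt, relay_domains=RELAY_DOMAINS, valid=VALID_RECIPIENTS):
    """Return (smtp_code, text) for one RCPT TO address at the backup MX."""
    # Lower-casing the whole address assumes case-insensitive mailboxes.
    addr = rcpt.strip().strip("<>").lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return 501, "5.1.3 bad recipient address syntax"
    if domain not in relay_domains:
        # Refusing foreign destinations is what keeps this from being an open relay.
        return 554, "5.7.1 relay access denied"
    if addr not in valid:
        # Reject unknown users during the SMTP session, so the relay never
        # has to generate a bounce for them after the fact.
        return 550, "5.1.1 user unknown"
    return 250, "2.1.5 accepted, queued for the primary server"


def queue_action(queued_at, now, primary_reachable, lifetime=QUEUE_LIFETIME):
    """Decide what a retry run does with one held message."""
    if primary_reachable:
        return "deliver"
    if now - queued_at >= lifetime:
        return "bounce"  # give up and return a DSN to the sender
    return "defer"       # keep holding the message and retry later


if __name__ == "__main__":
    for rcpt in ("<Alice@Example.COM>", "bob@elsewhere.test",
                 "nobody@example.com", "alice"):
        print(rcpt, "->", rcpt_decision(rcpt))
    t0 = datetime(2015, 9, 21, 3, 0)
    for age in (timedelta(hours=6), timedelta(days=10)):
        print(age, "->", queue_action(t0, t0 + age, primary_reachable=False))
```

The 554 branch is the open-relay guard from question 3; the 550 branch is why the backup MX needs the list of valid recipients mentioned in the comments.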

Generally, you don't need it and in your case I wouldn't bother unless your internet connection is really that bad. If it is, then fire your provider!

Sending MTAs that want to deliver mail to you will queue mail destined to your domain if it can't be delivered. Usually around 4 hours. And if it fails it'll bounce the mail back to the sender with a DSN report. Basically an email saying that the mail was undelivered due to whatever reason.

How long that is varies. See this answer for more info on that. Do MTAs always queue mails when they can't connect to dest MX server?

In the unlikely event that you are hosting your own DNS on the same network as your Exchange servers, then you will want to ensure that those don't go away when your internet line goes down. So set up an offsite DNS or use a backup service like backupdns.com or others. That one can also queue mail destined to your domain.

hookenz