Situation: We have 3 separate SMTP servers on 3 unique public static IP addresses provided by the ISP. We have a new mobile 4G connection with a single static public IP as a possible failover connection. We have a Draytek 2860 ADSL router to handle the incoming main ADSL connection where the 3 public static IPs reside. The Draytek can handle failover between WAN1 (ADSL) and WAN2 (4G Mobile).

Question: During failover we would like the 3 SMTP servers to be able to send and receive email through the single-IP 4G mobile connection. 1) Does this need to be done through an SMTP gateway, say like Postfix, or 2) can we have our MX records point to the single 4G mobile IP and have the SMTP servers pick this up on the local LAN?
-
Is the 4G static, always on or only in an outage? Do you pay for bandwidth costs or care? – Jacob Evans Mar 16 '17 at 11:07
-
4G is always on, and yes it is static but NAT'd - i.e. we have a public static IP NAT'd to an internal ISP private IP to which we connect. – Squid_Vicious Mar 16 '17 at 11:13
-
Do you care about usage? – Jacob Evans Mar 16 '17 at 11:19
-
Yes, the 4G mobile is limited, the other has no limit. Failover will only be applicable to SMTP and SSH. No general web traffic will be routed through the failover. – Squid_Vicious Mar 16 '17 at 12:13
-
Do you need to receive email during an outage, or only send? Be aware that remote mail servers will queue email if no MX servers are reachable. – Jacob Evans Mar 16 '17 at 12:19
1 Answer
Yes, this is possible, but not recommended without considerations.

Outbound: It is best practice to always use all sending IPs to build a good reputation. In your scenario this may be costly, as you will want to send on all 4 IPs, paying a bandwidth fee for emails sent over the 4G connection. You may want to consider using a smarthost that will handle your reputation, which you could roll your own on something as cheap as a few containers (I pay like $90 a year for my 3 VPSs); in the situation of an outage you will be able to retain your reputation and source IPs.
To send from your new IP, you simply need to list it in your SPF record and ensure FCrDNS (the PTR record matches the A record).
Inbound: You can absolutely add this server to your MX list with a higher priority number; however, this does not mean it will not receive emails while the other 3 MX servers are online. It is common for spammers to favor higher-cost servers, as they are typically running fewer resources and less anti-spam protection. If you are able to deny traffic on the highest MX AND NAT to a load balancer to spread your load (it must support proxy protocol to retain RBL checking), this would be fine. I would suggest using this only in a longer outage (telephone pole + car type incident). Remember it is typical for remote servers to queue email to you for up to 48 hours, assuming they use an MTA** and have not changed the defaults.
To receive on your new IP, just add an MX record; no reputation is required.

**Many web forms use MX records to send mail and do not have an MTA or a way to queue email. This is terrible and shouldn't be your problem.
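The answer lists three DNS conditions for the failover host: an MX entry with a higher preference number so it is tried last, the address listed in SPF, and forward-confirmed reverse DNS. The following script, added here as an illustration and not part of the original answer or any project's code, checks all three against a constructed in-memory DNS table (documentation address ranges, hypothetical hostnames `mx1`..`mx3`, `mx-4g` and `mx-stale` under `example.test`); replacing `lookup()` with a real resolver would run the same checks live. The `mx-stale` host is constructed to show how each check fails when the SPF and PTR records were never updated.

```python
"""Check the DNS preconditions for a failover SMTP address.

Added example: hostnames, addresses and records below are constructed
placeholders, not the poster's real infrastructure.
"""
import ipaddress

# Constructed DNS view. Three primary MXs on the ADSL block (preference 10)
# and one failover host on the single 4G address (preference 50, tried last).
RECORDS = {
    ("example.test", "MX"): [(10, "mx1.example.test"), (10, "mx2.example.test"),
                             (10, "mx3.example.test"), (50, "mx-4g.example.test")],
    ("example.test", "TXT"): ["v=spf1 ip4:203.0.113.0/29 ip4:198.51.100.7 -all"],
    ("mx1.example.test", "A"): ["203.0.113.1"],
    ("mx2.example.test", "A"): ["203.0.113.2"],
    ("mx3.example.test", "A"): ["203.0.113.3"],
    ("mx-4g.example.test", "A"): ["198.51.100.7"],
    # Hypothetical host whose PTR was never updated and whose IP is not in SPF.
    ("mx-stale.example.test", "A"): ["198.51.100.8"],
    ("1.113.0.203.in-addr.arpa", "PTR"): ["mx1.example.test"],
    ("2.113.0.203.in-addr.arpa", "PTR"): ["mx2.example.test"],
    ("3.113.0.203.in-addr.arpa", "PTR"): ["mx3.example.test"],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["mx-4g.example.test"],
    ("8.100.51.198.in-addr.arpa", "PTR"): ["old-name.example.test"],
}


def lookup(name, rtype):
    """Resolve from the constructed table; a live resolver would go here."""
    return RECORDS.get((name.lower().rstrip("."), rtype), [])


def spf_networks(domain):
    """Networks listed directly as ip4:/ip6: terms in the domain's SPF record.
    include:, a and mx mechanisms are deliberately not expanded here."""
    nets = []
    for txt in lookup(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+-~?")  # drop the SPF qualifier, if any
            if term.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def spf_covers(domain, ip):
    """True if ip falls inside one of the SPF ip4:/ip6: networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_networks(domain))


def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: PTR -> hostname -> A must lead back to ip."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # e.g. 7.100.51.198.in-addr.arpa
    return any(ip in lookup(host, "A") for host in lookup(rev, "PTR"))


def mx_least_preferred(domain, host):
    """True if host is in the MX set with a strictly higher preference number
    (lower priority) than every other MX, so remote MTAs try it last."""
    mxs = lookup(domain, "MX")
    own = [pref for pref, name in mxs if name == host]
    others = [pref for pref, name in mxs if name != host]
    return bool(own) and bool(others) and min(own) > max(others)


def check_failover_host(domain, host):
    """Run all three checks for every address the failover host resolves to."""
    ips = lookup(host, "A")
    return {
        "has_address": bool(ips),
        "mx_least_preferred": mx_least_preferred(domain, host),
        "spf_covers_all_ips": bool(ips) and all(spf_covers(domain, ip) for ip in ips),
        "fcrdns_all_ips": bool(ips) and all(fcrdns_ok(ip) for ip in ips),
    }


if __name__ == "__main__":
    for h in ("mx-4g.example.test", "mx-stale.example.test"):
        print(h, check_failover_host("example.test", h))
```

The MX check only confirms ordering; as the answer notes, a lower-priority MX still receives mail while the primaries are up, so the firewall rule denying traffic on that MX outside an outage is a separate control that DNS cannot express.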
-
Legitimate servers generally follow the RFCs and retry, so an outage of less than a day or two should not be an issue. Spambots frequently don't retry, so an outage should reduce the backlog of spam. – BillThor Mar 16 '17 at 13:40
-
Look at greylist statistics if you want to see how many spambots do queue. – Jacob Evans Mar 16 '17 at 13:48
-
Jacob, thank you. I was thinking of possibly setting up a smarthost/SMTP gateway, possibly using Postfix: putting all existing SMTP servers on the internal LAN and using only the Postfix gateway on both 4G and ADSL. I suppose this will make the DNS setup a lot simpler and easier for failover? The Draytek allows for load balancing, and I could allow only SMTP traffic through the 4G on normal days and all other traffic just on failover to save on 4G costs.... – Squid_Vicious Mar 22 '17 at 09:29
-
If you have smarthosts you don't need to warm up the 4G IP; your sources no longer matter. – Jacob Evans Mar 22 '17 at 11:35