Re: Primary and secondary sendmail servers

Once upon a time, Steve Searle <steve@xxxxxxxxxxxxxxxxx> said:
> When configuring a primary and secondary sendmail server, how does the
> secondary mail server know it should relay anything to the primary one?
> 
> Is it just by the mailserver examining the DNS mx records, or is there
> something else in either of the sendmail configurations?

Basically, you configure the secondary to relay (but not deliver) mail
for the domain(s).  For sendmail, this would mean putting a line like:

To:example.com RELAY

in /etc/mail/access (and running "make" in /etc/mail to update the db).
When mail for that domain comes in, sendmail will see the MX record and
attempt to pass mail on to a higher-preference (lower number) MX.

However, there's a big problem with doing this (not a sendmail-specific
problem): the secondary doesn't know which @example.com addresses are
valid and invalid.  By default, it will accept email for all such
addresses and try to forward them.  When somebody sends an email to an
invalid @example.com address via the secondary, the primary will reject
the message and the secondary will generate a bounce message back to the
apparent sender.

This is a problem because spammers know about this loophole and will try
to dump spam (to massive numbers of invalid addresses) on your secondary
server (usually with forged sender addresses).  The secondary will then
bounce the spam to people that didn't actually send the messages; this
is called "blowback" and will get your secondary server on spam
blocklists in short order.

You really need the secondary to have some way of knowing all the valid
recipient addresses at the domain (and have any spam filtering
configured to match), so it doesn't accept mail that the primary
wouldn't.

This is more complicated; for sendmail, you have to write a few custom
rulesets (not really very much).  The bigger issue is that you need some
way for the secondary to know the valid addresses on the primary; the
usual way is to have all users, aliases, etc. in LDAP (and replicate the
LDAP to the secondary).

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
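
An added example, not part of the original message or the list archive: a Python sketch that scans a secondary MX's mail log for the blowback pattern described above (a message accepted for relay, refused by the primary with a 5.x.x status, then bounced to the envelope sender). The log lines are constructed and modelled on sendmail's syslog format; the function names, hosts, queue IDs and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on sendmail's syslog format (an assumption);
# hosts, queue IDs and addresses are made up for illustration.
SAMPLE_LOG = """\
Jan 10 12:00:01 mx2 sendmail[2101]: q1A0001: from=<alice@sender.example>, size=2210, nrcpts=1, relay=mail.sender.example [198.51.100.7]
Jan 10 12:00:02 mx2 sendmail[2102]: q1A0001: to=<bob@example.com>, mailer=esmtp, relay=mx1.example.com. [192.0.2.1], dsn=2.0.0, stat=Sent (ok)
Jan 10 12:01:10 mx2 sendmail[2110]: q1A0002: from=<victim1@innocent.example>, size=5120, nrcpts=1, relay=[203.0.113.50]
Jan 10 12:01:11 mx2 sendmail[2111]: q1A0002: to=<xkq1@example.com>, mailer=esmtp, relay=mx1.example.com. [192.0.2.1], dsn=5.1.1, stat=User unknown
Jan 10 12:01:11 mx2 sendmail[2111]: q1A0002: q1A0003: DSN: User unknown
Jan 10 12:01:12 mx2 sendmail[2112]: q1A0004: from=<victim2@other.example>, size=5130, nrcpts=1, relay=[203.0.113.50]
Jan 10 12:01:13 mx2 sendmail[2113]: q1A0004: to=<sales99@example.com>, mailer=esmtp, relay=mx1.example.com. [192.0.2.1], dsn=5.1.1, stat=User unknown
Jan 10 12:01:13 mx2 sendmail[2113]: q1A0004: q1A0005: DSN: User unknown
"""

LINE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
FIELD = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")

def find_blowback(log_text):
    """Return (qid, client, bounce_target, invalid_rcpts) for every message
    the secondary accepted, had refused upstream (5.x.x) and then bounced."""
    senders, rejected, bounced = {}, {}, set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        if rest.startswith("from="):
            # relay= on a from= line is the client that handed us the message
            senders[qid] = (fields["from"].strip("<>"), fields.get("relay", "?"))
        elif rest.startswith("to=") and fields.get("dsn", "").startswith("5."):
            # permanent failure reported by the next hop (the primary MX)
            rejected.setdefault(qid, []).append(fields["to"].strip("<>"))
        elif "DSN:" in rest:
            # the secondary generated a bounce for this queue ID
            bounced.add(qid)
    return [(q, senders[q][1], senders[q][0], rejected[q])
            for q in sorted(bounced) if q in senders and q in rejected]

def bounces_per_client(hits):
    """Count bounces by submitting client; one source with many is the pattern."""
    return Counter(client for _, client, _, _ in hits)

if __name__ == "__main__":
    hits = find_blowback(SAMPLE_LOG)
    for qid, client, target, rcpts in hits:
        print(f"{qid}: bounce sent to {target} for {rcpts} (from {client})")
    print(bounces_per_client(hits).most_common())
```

A rising count here means the secondary is accepting recipients that the primary refuses, which is the gap the reply says to close by giving the secondary the list of valid addresses.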
