Re: how to tell qmail to relay to secondary MX
Markus Stumpf <lists-qmail <at> maexotic.de>
2008-09-01 17:07:06 GMT
On Sun, Aug 31, 2008 at 06:00:39PM -0500, Josh Wall wrote:
> I think this is the way some of the mail filtering services (like Postini)
> work. You (controller of the domain) set up MX records to point to their
> servers. They do the dirty work, and then relay what is left back to you.
Yes, but they don't say your mailserver should be a backup MX. As soon as
there is a little error in your configuration you have a mail loop and
bounces.
Suppose you have Mailserver DEST, which is the destination mailserver.
Suppose you have Mailserver WASH, which does the dirty work.
You have to secure DEST so that it only accepts connections from WASH.
If you don't do that the spammers' port scan will find it and inject messages.
Do not put DEST in the MX list, this makes it really easy for spammers.
Making it a wider distance MX fails, as a lot of spammers deliberately use
a "reverse MX distance" approach, as backup MX servers in most cases can not
decide if a user exists and accept everything.
Put the name/IP address of DEST in control/smtproutes. This will cause
qmail to deliver to that host. Do it like

    example.com:DEST
    .example.com:DEST

If you can afford some delay but have more than one host capable of
playing DEST, you can deliver locally to a Maildir and make a setup
with "maildirsmtp" and some failover strategy. Be sure to block the
execution of the script against parallel runs if you are using cron
or maybe use daemontools and a script with an endless loop.
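
One way to script the cron-driven "maildirsmtp" run with failover and a lock against parallel runs, added here as an example and not part of the original post. It assumes serialmail's maildirsmtp exits nonzero when delivery to a host fails; the lock path, the function names and the host names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: maildirsmtp (serialmail) is on PATH and exits
# nonzero when delivery to a host fails; paths and host names are placeholders.
MAILDIRSMTP=${MAILDIRSMTP:-maildirsmtp}        # overridable, e.g. for testing
LOCKDIR=${LOCKDIR:-/var/run/dest-flush.lock}   # hypothetical lock path

# mkdir is atomic, so exactly one of several parallel runs gets the lock.
# A crash can leave the directory behind; keep it where boot cleans up.
acquire_lock() { mkdir "$LOCKDIR" 2>/dev/null; }
release_lock() { rmdir "$LOCKDIR" 2>/dev/null || :; }

# flush_queue MAILDIR PREFIX HELOHOST HOST...
# Tries each DEST candidate in order and stops at the first success.
# Returns 0 on success, 75 if another run holds the lock, 111 if all failed.
flush_queue() {
    maildir=$1; prefix=$2; helo=$3
    shift 3
    acquire_lock || return 75
    trap release_lock EXIT          # drop the lock if the script dies
    trap 'exit 111' INT TERM        # signals go through the EXIT trap
    rc=111
    for host in "$@"; do
        if "$MAILDIRSMTP" "$maildir" "$prefix" "$host" "$helo"; then
            rc=0
            break
        fi
        echo "flush_queue: delivery via $host failed, trying next" >&2
    done
    release_lock
    trap - EXIT INT TERM
    return "$rc"
}

# Run from cron with constructed values such as:
#   flush.sh /var/qmail/alias/destdir/ alias-dest- wash.example.com \
#            dest1.example.com dest2.example.com
if [ "$#" -ge 4 ]; then
    flush_queue "$@"
fi
```

Messages stay in the Maildir when every host fails, so the next cron run retries them.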