Stuff on setup secondary MX server
For a mail service, generally we have two MX servers, one is for primary MX, another is for secondary MX.
For instance, we see these MX records in a domain:
mailbox.net. 300 IN MX 5 mail.mailbox.net.
mailbox.net. 300 IN MX 10 mail2.mailbox.net.
The first one (with lower priority) is primary MX server, the second one is secondary MX server.
When primary MX is down, second MX will accept incoming messages and forward them to primary MX after which is up.
How to setup secondary MX server? It's quite simple. Just open /etc/postfix/main.cf and make sure you have these two lines:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
relay_domains = mailbox.net
The first line is for auth purpose. The second line should hold your mail domain.
Please make sure you have correct hostname in seondary MX server. For instance, the following lines in main.cf,
myhostname = mail2.mailbox.net
mydestination = $myhostname, mail2.mailbox.net, localhost.mailbox.net, , localhost
should setup correctly. They must be the specified hostname, not the mail domain, otherwise you will have delivery issues.
And, in primary MX server we want to change just one line in configuration file /etc/postfix/main.cf.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 xx.xx.xx.xx
Put your secondary MX server's IP in mynetworks option.
This is because, if you don't do this, the forwarded messages which always have SPF broken, will be rejected by primary MX server, if which has SPF check enabled.
For example, my primary MX server has this policy,
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
...
If it see messages from secondary MX have broken SPF, it will reject them. So you have to put the IP of secondary MX into mynetworks as trust source.
Now restart postfix in both primary and secondary MX servers, they just work.
The final step is to make sure you have the same antispam policies for secondary MX as the primary one. Otherwise spammers will send messages to your secondary MX, and those spam messages are forwarded by secondary MX to primary mail server bypass the detection of primary server.
How to setup antispam policies on mail server? It's quite complicated a topic, for which I will discuss in a separate article.