Friday, February 19, 2010

Postfix as a backup MX host

SkyHi @ Friday, February 19, 2010

I've had Postfix/amavisd-new/SpamAssassin/ClamAV/Courier running smoothly on my toaster for a while, thanks to Christoph Haas. Paranoid thoughts have since crept in; what would happen if my toaster were to stop working?

Luckily, I'm the kind of guy who has an old laptop many miles away, quietly humming away under my parents' desk. (No, I don't live in my parents' basement) This would do nicely as a backup MX!

My victim in this case is a Toshiba PIII 700 with a dizzying 64MB RAM, on which I've installed Ubuntu breezy. My parents have a dynamic IP address, which seldom changes in practice. Usually, it's not practical to operate a mail server on a dynamic IP because many major ISPs like Yahoo and AOL block any mail from such IP ranges. In this case I'm not concerned: the purpose of a backup MX is to hold on to mail until the primary MX becomes available again, so it is only delivering mail to servers under my control (I will not block my own mail!).

I need to give the backup MX a hostname; I've chosen - I'm so creative. Fortunately, is hosted by, so I will set the laptop to update its IP address with ddclient.

# apt-get install ddclient

ddclient works with other services like Hammernode, Zoneedit and EasyDNS. It is very easy to set up.

Let's get on with it and install postfix:

# apt-get install postfix

I chose 'no configuration', because I wanted complete control. Once Postfix is installed, cd to /etc/postfix and sudo vi

Here's my with comments to explain what's going on:

#This is the default and will do for me
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

#Notifies users of new mail using comsat.  Since I have no local users or comsat, seems sensible to turn it off
biff = no

# appending .domain is the MUA's job. - disable rewriting of user@host to user@host.domain
append_dot_mydomain = no

#Trust no-one except yourself.  IP addresses in mynetworks can relay mail to any address
mynetworks =

#Listen on all ip addresses
inet_interfaces = all

#Who we will accept mail for
relay_domains = hash:/etc/postfix/relays
#Where it will be sent
transport_maps = hash:/etc/postfix/transport

#Relay only for mynetworks and for the domains in relay_domains; everything else is refused.
#check_relay_domains is deprecated in Postfix 2.x; reject_unauth_destination is its replacement.
smtpd_recipient_restrictions = permit_mynetworks, check_relay_domains

Here is /etc/postfix/transport:

#...etc

and /etc/postfix/relays:

 OK
 OK
#...etc

It's necessary to run postmap on both files so that Postfix can read them:

# postmap /etc/postfix/transport
# postmap /etc/postfix/relays

Restart Postfix:

/etc/init.d/postfix restart

Check that it actually works (from another host!):

$ telnet 25
Trying
Connected to
Escape character is '^]'.
Postfix: 220 ESMTP Postfix (Ubuntu)
You: ehlo
Postfix:
Postfix: 250-PIPELINING
Postfix: 250-SIZE 10240000
Postfix: 250-VRFY
Postfix: 250-ETRN
Postfix: 250 8BITMIME
You: mail from:<>
Postfix: 250 Ok
You: rcpt to:<>
Postfix: 250 Ok
You: data
Postfix: 354 End data with <CR><LF>.<CR><LF>
You: Subject: Test message to test backup MX
You: This is the message body.
You: .
Postfix: 250 Ok: queued as 47EDE57B81
You: quit
Postfix: 221 Bye
Connection closed by foreign host.

If you receive the email, good! If not, tail -f /var/log/mail.log should tell you why.

Check that you are not an open relay!

$ telnet

With this in place, I needed to update the MX records for my domain. This differs from provider to provider, but you must give your primary MX a lower preference number than the backup (the lowest number is tried first), e.g:

$ dig mx

; <<>> DiG 9.2.2 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14586
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;                 IN      MX

;; ANSWER SECTION:
          7190    IN      MX      5
          7190    IN      MX      0

;; AUTHORITY SECTION:
          7190    IN      NS
          7190    IN      NS

;; ADDITIONAL SECTION:
       172790  IN      A
      172790  IN      A

;; Query time: 3 msec
;; SERVER:
;; WHEN: Sun Nov 27 18:43:02 2005
;; MSG SIZE  rcvd: 169
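Getting the two preference numbers the wrong way round silently turns the backup into the primary, and giving them the same value splits incoming mail between the two hosts. As an added example (not from the original post), this Python snippet parses dig-style MX answer lines and verifies the roles; the domain and host names are constructed placeholders.

```python
import re

# Constructed dig ANSWER SECTION lines with placeholder names (not the post's real domain).
DIG_ANSWER = """\
example.invalid.          7190    IN      MX      5 backup.example.invalid.
example.invalid.          7190    IN      MX      0 mail.example.invalid.
"""

# name  ttl  IN  MX  preference  exchange
MX_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$")


def parse_mx(text):
    """Return (preference, host) pairs, most preferred (lowest number) first."""
    records = []
    for line in text.splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group("pref")), m.group("host").rstrip(".").lower()))
    return sorted(records)


def check_mx_roles(records, primary, backup):
    """Verify that `primary` is tried before `backup`. Returns a list of problems."""
    prefs = {}
    for pref, host in records:
        prefs.setdefault(host, pref)  # keep the most preferred entry per host
    problems = []
    p, b = prefs.get(primary), prefs.get(backup)
    if p is None:
        problems.append(f"primary {primary} has no MX record")
    if b is None:
        problems.append(f"backup {backup} has no MX record")
    if p is not None and b is not None:
        if p == b:
            problems.append(f"equal preference {p}: senders split traffic between primary and backup")
        elif p > b:
            problems.append(f"backup preferred ({b}) over primary ({p}): roles are reversed")
    # Anything else in the MX set is a stale or unexpected host that would also receive mail.
    for host in prefs:
        if host not in (primary, backup):
            problems.append(f"unexpected MX host {host} (preference {prefs[host]})")
    return problems


if __name__ == "__main__":
    recs = parse_mx(DIG_ANSWER)
    print(recs)
    print(check_mx_roles(recs, "mail.example.invalid", "backup.example.invalid") or "MX order is correct")
```

Pipe the real `dig mx yourdomain` output into parse_mx; lines outside the answer section do not match the pattern and are ignored.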

Test it. Stop the MTA on your primary MX and send yourself some email from Gmail (or something). If you run tail -f /var/log/mail.log on your backup MX, you'll see the mail queuing up. Start your MTA again and it'll get delivered to you. Run # postqueue -f (which flushes the deferred queue) if you are impatient.
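Watching tail -f works for one test message; once the backup holds real mail it helps to summarise the log instead. The following is an added example, not part of the original post: a Python parser for Postfix's syslog lines that tracks each queue ID from acceptance through deferral to delivery, and counts "Relay access denied" rejects per client, which is the log signature of someone probing the backup as an open relay. The log lines are constructed (placeholder hosts and addresses) in the standard Postfix 2.x format with the default short hexadecimal queue IDs.

```python
import re
from collections import Counter, defaultdict

# Constructed Postfix log lines (placeholder hosts/addresses, not real traffic).
SAMPLE_LOG = """\
Nov 27 18:50:02 backup postfix/smtpd[1234]: 47EDE57B81: client=mail.gmail-example.invalid[192.0.2.10]
Nov 27 18:50:02 backup postfix/qmgr[1001]: 47EDE57B81: from=<friend@gmail-example.invalid>, size=1234, nrcpt=1 (queue active)
Nov 27 18:50:03 backup postfix/smtp[1236]: 47EDE57B81: to=<me@example.invalid>, relay=none, delay=1, status=deferred (connect to primary.example.invalid[192.0.2.20]: Connection refused)
Nov 27 18:55:00 backup postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@other.invalid>: Relay access denied; from=<x@other.invalid> to=<victim@other.invalid> proto=ESMTP helo=<x>
Nov 27 19:00:00 backup postfix/smtpd[1241]: B2C3D4E5F6: client=unknown[198.51.100.9]
Nov 27 19:00:00 backup postfix/qmgr[1001]: B2C3D4E5F6: from=<other@example.invalid>, size=900, nrcpt=1 (queue active)
Nov 27 19:00:01 backup postfix/smtp[1242]: B2C3D4E5F6: to=<me@example.invalid>, relay=none, delay=1, status=deferred (connect to primary.example.invalid[192.0.2.20]: Connection refused)
Nov 27 19:10:03 backup postfix/smtp[1250]: 47EDE57B81: to=<me@example.invalid>, relay=primary.example.invalid[192.0.2.20]:25, delay=1201, status=sent (250 Ok: queued as 9A8B7C6D5E)
Nov 27 19:10:03 backup postfix/qmgr[1001]: 47EDE57B81: removed
"""

# "postfix/<daemon>[pid]: <QUEUEID>: <rest>"; default queue IDs are upper-case hex.
QUEUED = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")
# Delivery attempt logged by the smtp client: to=<...>, relay=..., ..., status=... (detail)
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), .*status=(?P<status>\w+) \((?P<detail>.*)\)$")
# smtpd rejecting a recipient before queueing; the optional x.y.z is the enhanced status code.
REJECT = re.compile(r"NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<code>\d{3})(?: \d\.\d+\.\d+)? <(?P<to>[^>]*)>: (?P<reason>[^;]+);")


def parse_log(text):
    """Group log lines by queue ID; return (messages, rejects)."""
    msgs = defaultdict(lambda: {"client": None, "from": None, "attempts": [], "removed": False})
    rejects = []
    for line in text.splitlines():
        r = REJECT.search(line)
        if r:
            rejects.append(r.groupdict())
            continue
        m = QUEUED.search(line)
        if not m:
            continue
        entry, rest = msgs[m.group("qid")], m.group("rest")
        if rest.startswith("client="):
            entry["client"] = rest[len("client="):]
        elif rest.startswith("from=<"):
            entry["from"] = rest[len("from=<"):].split(">", 1)[0]
        elif rest == "removed":
            entry["removed"] = True
        else:
            d = DELIVERY.match(rest)
            if d:
                entry["attempts"].append(d.groupdict())
    return dict(msgs), rejects


def summarize(msgs, rejects):
    """What is still waiting for the primary, what got through, and who tried to relay."""
    last = {q: e["attempts"][-1]["status"] for q, e in msgs.items() if e["attempts"]}
    return {
        "delivered": sorted(q for q, s in last.items() if s == "sent"),
        "queued": sorted(q for q, s in last.items() if s == "deferred" and not msgs[q]["removed"]),
        "relay_denied": dict(Counter(r["client"] for r in rejects if r["reason"].startswith("Relay access denied"))),
    }


if __name__ == "__main__":
    messages, rejected = parse_log(SAMPLE_LOG)
    for key, value in summarize(messages, rejected).items():
        print(f"{key}: {value}")
```

Run it over the real file with `parse_log(open("/var/log/mail.log").read())`; a non-empty relay_denied map shows which clients are being correctly refused, and a steadily growing queued list while the primary is up means the transport route, not the primary, needs looking at.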