[CentOS] Centos 6 Sendmail backup MX Config

Fri Feb 13 17:39:16 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, February 13, 2015 11:04 am, Les Mikesell wrote:
> On Fri, Feb 13, 2015 at 9:57 AM, Ken Smith <kens at kensnet.org> wrote:
>> Hi All,
>>
>> I'm just wanting to check that my understanding of the settings is
>> correct, as my web searches are finding a lot of dated information.
>>
>> If I want a Centos 6 sendmail system to act as the secondary MX for
>> domain bbbbb.co.uk, do I just add a
>>
>> Connect:bbbbb.co.uk               RELAY
>>
>> statement into /etc/mail/access and restart sendmail?
>>
>> Obviously the DNS MX records for the domain are already established.
>>
>> I've been getting "config error: mail loops back to me" errors.
>>
>> I think I may be stumbling into a variant of the cname problem, where
>> the hostname as far as the sendmail machine is concerned is aaaaa.com
>> but the DNS setting for the secondary MX is smtp1.bbbbb.co.uk.
>>
>> They both resolve to the same IP, but when sendmail looks up the MX
>> records for bbbbb.co.uk it will find smtp.bbbbb.co.uk and
>> smtp1.bbbbb.co.uk listed, and it may relay the mail off to
>> smtp1.bbbbb.co.uk without recognising that aaaaa.com =
>> smtp1.bbbbb.co.uk. Am I on the right track here, as I then just need
>> to change the secondary MX setting in DNS to aaaaa.com?
>
> I'd recommend not having a secondary MX at all unless it is equipped
> to reject invalid users and spam in all the same ways as your primary.

Agree, but...

>   Otherwise it accepts junk that your primary rejects

Not exactly. If greylisting is set on the primary but not on the backup MX,
what is killed by greylisting on the primary MX still almost never comes
through the backup MX. This is due to the same reason why greylisting is
efficient: it throws off all that doesn't behave as a mail server (thus
never comes back for re-delivery, and definitely doesn't try the backup MX,
which real servers always do even before attempting re-delivery). Still, it
is good to have the same greylisting on the backup MX. And all other bells
and whistles.

> and then you are
> obligated to send a bounce message, which is always a bad thing - you
> want the authoritative receiver to reject at the smtp level instead of
> accepting at all.

I agree, it is wrongful behavior to accept something which you later
discover you can not deliver. I would call it a bad MX setup, as you are
making yourself a potential source of backscatter (which, though, is not
as much exploited yet as open relays, but is still a bad setup).

If you set up a backup MX based on postfix, there is a relay_recipients
setting you have to specify, which lists all e-mail addresses that are
legitimate on the primary MX. Nothing else is accepted by default, thus the
secondary MX does not become a source of backscatter.

<rant>
I've seen, at least at some point, that Google mail accepts everything.
Then (after they parsed and filed the information in that message, I would
speculate) they send a non-delivery notification. That was a real incident,
after which I have a policy on my servers: I do not forward e-mail of users
who left the department to their Google mail, as I don't want _my_ server to
become a source of backscatter as a result of the crap they do.
</rant>

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
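The two SMTP-time checks argued over in the thread, greylisting and recipient validation on the backup MX (what Valeri calls relay_recipients; the Postfix parameter is relay_recipient_maps), modelled as a small RCPT TO policy. This is an added example, not code from the list post or from sendmail or Postfix; the domain, the recipient table, the client addresses and the 300-second greylist delay are all constructed for illustration.

```python
"""
Added example (not from the CentOS list thread): a minimal model of the two
policy checks a backup MX should apply to every RCPT TO command.

  1. Recipient validation against a relay-recipient table (the Postfix
     relay_recipient_maps idea), so mail for unknown users is rejected
     during the SMTP dialogue rather than accepted and bounced later
     (backscatter).
  2. Greylisting keyed on the (client IP, sender, recipient) triple: the
     first attempt is deferred with a 4xx reply, a retry after the minimum
     delay is accepted, and a client that never retries never gets a 250.

All names, addresses, delays and the sample table are constructed.
"""
from dataclasses import dataclass, field

RELAY_DOMAINS = {"bbbbb.co.uk"}
# Constructed stand-in for a relay_recipient_maps table: every mailbox the
# primary MX will accept for the relayed domain.
RELAY_RECIPIENTS = {"alice@bbbbb.co.uk", "bob@bbbbb.co.uk"}

GREYLIST_DELAY = 300  # seconds a sender must wait before a retry is accepted


@dataclass
class BackupMx:
    relay_domains: set
    relay_recipients: set
    greylist_delay: int = GREYLIST_DELAY
    seen: dict = field(default_factory=dict)  # triple -> first-seen time

    def rcpt_to(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one RCPT TO command at time `now`."""
        domain = recipient.rpartition("@")[2].lower()
        if domain not in self.relay_domains:
            # Not a domain we back up: refuse, or we would be an open relay.
            return "554 5.7.1 Relay access denied"
        if recipient.lower() not in self.relay_recipients:
            # Reject now. The primary would reject this user too; accepting
            # here would force us to generate a bounce later (backscatter).
            return "550 5.1.1 User unknown in relay recipient table"
        triple = (client_ip, sender.lower(), recipient.lower())
        first = self.seen.get(triple)
        if first is None:
            self.seen[triple] = now
            return "450 4.7.1 Greylisted, try again later"
        if now - first < self.greylist_delay:
            # Retried too soon: still deferred.
            return "450 4.7.1 Greylisted, try again later"
        # A client that came back after the delay behaves like a real MTA.
        return "250 2.1.5 Ok"


def simulate(mx, attempts):
    """Replay (time, client_ip, sender, recipient) attempts; return replies."""
    return [mx.rcpt_to(ip, s, r, t) for t, ip, s, r in attempts]


def demo():
    """Constructed traffic mix showing each reply the backup MX gives."""
    mx = BackupMx(RELAY_DOMAINS, RELAY_RECIPIENTS)
    attempts = [
        # A real MTA trying the backup MX: deferred, then accepted on retry.
        (0,   "192.0.2.10",   "friend@example.net", "alice@bbbbb.co.uk"),
        (600, "192.0.2.10",   "friend@example.net", "alice@bbbbb.co.uk"),
        # A bot that fires once and never retries: never reaches 250.
        (5,   "198.51.100.7", "spam@example.org",   "bob@bbbbb.co.uk"),
        # Unknown user: rejected at RCPT time, so no bounce is ever sent.
        (10,  "192.0.2.10",   "friend@example.net", "nobody@bbbbb.co.uk"),
        # Not a domain we relay for at all.
        (20,  "192.0.2.10",   "friend@example.net", "x@example.com"),
    ]
    return simulate(mx, attempts)


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The point the model makes visible: the unknown-user and wrong-domain cases are answered while the sending client is still on the line, so the backup MX never owns a message it cannot deliver, and the one-shot client's single 450 is the whole of its interaction.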