Hi there,

Recently I heard about separating the mail gateway from the MTA and installing two different mail servers for security and performance issues. Can anyone give me some perspective about why and how we may do that?!

With Regards,
We used to do this at a large company I worked at. We had quite a few mail servers.

On the incoming side, we had a server at multiple geographic locations. That gave us some ability to both deliver mail closer to users in those areas, cutting down on internal traffic, and give us some redundancy in case of failures. We'd balance the traffic to preferred sites using MX records. For example, if the servers that hosted user accounts for particular domains were located in one city, we'd give those domains an MX preference of 10, and the servers in other locations MX 20, and so on.

On the outbound side, you can do some interesting things to help deal with load. One of the things to keep your primary outbound gateway snappy is to keep your queue processing quickly. The last thing you need is mail that has a very low probability of being delivered hanging around and being processed over and over. We used to use sendmail's FallbackMX feature to deal with this. It basically works by adding a fake MX record of your own choosing to all mail. What happens is, the gateway does an MX lookup when trying to deliver mail. If it fails (incorrectly addressed mail, for example), or can't deliver to the listed preferences, it will "fallback" and deliver to the server you chose. That has the effect of being able to push your "slow queue" to another gateway, and the primary machine can deal with the fast queue.

Don't forget that for most of us in hosting environments, we may use a "smart host" gateway. If on your other servers you use the name of the smarthost rather than an IP, you should be able to benefit from using MX records against the smart host, just like a normal domain. That means if the highest preference gateway is down, your server can try a different gateway. Or, you may use multiple gateways with the same MX preference to create a cheap fault-tolerant, load-balanced solution.

There's more, but hopefully that will give you some ideas.
Thank you very much, matty, for the quick and neat answer, but I want to analyze such a system:

    incoming mails --> |             MAIL GATEWAY             | --> | MTA (1, 2 or ... qmail) |
                       |        (Postfix for instance)        |
                       | (spam filter, secure guards and ...) |

What do you think about joining these two or more servers to make the "Gateway" a protective queue? The matter is not how to balance the MTAs' traffic here; the matter is how and why we may separate filtering as a queue in front of the main server.

Thank you again,
Sorry about the delay in answering. I've been doing a bit of work on the road lately.

If you get plenty of traffic and it suits your environment, I think it's a great idea. Filtering email can be high load, so it removes it from your application servers, such as your web/mysql/email hosting boxes. Using two or more filtering boxes lets you split the load, and gives you some redundancy, which will allow you to keep mail flowing in while you perform maintenance on one.

It's not all smiles and rainbows, however. You'll find that you need some way to test if mailboxes exist if you don't want to accept all mail addressed to domains you host, including that for non-existent addresses. Otherwise you'll find you're bouncing junk mail back to probably faked sender addresses, causing backscatter issues.
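
The backscatter problem raised in the last reply, as an added example that is not part of the thread: a small model of a filtering gateway that either accepts every address in its hosted domains or checks the recipient during the SMTP session. The `HOSTED` table, the function names and all addresses are constructed for illustration; a real gateway would get the recipient list from its backend MTA.

```python
# Added example: hypothetical names, constructed data.
HOSTED = {  # recipient table the gateway holds for the domains it relays
    "example.org": {"alice", "bob"},
    "example.net": {"postmaster"},
}

def split_addr(addr):
    """Return (local, domain) lower-cased; ('', '') for the null sender <>."""
    addr = addr.strip().strip("<>")
    if "@" not in addr:
        return addr.lower(), ""
    local, domain = addr.rsplit("@", 1)
    return local.lower(), domain.lower()

def rcpt_decision(rcpt, verify):
    """SMTP reply the gateway gives to RCPT TO while the sender is still connected."""
    local, domain = split_addr(rcpt)
    if domain not in HOSTED:
        return 554, "5.7.1 relay access denied"
    if verify and local not in HOSTED[domain]:
        return 550, "5.1.1 user unknown"  # refused in-session: gateway owes no bounce
    return 250, "2.1.5 ok"

def run_gateway(envelopes, verify):
    """Process (mail_from, rcpt_to) pairs; return (delivered, rejected, bounces_sent_to)."""
    delivered, rejected, bounces = [], [], []
    for mail_from, rcpt in envelopes:
        code, _ = rcpt_decision(rcpt, verify)
        if code != 250:
            rejected.append(rcpt)
            continue
        local, domain = split_addr(rcpt)
        if local in HOSTED[domain]:
            delivered.append(rcpt)
        elif split_addr(mail_from) != ("", ""):
            # Backend refused after the gateway accepted: the gateway must now
            # bounce to whatever (possibly forged) sender the envelope named.
            bounces.append(mail_from)
        # A null sender <> marks a bounce; it is never bounced again.
    return delivered, rejected, bounces

ENVELOPES = [  # constructed sample traffic
    ("<friend@example.com>", "<Alice@Example.ORG>"),
    ("<forged-victim@example.com>", "<nosuchuser@example.org>"),
    ("<other-victim@example.com>", "<sales@example.net>"),
    ("<>", "<ghost@example.org>"),
    ("<spammer@example.com>", "<someone@example.edu>"),
]

if __name__ == "__main__":
    for verify in (False, True):
        d, r, b = run_gateway(ENVELOPES, verify)
        print(f"verify={verify}: delivered={len(d)} rejected={len(r)} bounces_to={b}")
```

With verification off, the two messages to unknown mailboxes turn into bounces aimed at the forged senders; with it on, the same messages are refused with a 550 and the gateway generates no mail of its own.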