OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: dcol on April 20, 2021, 12:43:15 am
-
Here is an issue I just came across and not sure how to handle.
I have a floating rule that blocks certain countries from sending email on port 25.
The issue is, I use a backup email service which accepts email when my primary MX Record is not available, then forwards the email when it is available.
What I think is happening is by blocking the port it is forcing the email to use the next level MX server. Should I be rejecting these connections instead of blocking? Not sure how to handle this? Maybe I should not be blocking port 25 at all and let the email server handle the spam, which does not have very good GeoIP blocking capabilities.
-
don't use a backup MX unless you can manage and secure it identically to your primary one, otherwise you can and will end up with unintended avenues for spammers, and other funny side effects.
that means yes, either make sure both MXes have identical firewall rules to drop traffic in front of them, or have none at all and do the IP blocking via the mailer daemon's configuration instead.
while it seems counterintuitive, in most cases i'd say a backup MX is worse for your overall email robustness and reliability. there are so many things to consider, and it's easier than one would think to end up in a situation where some emails are delivered to your backup MX during an outage of your primary one, but from that backup MX they never actually make it to your inbox. the sender doesn't know that though, because the email was successfully delivered to a valid MX of your domain, so it's considered OK.
what would happen in an identical scenario if there was no backup MX? the sender's server would simply keep retrying delivery until it either succeeds or gives up. if a retry succeeds: great, nothing to worry about. if it fails: at least the sender knows, because their mail server will tell them it was unable to deliver the message. then they can still seek to contact you via another means, or simply try sending the email again. at that point we're usually talking about >48h of downtime. if you're actually ever in that scenario, you can still go and spin up another MX as an interims solution when you actually need it.
i've been a postmaster for almost 8 years now and have not once had to deal with an MX downtime that was so long that an email was actually not delivered.
bottom line? email is more robust than you think. it will handle intermittent outages just fine. you most likely don't need a backup MX, and the additional complexity is usually not worth the effort. if you want to be on the safe side, prepare a fallback plan but only activate it when you really, really need it.
... and when you only have one MX you can focus on securing that properly, for example using the firewall rules you've already mentioned - without all the headache of dealing with the backup MX.