61
21.1 Legacy Series / Re: Redelivey of spam by backup email servers
« on: April 20, 2021, 09:47:04 pm »
don't use a backup MX unless you can manage and secure it identically to your primary one, otherwise you can and will end up with unintended avenues for spammers, and other funny side effects.
that means yes, either make sure both MXes have identical firewall rules to drop traffic in front of them, or have none at all and do the IP blocking via the mailer daemon's configuration instead.
while it seems counterintuitive, in most cases i'd say a backup MX is worse for your overall email robustness and reliability. there are so many things to consider, and it's easier than one would think to end up in a situation where some emails are delivered to your backup MX during an outage of your primary one, but from that backup MX they never actually make it to your inbox. the sender doesn't know that though, because the email was successfully delivered to a valid MX of your domain, so it's considered OK.
what would happen in an identical scenario if there was no backup MX? the sender's server would simply keep retrying delivery until it either succeeds or gives up. if a retry succeeds: great, nothing to worry about. if it fails: at least the sender knows, because their mail server will tell them it was unable to deliver the message. then they can still seek to contact you via another means, or simply try sending the email again. at that point we're usually talking about >48h of downtime. if you're actually ever in that scenario, you can still go and spin up another MX as an interims solution when you actually need it.
i've been a postmaster for almost 8 years now and have not once had to deal with an MX downtime that was so long that an email was actually not delivered.
bottom line? email is more robust than you think. it will handle intermittent outages just fine. you most likely don't need a backup MX, and the additional complexity is usually not worth the effort. if you want to be on the safe side, prepare a fallback plan but only activate it when you really, really need it.
... and when you only have one MX you can focus on securing that properly, for example using the firewall rules you've already mentioned - without all the headache of dealing with the backup MX.
that means yes, either make sure both MXes have identical firewall rules to drop traffic in front of them, or have none at all and do the IP blocking via the mailer daemon's configuration instead.
while it seems counterintuitive, in most cases i'd say a backup MX is worse for your overall email robustness and reliability. there are so many things to consider, and it's easier than one would think to end up in a situation where some emails are delivered to your backup MX during an outage of your primary one, but from that backup MX they never actually make it to your inbox. the sender doesn't know that though, because the email was successfully delivered to a valid MX of your domain, so it's considered OK.
what would happen in an identical scenario if there was no backup MX? the sender's server would simply keep retrying delivery until it either succeeds or gives up. if a retry succeeds: great, nothing to worry about. if it fails: at least the sender knows, because their mail server will tell them it was unable to deliver the message. then they can still seek to contact you via another means, or simply try sending the email again. at that point we're usually talking about >48h of downtime. if you're actually ever in that scenario, you can still go and spin up another MX as an interims solution when you actually need it.
i've been a postmaster for almost 8 years now and have not once had to deal with an MX downtime that was so long that an email was actually not delivered.
bottom line? email is more robust than you think. it will handle intermittent outages just fine. you most likely don't need a backup MX, and the additional complexity is usually not worth the effort. if you want to be on the safe side, prepare a fallback plan but only activate it when you really, really need it.
... and when you only have one MX you can focus on securing that properly, for example using the firewall rules you've already mentioned - without all the headache of dealing with the backup MX.