[Mimedefang] What is the order of things that occur

Jan-Pieter Cornet johnpc at xs4all.nl
Tue Jul 11 18:36:23 EDT 2006


On Tue, Jul 11, 2006 at 04:00:05PM -0400, Steve Campbell wrote:
> >In the current internet, there isn't any point in having a secondary
> >MX just for the purpose of fallback, if your primary server is mostly
> >up.
> 
> My boss is afraid of losing the secondaries. He feels that if these 
> tempfail due to the primary being down, the secondary would hold them and 
> we could flush the queue to deliver them faster and with control of it in 
> our hands.

No, the secondary would tempfail too, so you end up NOT accepting the
email on the secondary. Try it.

I feared the need for a secondary would be boss-induced :) It's now
your job to educate the boss.

The options are simple: fallback MX, as you described, is practically
useless, especially in the "tempfail when primary is down" scenario.
Legitimate senders will retry anyway, within a reasonable amount
of time, and really crappy "legitimate" bulk senders won't retry
even after a proper 4xx tempfail (like yahoogroups, or so I'm told).

If you really want to build a redundant mail server, there is a lot
more to it than just slapping a secondary MX in your DNS.

You can either buy a box that's redundant all the way, for example
one of the SUN or HP boxes - multiple CPUs, multiple power supplies,
built-in RAID or connect it to a SAN.

Or you buy (or build - with Linux and LVM and redundant PC style
hardware - if you're feeling adventurous and cheap) an NFS device
that has enough redundancy itself (at least RAID, preferably RAID 6),
maybe with a SAN-backend, dual power supply and the works.

Then add a cluster of (at least 2, 3 is better) identical machines
that share the same configuration, and that mount the NFS device
for storage. Add another cluster for IMAP or POP servers if you
like (or simply add the IMAP/POP servers to the sendmail cluster
if you don't have a high load).

That way, when a piece of hardware fails, the users don't notice
anything (maybe some connection timeouts unless you also add some
form of dynamic load balancing. DNS load balancing is good enough
for a few incoming mail servers). And you don't need to rush
to get the faulty hardware replaced.

Make sure you add redundant cross-connected routers, and most
important: a redundant internet connection, or host the setup
at a bigger colocate farm.

If you do all that, you're really making a difference,
reliability-wise. Now go calculate the required hardware and present your
boss with a cost estimate, and preferably also estimate
which components are most likely to fail (usually disks and
internet connectivity), and as a result which cost savings
would have the least impact on reliability.

You'll find out that just adding a backup MX adds practically zero
to your reliability :)

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!


