Ctrl+K

21 July 2023

Recent Posts

Setting up a backup MX host with Postfix#

Running a backup MX host is a good idea if you want to ensure that e-mails are not lost if your primary MX host is down. With Postfix, this is easy to set up on a Debian or Ubuntu system as both are shipped with Postfix.

Warning

Mail servers that are misconfigured can be used to send spam. Therefore, you should closely monitor your mail server and make sure that it is not misused by spammers. In case of any doubt, you should shut down your mail server immediately.

Introduction to MX hosts#

Mail servers use the MX record of a domain to determine the mail servers that are responsible for receiving e-mails for a domain. The MX record of a domain can be checked with the dig command:

Check the MX records of a domain#
$ dig example.com MX
example.com.               86400   IN      MX      10 mx1.example.com.
example.com.               86400   IN      MX      20 mx2.example.com.

In the example above, the domain example.com has two MX records. The first MX record has a priority of 10 and points to the mail server mx1.example.com. The second MX record has a priority of 20 and points to the mail server mx2.example.com. The mail server mx1.example.com is the primary MX host and the mail server mx2.example.com is the backup MX host.

Installing Postfix on the backup MX host#

The first step is to install Postfix on the backup MX host. This can be done with the following command on Debian or Ubuntu:

Install Postfix on Debian or Ubuntu#
$ sudo apt install postfix

The installation will ask you to select the type of mail configuration. Select Internet Site and enter the name of the backup MX host when asked for the system mail name. After this the mail server should be up and running.

Configure to relay e-mails by domains#

By default Postfix will only accept e-mails for the domains that are listed in the mydestination parameter in /etc/postfix/main.cf. To relay e-mails for other domains, you must add the domains to the relay_domains parameter in /etc/postfix/main.cf. The following command can be used to add the domain example.com to the relay_domains parameter:

Set the domains to relay#
$ sudo postconf -e 'relay_domains=$mydestination,example.com'

The second step is to configure the restrictions for the SMTP daemon. The following command can be used to define the restrictions to allow

Define restrictions for the SMTP daemon#
$ sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

Warning

You must not list example.com in the following parameters in /etc/postfix/main.cf:

  • mydestination

  • virtual_alias_domains

  • virtual_mailbox_domains

The third step is to configure the recipient maps for the relay domains. The following command can be used to set the recipient maps for the relay domains and defines the recipient maps as empty:

Set the recipient maps for the relay domains#
$ sudo postconf -e 'relay_recipient_maps='

The final step is to restart the Postfix service:

Restart the Postfix service#
$ sudo systemctl restart postfix

Note

Postfix keeps track which configuration items have been set by the user. The following command can be used to check the Postfix configuration changed by the user:

Check the Postfix configuration changes#
$ sudo postconf -n

The following command can be used to check the default Postfix configuration:

Check the default Postfix configuration#
$ sudo postconf -d

Configure to relay e-mails by target IP addresses#

In the previous section we configured Postfix to relay e-mails by domains. In this section we will configure Postfix to relay e-mails by target IP addresses. With the permit_mx_backup option, Postfix will relay e-mails to the target IP addresses of the MX records of the relay domains. This can be useful for mail servers that are used as backup MX hosts for multiple domains and do not want to configure the domain manually for every domain.

The following command can be used to set the target IP addresses for the relay domains:

Define the networks that are allowed to relay e-mails#
$ sudo postconf -e 'permit_mx_backup_networks=10.0.0.1'

Warning

Postfix verifies the MX records to determine the target IP addresses. Therefore, you must make sure that the MX records are correct. Otherwise, Postfix will not relay e-mails to the target IP addresses. This also allows for abuse of the backup MX host by spammers. Therefore, you should closely monitor your mail server and make sure that it is not misused by spammers. In case of any doubt, you should shut down your mail server immediately.

The second step is to configure the restrictions for the SMTP daemon. The following command can be used to define the restrictions to relay e-mails by target IP addresses using the permit_mx_backup option:

Define restrictions for the SMTP daemon#
$ sudo postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,permit_mx_backup,reject_unauth_destination'

The final step is to restart the Postfix service:

Restart the Postfix service#
$ sudo systemctl restart postfix

Testing the configuration#

To test the configuration, you can send an e-mail to the backup MX host. We first stop the primary mail server before the following command can be run on an outside server with Postfix to send an e-mail to the backup MX host:

Send an e-mail to test the backup MX host#
$ echo "Test mail" | mail -s "Test subject"  -r "[email protected]"

As the primary MX host is down, the e-mail should be delivered to the backup MX host. The following command can be used to check the Postfix logs on the host we have sent the e-mail on:

Check the Postfix configuration#
$ sudo journalctl -u postfix
Jul 22 13:37:16 mail postfix/smtp[17746]: 9205D60077: to=<[email protected]>, relay=mx2.example.com[10.0.0.2], delay=1, status=sent (250 2.0.0 Ok: queued as B421D60077)

If we check the Postfix logs on the backup MX host, we should see that the e-mail has been received and is hold in the queue for delivery when the primary MX host is up again:

Check the Postfix configuration#
$ sudo journalctl -u postfix
Jul 22 13:37:16 mx2 postfix/qmgr[3049]: B421D60077: from=<[email protected]>, size=892, nrcpt=1 (queue active)
Jul 22 13:37:16 mx2 postfix/smtpd[3051]: disconnect from mail.example.org[10.1.0.1]
Jul 22 13:37:16 mx2 postfix/smtp[3057]: connect to mx.example.com[10.0.0.1]: Connection refused (port 25)
Jul 22 13:37:16 mx2 postfix/smtp[3057]: B421D60077: to=<[email protected]>, relay=none, delay=0.07, delays=0.03/0.02/0.01/0, dsn=4.4.1, status=deferred (connect to mx1.example.com[10.0.0.1]]: Connection refused)

When the primary MX host is up again, the e-mail should be delivered to the primary MX host. The following command can be used to check the Postfix logs:

Check the Postfix configuration#
$ sudo journalctl -u postfix
Jul 22 14:37:44 mx2 postfix/qmgr[3080]: B421D60077: from=<[email protected]>, size=892, nrcpt=1 (queue active)
Jul 22 14:37:45 mx2 postfix/smtp[3083]: B421D60077: to=<[email protected]>, relay=mx1.example.com[10.0.0.1]:25, delay=1648, delays=1648/0.09/0.4/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9290A60077)

When we check the Postfix logs on the primary MX host, we should see that the e-mail has been received and delivered to the local mailbox:

Check the Postfix configuration#
Jul 22 14:37:45 mx1 postfix/local[4963]: 9290A60077: to=<[email protected]>, orig_to=<[email protected]>, relay=local, delay=0.54, delays=0.08/0.02/0/0.43, dsn=2.0.0, status=sent (delivered to command: /usr/bin/dovecot-lda)

Now we have a working backup MX host that will receive e-mails when the primary MX host is down or unreachable for some reason.

Use removeprefix instead of lstrip to remove a prefix from a string   Use systemd timers to make MariaDB backups
On this page