I have another issue that has arisen since I set up this “host2” secondary mail server with Virtualmin GPL (remembering host1 is Virtualmin Pro).
No DNS is sent through either Virtualmin server.
DNS is controlled via my domain registrars (including client domains on my system).
I have no nameserver glue records configured at the registrar for my host1.domain.com (or host2.domain.com).
DNS domain is not enabled in Virtualmin for any virtual server.
After running through the tutorial on setting up secondary mail servers, I woke up the next morning to find clients getting duplicate emails! Every virtual server domain on the system where mail is enabled had the same problem.
I turned off the secondary server…immediately any email sent from Hotmail to my server was rejected!
I turned the secondary back on and disabled Webmin Servers Index > Webmin Servers (host2)…emails from Hotmail rejected!
I added host2.domain.com back into Webmin Servers Index > Webmin Servers (host2)…now the double emails have stopped!
I don't understand: when there are no glue records and no secondary MX records…how can server2 even have anything to do with this?
How do I even check what host2 is actually doing with regards to email at present? Why are emails on host1 being immediately rejected if host2 is turned off?
Where you host DNS doesn’t change anything in the guide except how you create MX records. A hold-and-forward backup server needs an MX record with lower priority than the primary (and an A record for the server that the MX record points to). That’s it.
Finally, at the client's registrar DNS, do I need a second SPF record for server2, or can I combine the two servers into a single SPF record? (The original client SPF is below.)
SPF TXT: v=spf1 mx a ip4:12.34.56.78 a:server1.clientdomain.com ~all
Do I just add a second SPF like…
SPF TXT: v=spf1 mx a ip4:12.34.56.789 a:server2.clientdomain.com ~all
An MX record points to a name. An A (name) record points to an IP. The MX record should point to the A record for your secondary server.
What? The registrar is not involved at all, unless you mean you’re using your registrar’s DNS servers to host your zones. The registrar just sets up a glue record in the root name servers for you to point to whatever DNS servers you choose (which may be your own, a service like AWS, or most registrars also provide DNS for free or a small additional charge…but that’s a different service).
Add the A record and the MX record to whatever DNS servers are hosting your zone. SPF/DKIM is a separate problem, and you only need SPF if you will also be sending mail through your secondary server (rather than just receiving in a hold-and-forward configuration).
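Tying together the MX, A and SPF points in the reply above and the earlier question about publishing two SPF records: an added example, not code from this thread or from Virtualmin, that checks a constructed zone for the primary/backup MX layout and merges two SPF strings into the single v=spf1 record a domain may publish (RFC 7208 treats two v=spf1 TXT records on one name as a permanent error). Names and IPs are placeholders taken from the thread, and the zone data is constructed.

```python
from ipaddress import ip_network

# Constructed zone for the thread's layout (placeholder names and IPs, not real
# records): host1 is the primary mail server, host2 the hold-and-forward backup.
# An MX preference is a number, and a LOWER number is MORE preferred.
ZONE = {
    "clientdomain.com.": {
        "MX": [(10, "host1.domain.com."), (20, "host2.domain.com.")],
        "TXT": ["v=spf1 mx a ip4:12.34.56.78 a:server1.clientdomain.com ~all"],
    },
    "host1.domain.com.": {"A": ["12.34.56.78"]},
    "host2.domain.com.": {"A": ["13.65.86.92"]},
}

def check_backup_mx(zone, domain, primary, backup):
    """Return problems (empty list if none) with a primary/backup MX setup."""
    problems = []
    mx = {name: pref for pref, name in zone.get(domain, {}).get("MX", [])}
    if primary not in mx or backup not in mx:
        problems.append("both mail servers need an MX record")
    elif mx[backup] <= mx[primary]:
        problems.append("backup MX needs a higher preference number than the primary")
    for name in (primary, backup):  # MX points to a name; that name needs an A record
        if not zone.get(name, {}).get("A"):
            problems.append(name + " has no A record")
    return problems

def merge_spf(*records):
    """Combine several v=spf1 strings into the single record a domain may publish
    (two v=spf1 TXT records on one name fail SPF with a permanent error). Terms
    keep first-seen order, duplicates are dropped, the last 'all' qualifier wins,
    and a syntactically bad ip4 value (e.g. 12.34.56.789) raises ValueError."""
    terms, final_all = [], "~all"
    for rec in records:
        parts = rec.split()
        if not parts or parts[0] != "v=spf1":
            raise ValueError("not an SPF record: " + rec)
        for term in parts[1:]:
            mech = term.lstrip("+-~?")           # drop the qualifier, if any
            if mech == "all":
                final_all = term
                continue
            if mech.startswith("ip4:"):
                ip_network(mech[4:], strict=False)   # ValueError on a bad address
            if term not in terms:
                terms.append(term)
    return " ".join(["v=spf1"] + terms + [final_all])
```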
No. Networks is networks. But, they do need to be able to reach each other on port 10000-10010. So, make sure that works. Webmin just makes web requests to the other Webmin server. If it can’t connect, you’ve got a network problem, maybe firewall.
I use the same network firewall for both systems. Maybe it's the firewall on the server itself? I haven't configured anything on the server myself though, it's just a stock Virtualmin install. I don't understand why the two won't talk to each other…I have had this problem in the past and never did find a solution to it.
If I didn't know better I would say it's because the default install requires DNS to be managed by the systems themselves. Because I am not doing it that way, something isn't right, because it is not resolving the second server IP address in Webmin. This cannot be: if I go to a web browser and enter either the IP address or the URL for the second server, I can bring it up easily. It's just that Webmin server registration is unable to do this on the primary server (I have altered my actual domain below).
This has to be something wrong in Webmin…I mean, all that is required are the IP address (or host.domain.com), a user, and a password, yes?
The second I change the Webmin setting to “normal link to server” it brings up the Webmin login screen. I change it back to username: root, password: , and it times out.
Is root not allowed to access the secondary via this method?
Hi Joe,
Yes, Webmin is accessible with no problems on both servers (Virtualmin Pro and Virtualmin GPL).
I can perform MXToolbox checks on the DNS and both are resolving.
When I say I feel there is something wrong in Webmin, I don't mean it's a flaw exactly, maybe something I need to do that I haven't done correctly.
Having said that, I doubt that MXToolbox is going to successfully check the SMTP; I don't have any domains on the second system (i.e. no virtual servers). Am I supposed to? My domains are all on the primary system.
Does the second system at least need a single Apache virtual host on it? (Say for the host itself…e.g. host2.domain.com with a web directory.)
I am new to the idea of using backup mail servers, and relatively new to mail servers in general…so you have to treat me as a newbie on this.
Also,
if I go to the second server…Webmin > Webmin Servers Index > and add the primary server to the servers list on the backup mail server…and I choose the SSL option…
the status of the primary server when looking at it from the second is as follows:
Because something is preventing it. Firewall, routing issue, who knows? If you can reach both Webmin instances, then you know they’re up. This isn’t a complicated thing to configure, and you clearly have a network problem not a problem with password or whatever. It says “Timeout connecting”, which is a network problem. No connection. Make sure both servers can reach ports 10000-10100 (I said 10010 above, but I think fast RPC can theoretically use more). Try disabling Fast RPC just to see if maybe your firewall isn’t allowing the other ports…10000 is sufficient for your browser, but not sufficient for Fast RPC API mode.
Woohoo, I have figured out the problem and made some progress.
When I installed the Virtualmin GPL system, without realising that a particular safety habit I have would cause communication issues between two Webmin systems, I had automatically restricted Webmin control panel access to only my home static IP address by adding the following:
Webmin > Webmin Configuration > IP Access Control > Allow only from listed IP addresses
12.34.56.78 (my home static IP address)
I did not realise that this had anything to do with Webmin-to-Webmin calls between two systems that have been added in the Webmin Servers Index!
Clearly it does, because as soon as I made this file look like the following:
12.34.56.78 (my home static IP address)
13.65.86.92 (host2 static IP address)
voila, now in the Webmin Servers Index I get the following:
Normally I would have restricted my Virtualmin Professional IP access to my home static IP address, but I had disabled this recently due to a power failure at my office: I was relying on a mobile connection for all internet for almost 7 days and had to remove this restriction in order to access the Virtualmin Pro system. That is why my host2.domain.com was working with this but not host1.domain.com! (host2.domain.com was installed recently and was restricting Webmin IP access, and so it could access host1.domain.com but not the other way around!)
Agh…how do I now log out of the second server after accessing it via Webmin > Webmin Servers Index on the primary server?
The logout button is not visible?
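The one-way failure described in this post (host2 could reach host1, but host1 could not reach host2) is easy to reproduce offline. This is an added example, not code from the thread or from Webmin: it reads the allow= line that Webmin's IP Access Control writes to /etc/webmin/miniserv.conf, checks both directions between the two servers, and shows the fix of adding the peer's address. The configuration fragments and the home IP 203.0.113.5 are constructed placeholders; real changes should be made in Webmin > Webmin Configuration > IP Access Control so that miniserv picks them up.

```python
from ipaddress import ip_address, ip_network

# Constructed miniserv.conf fragments for the two servers (placeholder values).
# Webmin stores "Allow only from listed addresses" as a space-separated allow=
# line; a file with no allow= line accepts connections from anywhere.
HOME_IP, HOST1_IP, HOST2_IP = "203.0.113.5", "12.34.56.78", "13.65.86.92"
HOST1_CONF = "port=10000\nssl=1\n"                   # restriction removed during the outage
HOST2_CONF = "port=10000\nssl=1\nallow=" + HOME_IP + "\n"   # home IP only, host1 missing

def parse_allow(conf):
    """Return the allow= entries of a miniserv.conf text, or None if unrestricted."""
    for line in conf.splitlines():
        if line.startswith("allow="):
            return line[len("allow="):].split()
    return None

def is_allowed(entries, client_ip):
    """Would miniserv accept client_ip? Entries may be addresses or CIDR/netmask
    networks; hostname entries are skipped because this check runs without DNS."""
    if entries is None:
        return True
    addr = ip_address(client_ip)
    for entry in entries:
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname or wildcard entry, not resolvable offline
    return False

def check_pair(conf_a, ip_a, conf_b, ip_b):
    """Report each direction of Webmin-to-Webmin access between two servers."""
    return {"a_to_b": is_allowed(parse_allow(conf_b), ip_a),
            "b_to_a": is_allowed(parse_allow(conf_a), ip_b)}

def add_allow(conf, ip):
    """Return conf with ip appended to its allow= list (unchanged if unrestricted)."""
    lines = conf.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("allow="):
            entries = line[len("allow="):].split()
            if ip not in entries:
                lines[i] = "allow=" + " ".join(entries + [ip])
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print("before:", check_pair(HOST1_CONF, HOST1_IP, HOST2_CONF, HOST2_IP))
    print("after: ", check_pair(HOST1_CONF, HOST1_IP, add_allow(HOST2_CONF, HOST1_IP), HOST2_IP))
```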
So Joe, can I just clarify…
As you know, my primary server is having a problem with Dovecot in the system monitor (it is not recognising that Dovecot is running and keeps saying it's offline, even though Dovecot is delivering emails).
Will that affect my secondary mail server at all?
I.e. I don't want my clients getting mail errors…for example duplicate emails being delivered etc.
If your secondary is correctly configured for hold and forward it should never see mail unless the primary is unreachable. And, Dovecot on the secondary is never involved, as your users will never be connecting to the secondary to retrieve mail. Secondary just makes sure mail is never lost.
I don’t know why you had duplicates before…mail from outside servers should only ever reach one of your two servers. Primary if it is available, secondary if primary is not. Secondary accepts mail on behalf of your users and then sends it along to primary when primary comes back up.
OK great. Now that both systems are talking to each other, and I have the entries in the registrar DNS hosting for both mail servers, I expect that it will now work.
My assumption is that the only real way to check this is to shut down the primary system host1.domain.com?
I will pick a time when it's not busy and shut one of the primaries down and see if the backup shows an email queued.
To think that all of my heartache could have been avoided if somewhere in that tutorial it said “make sure that one addresses the issue of IP Access Control! The opposite server IP address has to be whitelisted for each to communicate with the other!”
Isn't there some kind of an API workaround for this such that, when two of my own servers are indexed in Webmin so they communicate with each other, they bypass this issue?