VM Pro secondary email server

My company (RJR Solutions) just upgraded to Virtualmin Pro. They asked me to set up VM GPL on a different server to act as a secondary MX server. I followed the directions here:
http://www.virtualmin.com/documentation/email/hold-and-forward

I logged into the secondary server, and did not see anything created in /var/mail

I performed the following test:

telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220 mailrelay.com ESMTP Postfix (Ubuntu)
HELO example.com
250 mailrelay.com
MAIL FROM: user@example.com
250 2.1.0 Ok
RCPT TO: user@example.com
554 5.7.1 user@example.com: Relay access denied

How do I know that the backup mail relay is working? It appears that it is not.

Nothing should ever appear in /var/mail. That’s the old mbox mail spool location.

On the forward and hold server, the mail would be held in the Postfix queue until it could be delivered.

The fact that you get a relay access denied means that it’s not working. We’ll need to see the maillog to know more about why. And I think there’s also one option in main.cf that is adjusted on the backup mail server…relay_domains, I think. So, make sure that’s being updated. The log and that directive will tell us more about where to look for trouble.

From mail.log:

Jun 29 11:28:03 rjrmailrelay1 postfix/smtpd[6163]: NOQUEUE: reject: RCPT from sendingserver.net[xxx.xxx.xxx.xxx]: 554 5.7.1 <user@example.com>: Relay access denied; from=<user@example.com> to=<user@example.com> proto=SMTP helo=<example.com>

I could not find relay_domains in main.cf. I found:

relayhost =

and it is empty. The variable is not assigned a value.

relayhost is not related, and should be disabled in the vast majority of cases. You can/should ignore it.

So, the backup MX stuff isn’t working in Virtualmin.

Did you remember to check the ‘Add all existing mail domains to secondary MX servers?’ box? Not doing so would lead to the secondary not knowing about any of your existing domains. You’d need to disable the secondary and re-enable it to trigger this again.

and you want this in the config file:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination permit_mx_backup

I disabled the secondary server in the webmin console, and re-added it using the really wide button that says “Save, and add existing domains to new secondaries”. I remember hitting this button the first time after I had hit the small one that says “Save”, and nothing happened. This time the output told me that it was copying the domains over to the secondary server. The HELO test worked fine this time. Thanks Joe.

About Ronald’s comment, is this still necessary? Which config file? The primary or the secondary?

Yeah that should be necessary on the secondary server so it knows it is allowed to act as a secondary server.

main.cf of secondary postfix is where you add it.

I enabled the secondary server last night by pointing the secondary mx record to the server. HELP!!! I had to switch the pointer back to the primary. The secondary server is generating backscatter like crazy. I need to disable bounce notification on the secondary server, or address it to a drop-dead catch-all, and drop bounced messages from the mail queue (I think.)

I added permit_mx_backup to the config file on the secondary server, as per above. But I can’t re-enable the server till I deal with the backscatter. Any ideas?

I used to get a lot of spam on my secondary mail server, … until I installed postgrey. This may be an option for you too.

There may be settings you have to check in Webmin’s module for Postfix, mainly SMTP Client Options and SMTP Client Restrictions.

For the company, you may be interested in Transparent SMTP proxies, see the Wiki: http://en.wikipedia.org/wiki/Transparent_SMTP_proxy

A proxy would open a connection to the destination MTA. Great for some things, but our secondary MX server is only needed when the primary is down, which is the destination MTA. I agree that greylisting on the secondary server will reduce the backscatter, but what is really needed is to keep the primary and secondary MX in sync somehow, using relay_recipient_maps. Then the email would be immediately rejected. Perhaps there is a documented procedure that I can follow? Perhaps a script that copies /etc/postfix/virtual.db from the primary to the secondary whenever email addresses are changed on the primary?

Somehow, I thought this had been implemented a couple of versions back in Virtualmin, though the docs don’t cover it. I’ll have to poke around a bit.

It took very few lines of code to end the backscatter problem on a relay MX server running Virtualmin GPL for a primary MX server using Virtualmin Pro. My fix seems to be working fine. For Joe and/or Jaime to review (make sure I didn’t compromise anything):

All of this was done to the relay server, not the primary!!!

First: install expect on relay server: On a debian system, just ‘apt-get install expect’
Next: Add to /etc/postfix/main.cf of relay server:
relay_recipient_maps = hash:/etc/postfix/relay_recipients

From a script I called ‘importMap.sh’ (using your own login info):
#!/usr/bin/expect -f
# Copy the primary's virtual map to the relay; it becomes the relay_recipients source.
# The first pattern answers the "(yes/no)?" host-key prompt on the first connection
# and keeps waiting; the second answers the password prompt.
spawn scp "admin@domain.tld:/etc/postfix/virtual" /etc/postfix/relay_recipients
expect {
    -re ".*es.*o.*" {
        exp_send "yes\n"
        exp_continue
    }
    -re ".*sword.*" {
        exp_send "PASSWORD\n"
    }
}
# Wait for scp to finish; the script runs from cron, so there is no terminal to hand over to.
expect eof

From a script I called ‘loadEmailMap.sh’:

#!/bin/sh
/usr/sbin/postmap /etc/postfix/relay_recipients

From /etc/crontab:

*/10 * * * * root /path-to-program/importMap.sh; /path-to-program/loadEmailMap.sh

Thanks, that gave me a great idea: simply use ‘Cluster copy files’ on the master server to copy the /etc/postfix/virtual file across to your child Webmin server, then select the option to run this script after the copy completes:

#!/bin/bash
# Recipients: keep only lines with an address, replace the right-hand side with OK,
# drop comment lines and catch-all (@domain) entries
sed -e 's/\t.*/\tOK/g' -e '/#.*/d' /tmp/virtual | grep -v '^@' | grep '.*@.*' > /etc/postfix/relay_recipients

# Domains: lines without an @ are the domains; strip everything after the tab
sed -e 's/\t.*//g' -e '/#.*/d' -e '/@/d' /tmp/virtual > /etc/postfix/relay_domains

rm -f /tmp/virtual

postmap hash:/etc/postfix/relay_domains
postmap hash:/etc/postfix/relay_recipients

Simples.
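Added example, not code from anyone in this thread: the same conversion as the sed one-liner above, but it also keeps catch-all entries (Postfix accepts an `@domain` key in relay_recipient_maps as a wildcard, so the secondary mirrors the primary's catch-all instead of rejecting mail the primary would accept) and handles comment and blank lines and space or tab separators. It assumes Virtualmin's `key<whitespace>value` layout with one `domain.tld domain.tld` line per domain, and writes to a directory you name rather than straight into /etc/postfix.

```shell
#!/bin/sh
# Added example, not code from the thread: build the relay_domains and
# relay_recipient_maps tables for a secondary MX from a Virtualmin-style
# /etc/postfix/virtual copied from the primary. Assumes the "key<whitespace>value"
# layout with one "domain.tld domain.tld" line per domain (assumption).
# Unlike the sed one-liner above, catch-all "@domain" keys are kept: Postfix
# treats "@domain" in relay_recipient_maps as a wildcard, so the secondary
# mirrors the primary's catch-all instead of rejecting mail it would accept.

# gen_relay_maps VIRTUAL_FILE OUT_DIR
gen_relay_maps() {
    virtual="$1"; outdir="$2"
    mkdir -p "$outdir"
    # Drop comment and blank lines; keep only the key column.
    awk '$1 !~ /^#/ && NF >= 1 { print $1 }' "$virtual" | sort -u > "$outdir/keys.tmp"
    # Recipients: every key containing "@" (addresses and catch-alls). The
    # right-hand side is arbitrary; only the key's presence matters to Postfix.
    grep '@' "$outdir/keys.tmp" | awk '{ print $1 "\tOK" }' > "$outdir/relay_recipients"
    # Domains: keys without "@" are the virtual alias domains themselves.
    grep -v '@' "$outdir/keys.tmp" | awk '{ print $1 "\tOK" }' > "$outdir/relay_domains"
    rm -f "$outdir/keys.tmp"
    # Compile the hash: tables when postmap is installed (absent on test hosts).
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$outdir/relay_domains" "hash:$outdir/relay_recipients"
    fi
}

# Constructed sample standing in for the primary's virtual file.
write_sample_virtual() {
    cat > "$1" <<'EOF'
# Constructed sample; not a real Virtualmin file.
example.com	example.com
alice@example.com	alice.example
bob@example.com	bob.example
@example.com	alice.example

example.org	example.org
carol@example.org	carol.example
EOF
}

# Demo: writes only under a temporary directory, never into /etc/postfix.
demo_dir=$(mktemp -d)
write_sample_virtual "$demo_dir/virtual"
gen_relay_maps "$demo_dir/virtual" "$demo_dir/out"
cat "$demo_dir/out/relay_recipients" "$demo_dir/out/relay_domains"
```

On the secondary, main.cf then points relay_domains and relay_recipient_maps at the generated hash: tables, and with relay_domains populated this way reject_unauth_destination already permits the backup domains.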

We have a similar config, and our secondary mail servers are now also listed on Backscatterer, because they accept mail for any user on the secondary domains, then send back mail saying that the user doesn’t exist. It would be really good to have this properly solved in such a Virtualmin config, so that when email users get modified on the main mail server, this gets reflected and taken into account on the secondary mail servers too.

Any hint?