Running a secondary server
Posted: Sat Mar 24, 2007 4:48 pm
by jmackenz
Hello,
I just acquired a second server. My intention is to use it as secondary dns, but I have just been thinking about maybe using one as my outgoing server and the other as my incoming, therefore allowing me to properly implement spf records, get around my spam filtering issues, etc.
I am running 7.5 reloaded on my primary (valueweb) and have the option of having plesk 8; currently I have just root access / vcp on the as-yet-untouched secondary virtual server (1and1).
Is there any recommended way to do what I want to do securely? If it could also serve the web content in the event of a failure then all the better, but definitely not a necessity.
Thanks for your input!
- John
Posted: Sun Mar 25, 2007 11:02 am
by scott
You could run PG on it, although if it's a VPS you'll have to do some hacking to get it to work correctly. Secondary dns is doable too; check out the Auto-Secondary DNS project. Clustering would be a bit more work; the path of least resistance would be to set it up as a hot-spare.
Posted: Sun Mar 25, 2007 11:10 am
by jmackenz
I saw the secondary dns project; it seemed like a very easy way to accomplish that.
I guess what I'm hung up on is that I would very much like to be able to split up incoming and outgoing servers, but have no idea how you would deal with authenticating everyone without manually duplicating every change that is made on the primary's side.
Is this something that PG could help with?
Posted: Wed Mar 28, 2007 10:18 am
by jmackenz
Hello,
Got secondary dns up and running. Pondering what to do about my other desire for the server, I think I finally got what you were trying to say, Scott.
By not running any qmail scanner on the primary, and having the secondary as the only mx and the only one doing scanning and filtering, local-to-local would no longer be falsely tagged.
Now would spf records tell external clients that they were sent from a legitimate mailer, or would it still at their end fall back to saying it originated at a non-authorized dynamic ip?
Also, would it then be possible to allow mail to pass through the primary qmail server only if it either a. originated from an authenticated sender, or after pop lock, or b. it was received and passed by my mx, the secondary server?
Posted: Wed Mar 28, 2007 3:34 pm
by scott
Spamassassin's SPF checks look at all the headers, so it doesn't matter where the smarthost is. The psa thing, I have no idea. I don't use it, since it's already in spamassassin.
You'd have to modify qmail to do what you want on your last question. I recall having a discussion with someone in the plesk forums about this a while back. I don't remember if we came up with a solution or not, but some ideas off the top of my head: you could run your own RBL and populate it with pop locking, or use firewall rules with some kind of script looking at the logs, run it on a different port, etc.
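The SPF question above (whether a record naming the outgoing server tells a receiver that mail from it is legitimate) illustrated with an added example that is not part of this thread: a minimal evaluator for the ip4, ip6 and all mechanisms that returns the result a receiving SPF check would reach from the record and the connecting IP. The record and addresses are constructed; mechanisms needing DNS (include, a, mx, redirect) are deliberately not resolved here.

```python
import ipaddress

# Constructed example record: only the designated outgoing server may send
# for the domain; any other connecting IP gets a hard fail (-all).
EXAMPLE_SPF = "v=spf1 ip4:198.51.100.10 ip6:2001:db8::25 -all"

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF TXT record against the IP that connected to the MX.

    Handles ip4, ip6 and all. include/a/mx/redirect need DNS lookups, so
    this offline example reports them as 'permerror' (an assumption made
    here, not how a full SPF library behaves).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # "all" always matches
        if mech in ("ip4", "ip6"):
            try:
                # A bare address means a /32 or /128 network.
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed mechanism argument
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                       # no match, try the next term
        return "permerror"                 # DNS-based mechanism, unsupported here
    return "neutral"                       # nothing matched and no "all" term
```

A receiver that applies this logic gives "pass" only when the connecting IP is one the record lists, which is why the outgoing server, not a user's dynamic IP, must be the host that connects to remote MXs.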
Posted: Wed Apr 25, 2007 5:49 pm
by jmackenz
How about shifting qmail port on primary system, and tarpitting port 25?
Can you tell the secondary qmail what port to pass things to?
Posted: Wed Apr 25, 2007 11:23 pm
by scott
Not internally, no, but you could do that with firewall rules. I do that all the time with things like openvpn / httpd both "listening" on port 443 to get through firewalls (nobody blocks port 443). You could also just turn port 25 off and use 465 (SSL smtp). A PG box will automatically use that first, if it's detected, and then fall back on port 25.