[Rspamd-Users] Backup MX?

Tim Harman tim at muppetz.com
Sun May 9 22:53:39 UTC 2021


On 08/05/2021 1:29 am, Tomek Kołosowski wrote:
> Hello,
> 
> I'd like to ask about best practices revolving around setting up
> backup MX server with rspamd. Mainly, how complex this setup should
> be?
> 
> I'll describe my specific use case here, though I'm sure this can be
> generalized to a more broad use-case range. But without further ado:
> 
> I have a personal self-hosted at home mailserver and I'm planning on
> setting up a proper backup MX in OVH. The stack is composed of
> postfix/dovecot/rspamd/clamav/roundcube, put together manually from
> distribution's packages (in this case, gentoo).
> 
> I'm planning on setting up a backup in OVH and was wondering if simple
> plain postfix with proper backup mx transport configuration would do,
> or do I also have to setup rspamd there as well? As far as I noticed,
> rspamd only checks direct sender against spam lists so I guess with
> such simple setup those checks would effectively stop working, as most
> email senders would try backup after noticing that primary server
> rejected their email?
> 
> On the other hand, if I were to setup rspamd there, how complex the
> deployment has to be as to not degrade protection measures? Do I have
> to cluster/synchronize bayes/neural/other storages? Or is there a
> simpler setup that I can get up to speed on backup MX that would not
> degrade my spam protection?
> 
> Any input is highly appreciated guys :)
> 
> Thanks,
> Tomasz Kołosowski

I'm the same, a small personal mailserver. I used to have a backup MX, 
speaking back to rspamd over an OpenVPN connection.  Then after a 
discussion with a workmate one day, I turned off my backup MX.

The reasons were because:
a) The backup MX gets more spam attempts.
b) Email servers these days will keep retrying if the primary MX is 
offline. Almost every mailserver out there will properly queue mail.
c) Email is pretty short-term these days, if your mailserver was down 
for say, longer than 7 days, would it really have been worthwhile having 
your backup MX accept all that mail anyway? (Some will argue YES to 
this, which is understandable)

My workmate made me realise the effort and bother of running a backup MX 
is basically pointless, because remote servers will enqueue mail they 
can't send. They act as a backup MX for you!

Anyway, to answer your question assuming you do want to run a backup MX:

It's very important the backup MX speaks to your rspamd instance.  
Otherwise things like greylisting don't work, nor proper spam filtering. 
If you don't, you'll find spammers very happily sending your backup MX 
a lot of mail which it'll happily accept.  You really want rspamd to 
have a "whole" view of your email, that is all points in your network 
where mail can "get in" should be filtered by rspamd.  Running multiple 
rspamds is also possible instead of both mailservers speaking to a 
single instance but you probably want to talk back to a single redis 
instance so they have the same view of things.  Otherwise you'll end up 
greylisting mail twice, or your primary mailserver won't learn as much 
spam via Bayes because a lot of spam will be sent to your backup MX which 
will filter it, so your primary mailserver's rspamd won't ever "see" it.

Again, for a small mailserver, I think it's more trouble than it's worth 
to do properly.  But if you do, you need to get the sync of the state 
correct.

Tim
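
The two arrangements described in the reply above, as an added configuration sketch that is not part of the original post: either the backup MX scans through the primary's rspamd over the VPN, or it runs its own rspamd against the primary's Redis. The addresses (10.8.0.1 for the primary's VPN endpoint), the domain example.org, the file locations and the password placeholder are assumptions.

```conf
# Constructed example: 10.8.0.1 is the primary's VPN address and example.org
# the mail domain. None of these values come from the thread.

# --- Option A: one rspamd on the primary, the backup MX scans through it ---

# primary: /etc/rspamd/local.d/worker-proxy.inc
# Expose the milter-mode proxy on the VPN interface as well as localhost.
bind_socket = "10.8.0.1:11332";
milter = yes;

# backup MX: /etc/postfix/main.cf
relay_domains = example.org
smtpd_milters = inet:10.8.0.1:11332
# If the tunnel or rspamd is down, defer the message. "accept" here would
# let mail in through the backup MX unfiltered.
milter_default_action = tempfail

# --- Option B: a second rspamd on the backup MX, sharing the primary's Redis ---

# primary: redis.conf
# Listen on the VPN address only (never a public interface) and require auth.
bind 127.0.0.1 10.8.0.1
requirepass CHANGE_ME_PLACEHOLDER

# backup MX: /etc/rspamd/local.d/redis.conf
# One Redis for every module, so greylisting and Bayes state is shared
# between both rspamd instances.
servers = "10.8.0.1:6379";
password = "CHANGE_ME_PLACEHOLDER";

# backup MX: /etc/postfix/main.cf
relay_domains = example.org
smtpd_milters = inet:127.0.0.1:11332
milter_default_action = tempfail
```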

