[Rspamd-Users] Backup MX?

Tomek Kołosowski tomek at kolosowscy.pl
Tue May 11 10:22:33 UTC 2021


Hi,

I was thinking that perhaps I'd still try to set up a backup just for 
the sake of an educational value I might get out of it, but given it'd 
have to essentially be a 2-node master-master cluster and as far as I 
know these should come in sizes of minimum three to work, I think I'll 
just back off and abandon it entirely.

Thanks for the input, you certainly got me convinced.

Tomek

W dniu 10.05.2021 o 00:53, Tim Harman via Users pisze:
> On 08/05/2021 1:29 am, Tomek Kołosowski wrote:
>> Hello,
>>
>> I'd like to ask about best practices revolving around setting up
>> backup MX server with rspamd. Mainly, how complex this setup should
>> be?
>>
>> I'll describe my specific use case here, though I'm sure this can be
>> generalized to a more broad use-case range. But without further due:
>>
>> I have a personal self-hosted at home mailserver and I'm planning on
>> setting up a proper backup MX in OVH. The stack is composed of
>> postfix/dovecot/rspamd/clamav/roundcube, put together manually from
>> distribution's packages (in this case, gentoo).
>>
>> I'm planning on setting up a backup in OVH and was wondering if simple
>> plain postfix with proper backup mx transport configuration would do,
>> or do I also have to setup rspamd there as well? As far as I noticed,
>> rspamd only checks direct sender against spam lists so I guess with
>> such simple setup those checks would effectively stop working, as most
>> email senders would try backup after noticing that primary server
>> rejected their email?
>>
>> On the other hand, if I were to setup rspamd there, how complex the
>> deployment has to be as to not degrade protection measures? Do I have
>> to cluster/synchronize bayes/neural/other storages? Or is there a
>> simpler setup that I can get up to speed on backup MX that would not
>> degrade my spam protection?
>>
>> Any input is highly appreciated guys :)
>>
>> Thanks,
>> Tomasz Kołosowski
>
> I'm the same, a small personalal mailserver. I used to have a backup 
> MX, speaking back to rspamd over a OpenVPN connection. Then after a 
> discussion with a workmate one day, I turned off my backup MX.
>
> The reasons were because:
> a) The backup MX gets more spam attempts.
> b) Email servers these days will keep retrying if the primary MX is 
> offline. Almost every mailserver out there will properly queue mail.
> c) Email is pretty short-term these days, if your mailserver was down 
> for say, longer than 7 days, would it really have been worthwhile 
> having your backup MX accept all that mail anyway? (Some will argue 
> YES to this, which is understandable)
>
> My workmate made me realise the effort and bother of running a backup 
> MX is basically pointless, because remote servers will enqueue mail 
> they can't send. They act as a backup MX for you!
>
> Anyway, to answer your question assuming you do want to run a backup MX:
>
> It's very important the backup MX speaks to your rspamd instance. 
> Otherwise things like greylisting don't work, nor proper spam 
> filtering.  If you don't, you'll find spammers very happily sending 
> your backup MX a lot of mail which it'll happily accept. You really 
> want rspamd to have a "whole" view of your email, that is all points 
> in your network where mail can "get in" should be filtered by rspamd.  
> Running multiple rpsmads is also possible instead of both mailservers 
> speaking to a single instance but you probably want to talk back to a 
> single redis instance so they have the same view of things.  Otherwise 
> you'll end up greylisting mail twice, or your primary mailserver won't 
> learn as much spam via Bayes because a lot of spam will be send your 
> backup MX which will filter it, so your primary mailserver's rspamd 
> won't ever "see" it.
>
> Again, for a small mailserver, I think it's more trouble than it's 
> worth to do properly.  But if you do, you need to get the sync of the 
> state correct.
>
> Tim


More information about the Users mailing list