Re: [Exim] backup MX setup...

Author: Phil Pennock
Date:  
To: Leonardo Boselli
CC: exim-users
Subject: Re: [Exim] backup MX setup...
On 2000-08-19 at 23:07 +0200, Leonardo Boselli gifted us with:
> Is there a way to trigger the delivery of mail from the third backup
> server, to a lower relay


Within Exim - ETRN.

Alternatively, if you want to avoid ETRN, perhaps set up a
passphraseless SSH key. Whilst the principles below are some that I use
regularly, I've never used this with Exim - no need to, for me.

Eg, we have two machines accepting mail for example.org.

example.org MX 10 fred.example.org
example.org MX 20 gladys.example.net

fred.example.org has IP address 192.168.42.1, gladys runs sshd. Please,
you are using ssh and not telnet/rlogin for logging in remotely, aren't
you?

On 'fred', you need a usercode, preferably without any other
privileges, which can detect when the link is up. Let's say the
usercode is 'linkup'.

linkup@fred$ ssh-keygen -f /home/linkup/.ssh/up-key -N '' \
    -C 'linkup@??? (net connection up)'

This generates a private key keyfile 'up-key' and a public key keyfile
'up-key.pub'. The file 'up-key.pub' will be in plain text. There will
be two short numbers, then a very long number, then the string which you
passed with -C (the key comment option). The contents form _one_ very
long line.

On gladys, you have an account 'fredmach' specially for this. Or, if
you're confident, perhaps use account 'exim' directly. Whatever, the
account will (AIUI) need to be an admin_user of Exim.

Then you have a script on fred which is run whenever the link comes up,
and basically does:
 ssh -i /home/linkup/.ssh/up-key -l fredmach gladys.example.net \
     /home/fredmach/forcedeliver_fred


On gladys, you have the following two files:

/home/fredmach/forcedeliver_fred:
#!/bin/sh
exec /path/to/exim -Rff example.org

/home/fredmach/.ssh/authorized_keys

The file authorized_keys contains one line. It's the contents of
up-key.pub WITH RESTRICTIVE OPTIONS before it:
from="192.168.42.1",command="/home/fredmach/forcedeliver_fred",no-port-forwarding,no-X11-forwarding,no-agent-forwarding

where that is all one long line, with one space, then the up-key.pub
contents. Those options are important - they minimise the risk of this
becoming a security hole.

See: "authorized_keys file format" in sshd(8)
     the command-line options bit of the Exim docs


Question for Philip Hazel: is it better to use "-Rff" or just "-R" for
forcing the delivers?
--
"We've got a patent on the conquering of a country through the use of force.
We believe in world peace through extortionate license fees." -Bluemeat
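An added example, not part of Phil Pennock's post: a small Python audit that parses an authorized_keys file and reports any key line that lacks the restrictive options recommended above (from=, command= and the three no-*-forwarding flags). The option parser handles quoted values containing commas or spaces; the sample file contents, including the SSH-1 style numeric key material, are constructed.

```python
"""Audit authorized_keys lines for the from=/command=/no-*-forwarding restrictions."""

REQUIRED_FLAGS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}

def split_options(line):
    """Return (options, key_part) for one line, or None for blank/comment lines.
    Options are comma-separated; quoted values may contain commas and spaces."""
    line = line.strip()
    if not line or line[0] == "#":
        return None
    # SSH-1 lines start with the bit count; SSH-2 lines start with a key type.
    if line[0].isdigit() or line.startswith(("ssh-", "ecdsa-", "sk-")):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):   # escaped char inside quotes
            cur += line[i + 1]
            i += 2
            continue
        if c == '"':
            quoted = not quoted                            # quotes are stripped
        elif c == "," and not quoted:
            opts.append(cur)
            cur = ""
        elif c == " " and not quoted:                      # end of options field
            opts.append(cur)
            return opts, line[i + 1:].strip()
        else:
            cur += c
        i += 1
    return opts, ""                                        # options but no key: malformed

def audit_line(line):
    """Return the list of problems with one line; an empty list means it is restricted."""
    parsed = split_options(line)
    if parsed is None:
        return []
    opts, key = parsed
    if not key:
        return ["no key material after options"]
    names = {o.split("=", 1)[0].lower() for o in opts}
    problems = []
    if "from" not in names:
        problems.append("missing from= (any source host may use the key)")
    if "command" not in names:
        problems.append("missing command= (key grants an unrestricted shell)")
    problems.extend("missing " + flag for flag in sorted(REQUIRED_FLAGS - names))
    return problems

def audit_file(text):
    """Map 1-based line number -> problems, for every line that is not fully restricted."""
    return {n: p for n, line in enumerate(text.splitlines(), 1) if (p := audit_line(line))}

# Constructed sample: line 2 is the restricted key from the post, line 3 is an unrestricted one.
SAMPLE = """\
# constructed sample authorized_keys
from="192.168.42.1",command="/home/fredmach/forcedeliver_fred",no-port-forwarding,no-X11-forwarding,no-agent-forwarding 1024 35 1234567890 linkup (net connection up)
1024 35 9876543210 someone@elsewhere
"""
```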