[ On Sunday, June 29, 2003 at 18:27:31 (+0100), Giuliano Gavazzi wrote: ]
> Subject: Re: [Exim] mirror MX
>
> that is the question. The mailboxes are not going to be in sync, and
> this is because users are going to access only one of the two servers
> to retrieve their email. Sync-ing could only be done safely at a time
> when no mail is waiting to be transferred from one server to the
> other. So the sync-ing should first stop the mail servers, then check
> the queues and finally synchronise the secondary server to the main
> one (that also offers pop/imap)
I would suggest to you then that e-mail is one of those transitive data
transfer applications where high-availability end-points are almost
infinitely more valuable and infinitely easier to manage than trying to
implement redundancy across the board.
I.e. spend your money on a high-availability server and mirror your
incoming e-mail to removable media that can be taken off-site for
archival. Do regular backups of your IMAP mail store and teach your
users to use IMAP-capable mail readers and to leave any e-mail they wish
to archive on the server in sub-folders so that the regular backups
preserve their mail folders in off-site copies.
> My main concern is to be able to keep all incoming mail in duplicate,
> so that if a server has a hard failure new mail is not lost (except
> for what was being delivered at the time of failure) or even if the
> main server goes off-line for several hours, one could still access
> email logging in the other one.
Use RAID 1 or RAID 1+0 or RAID 5 for your IMAP store.
Do regular full backups of your IMAP store and keep a recent copy
off-site at all times. Note that backups can often be done effectively,
more efficiently, and more economically to rotating disks these days
than they can be to tape. Build a storage server with RAID 1+0 on
low-cost ATA drives in hot-swap bays with one controller for each drive.
Keep three or more sets of drives for each mirror, each already in its
hot-swap carrier. Use hard-shell carrying cases that can safely hold a
complete mirror set in shock-proof, static-proof foam. Break the
mirror, swap the drives out with the off-site copy, and then re-mirror.
Four sets let you keep one set off-site and one set in transit while two
sets live in the backup machine. Use a continually restarting rsync to
backup the IMAP mail store and all system configuration files, etc. to
the backup server. Keep spare backup disks on-site and off-site and be
prepared to replace dying backup disks from your mirror sets. Remember
that 500GB ATA drives at less than $1/GB are nearly here and 1TB drives
are probably just on the horizon.
For added availability build a second identical high-availability server
and use a continually restarting rsync to mirror your configurations and
IMAP mail store to it. Do not mirror your MTA mail queue(s) though and
do not run a mailer on this hot standby server. Be prepared to quickly
rename and re-number the mirror server so that it takes over as the MTA
and IMAP box should the primary fail. You could keep it at a second
location provided you have enough private bandwidth between the two to
keep its IMAP store in synchronisation (regardless use a separate
network interface and separate physical network connectivity on each
server to support this rsync traffic). Make sure you have a second
identical backup device on the second server. If you really need to you
can have the second server automatically reconfigure itself when the
primary goes down (assuming it can prove categorically that the primary
is really down).
(You probably still want a full backup scheme unless your hot standby
server is in a different part of the country, or in a different country.)
Test your backups regularly (monthly or even weekly) by restoring them
to a test server (or the hot backup server).
You do not have to worry about incoming e-mail. It's stored on the
sender's server until your server is able to accept it. If you want
high-availability e-mail reception then make sure you have a full set of
replacement parts on-site along with 4-hour on-site maintenance
contracts for all your networking gear and your high-availability
server(s) and make sure you have a strong SLA on your network
connectivity. Advertise one MX with one A RR for the target host. Use
a one-week or longer TTL on these records -- your hot-standby will use
the same address if it ever takes over.
If that's still not enough reliability then CC all e-mail so that it's
appended to a regularly rotating mailbox that's automatically appended to
removable media every time it rotates. Take the media off-site for
archiving every time it fills up and start a new tape or whatever. Do
not try to share the backup device with the incoming archive device.
I.e. use two separate tape drives or whatever.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
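The "continually restarting rsync" to a hot standby described in the message above, as an added example that is not part of the original post or of Exim: a small POSIX sh script that mirrors the IMAP store and configuration files, leaves the MTA queue and the standby's own identity out of the copy, serialises itself with a lock, and restarts the pass whenever rsync exits. Every path (/var/mail, /home, /etc, the Exim spool at /var/spool/exim), the host name standby.example.net, the SSH key and the rsync options are assumptions for a hypothetical Exim + IMAP host and should be adjusted to the real layout.

```shell
#!/bin/sh
# Continually restarting rsync mirror of the IMAP store and system
# configuration to a hot standby, without the MTA queue, as described
# in the message above.  Added example, not from the original message:
# every path, host name and option below is an assumption for a
# hypothetical Exim + IMAP host; adjust them to the real layout.

SRC_DIRS="/var/mail /home /etc"          # assumed IMAP store and config
STANDBY="standby.example.net"            # assumed hot standby host
DEST="/srv/mirror"                       # assumed destination root
SSH_KEY="/root/.ssh/mirror_key"          # assumed key, restricted to rsync
RETRY_DELAY="${RETRY_DELAY:-30}"         # seconds between restarts
RSYNC="${RSYNC:-rsync}"

# Never mirrored: the Exim spool (a copied queue would be re-delivered
# by a mailer on the standby) and the standby's own identity, which
# only changes deliberately at failover.  Paths are assumptions.
EXCLUDES="/var/spool/exim /etc/hostname /etc/network"

# Is $1 equal to, or underneath, an excluded prefix?
excluded() {
    for e in $EXCLUDES; do
        case "$1" in
            "$e"|"$e"/*) return 0 ;;
        esac
    done
    return 1
}

# Print the argument vector for one rsync pass, one per line, so the
# command can be reviewed (or tested) without running it.  --delete
# makes this a mirror, not a backup: files removed on the primary vanish
# on the standby too, which is why the off-site disk sets still matter.
rsync_args() {
    printf '%s\n' -aHAX --delete --numeric-ids --partial \
        --bwlimit=20000 -e "ssh -i $SSH_KEY"
    for e in $EXCLUDES; do printf '%s\n' "--exclude=$e"; done
    for d in $SRC_DIRS;  do printf '%s\n' "$d";           done
    printf '%s\n' "root@${STANDBY}:${DEST}/"
}

# One rsync pass over the dedicated mirror link (hence --bwlimit).
one_pass() {
    set --
    for e in $EXCLUDES; do set -- "$@" "--exclude=$e"; done
    "$RSYNC" -aHAX --delete --numeric-ids --partial --bwlimit=20000 \
        -e "ssh -i $SSH_KEY" "$@" $SRC_DIRS "root@${STANDBY}:${DEST}/"
}

# "Continually restarting": rsync exits when a pass finishes or when the
# link drops; either way the next pass starts after RETRY_DELAY.  The
# lock directory stops two copies of the loop from racing each other.
mirror_loop() {
    lock="${LOCKDIR:-/var/run}/mirror-rsync.lock"
    if ! mkdir "$lock" 2>/dev/null; then
        echo "mirror loop already running (lock: $lock)" >&2
        return 1
    fi
    trap 'rmdir "$lock"' EXIT INT TERM
    while :; do
        start=$(date +%s)
        one_pass
        rc=$?
        if [ "$rc" -eq 0 ]; then
            logger -t mirror-rsync "pass completed in $(( $(date +%s) - start ))s"
        else
            logger -t mirror-rsync "rsync exited $rc; retrying in ${RETRY_DELAY}s"
        fi
        sleep "$RETRY_DELAY"
    done
}

case "${1:-}" in
    run)  mirror_loop ;;      # start the loop (e.g. from init or cron @reboot)
    show) rsync_args ;;       # print the command that would be run
esac
```

Run it as "mirror.sh show" first to review the exact rsync invocation, then "mirror.sh run" from init or a cron @reboot entry on the primary. The standby runs only sshd for this traffic and no mailer; at failover it is renamed and re-numbered by hand (or by a script that has first proven the primary is down), which is why /etc/hostname and /etc/network are excluded from the copy.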