<cut>
> Yes but....
>
> As soon as your secondary appears in the DNS, the spammers will
> rush to it. They prefer 2MX's since they often aren't as picky
> about usernames actually matching real users, and about running
> any real antispam checks. After all, it's "too hard" to keep
> the configurations in-sync, right?
>
> Wrong.
>
> The only way to survive, say I, is to ensure that your primary
> and secondary(s) are working from the same information.
> (Actually, my 2MX is *more* nasty than my primary; the delays
> are bigger when someone annoys me). So my user and domain
> config lives in a database on a separate machine, and both
> my MX's access it. For extra resilience I'd replicate that
> database server, and split machines geographically - but I'm
> not that well organised yet.
>
> Cheers,
> Jeremy
>
>
I personally was thinking about this:
The systems automatically sync DNS data every 15 minutes or so, so why not
use that domain list?
Then accept all mail to *@<those domains>.ext, but deny all other relaying,
and run a spamcheck & virusscan with Exiscan & SpamAssassin. If a user's
account doesn't exist on the target server, the mail will be bounced back a
few hours/days (or whatever the downtime of the primary is) later, as catch
all is turned off by standard.
Running it from a database would be a bit difficult if I don't want to break
support for the control panel I use (Direct Admin).
Currently the test server is shut down, but this part of the configuration I
got finished today. Wasn't really that hard to let the BIND transferred
domains list work with Exim.
Although I don't know if just allowing relay for those domains would be a
good solution...
With regards,
Sebastian Berm
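
The following is an added example, not part of the original thread and not Sebastian's actual configuration: one way to turn the zones BIND has transferred to the secondary into a relay domain list for the MTA. The named.conf sample, the zone names and the output path are constructed, and it assumes Exim reads the resulting file through a file-based domain list lookup.

```python
import os
import re
import tempfile

# Constructed sample of a secondary's named.conf; all zone names are placeholders.
SAMPLE_NAMED_CONF = '''
options { directory "/var/named"; };
// customer zones transferred from the primary
zone "example.com" IN { type slave; masters { 192.0.2.1; }; file "slaves/example.com.db"; };
zone "Example.ORG" {
    type secondary;
    primaries { 192.0.2.1; };
};
# zone "disabled.example" { type slave; masters { 192.0.2.1; }; };
/* zone "old.example" { type slave; }; */
zone "2.0.192.in-addr.arpa" { type slave; masters { 192.0.2.1; }; };
zone "localhost" { type master; file "localhost.db"; };
zone "." { type hint; file "named.ca"; };
'''

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s*(?:\w+\s*)?\{', re.I)
# Only plain multi-label names may reach the relay list: no wildcards, no reverse zones.
NAME_RE = re.compile(r'[a-z0-9-]+(\.[a-z0-9-]+)+')

def secondary_zones(conf):
    """Return sorted, lower-cased names of slave/secondary zones usable as mail domains."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)  # strip /* ... */ comments
    conf = re.sub(r'(//|#).*', '', conf)               # strip // and # comments
    zones = set()
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:                 # find the zone block's closing brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        name = m.group(1).rstrip('.').lower()
        is_secondary = re.search(r'\btype\s+(slave|secondary)\s*;', conf[m.end():i])
        if is_secondary and NAME_RE.fullmatch(name) and not name.endswith('.arpa'):
            zones.add(name)
    return sorted(zones)

def write_domainlist(path, zones):
    """Write one domain per line, renaming into place so the MTA never reads a partial list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or '.')
    with os.fdopen(fd, 'w') as fh:
        fh.write(''.join(z + '\n' for z in zones))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

if __name__ == '__main__':
    print('\n'.join(secondary_zones(SAMPLE_NAMED_CONF)))
```

A list built this way only answers which domains to relay for; it carries no information about which local parts exist, so the late bounces described in the post above still occur for unknown users.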