SUMMARY
-------
I want to thank everyone for their responses. While everyone's
situation will be different, I think this sums up the answer to my own
question:
Yes. A secondary MX is worth the added maintenance and configuration
headache if the costs of doing so make sense. Obviously various risk
management and business requirements are factored into that equation
which only you [or your business] can answer. All things being equal,
however, the ability to take control away from the sending mail server
and place it in your hands is worth the effort.
Now there were implementation questions/opinions posed by several
responders which I feel should be commented on. I'll assume that
everyone knows not to set up a "dumb" secondary MX which doesn't do any
validation and encourages backscatter/UCE of its own.
So, either a "smart" secondary or a deferring 4xx secondary?
Sticking to the nature of this post, a defer-only 4xx secondary is
just about useless. Sure, you can use it in a SPAM honeypot fashion
to help reduce load on your primary, but I see *ZERO* value when the
primary is down. An intelligent secondary is the only way to go if
you determine a secondary MX is required.
In my situation, I have a pre-configured "Disaster Recovery" server
which already has a real-time, fully replicated [via VPN] copy of my
production MySQL server - so I already have all the domain/user data I
need to do email validation. It's practically sitting idle and would
make a wonderful secondary MX. Since Exim is already configured on
that box to take over primary MTA responsibilities, I'll be using
Postfix instead of going through the hassle of running multiple Exim
instances, but all MX functionality will be identical.
Thanks again to everyone!!
-Ken
> In a world where most MTAs will retry a message up to 5-7 days, is a
> secondary MX worth the added maintenance and configuration headache?
>
> I have a primary datacenter in Atlanta where I have a small load
> balanced cluster of MTAs. I also have a disaster recovery site
> located in Dallas which can be used should Georgia fall into the
> Atlantic. Theoretically, a cheap secondary MX located in - say
> Seattle - would ensure that any email sent during major outages which
> are less than catastrophic (5 minutes - 5 days) would be spooled and
> delivered once the primary comes back up. I say "less than
> catastrophic" meaning that my data center and core infrastructure
> still exist, but maybe all my hard drives in all my mail servers
> decide to spontaneously fail.
>
> I understand that all anti-spam measures (spamassassin, greylisting,
> etc) would have to be duplicated on the secondary MX to keep it from
> becoming a SPAM relay for my domains.
>
> I find myself completely torn. Can anyone give me their reasons for
> using a secondary ... or not using?
>
> Oh, btw. This is a small hosting provider setup with ~2000 domains
> and ~100,000 msgs/day.
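A concrete picture of the "smart" secondary described in the summary above, added here as an example and not the poster's own configuration: a Postfix secondary MX that accepts mail only for domains and mailboxes found in the replicated database, rejects unknown recipients with a 550 at RCPT TO time (so it never queues and later bounces them, which is where a "dumb" secondary's backscatter comes from), and queues everything it accepts for the primary. The three sections are three separate files; the hostnames mx1/mx2.example.net, the database name, the domain/mailbox table and column names, and the credentials are all placeholders.

```ini
# /etc/postfix/main.cf  (added example; names below are placeholders)
myhostname = mx2.example.net
mynetworks = 127.0.0.0/8

# Accept mail only for domains present in the replicated database.
relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf

# Accept RCPT TO only for mailboxes present in the replicated database.
# Unknown users are refused during the SMTP dialogue with a 550, so the
# secondary never accepts-then-bounces (no backscatter of its own).
relay_recipient_maps = mysql:/etc/postfix/mysql-relay-recipients.cf
smtpd_reject_unlisted_recipient = yes
unknown_relay_recipient_reject_code = 550

# Never act as an open relay: the outside world may only send to
# $relay_domains; anything else is rejected.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Everything accepted is queued for the primary and retried until it
# is reachable again (5 days is the Postfix default lifetime).
relay_transport = relay:[mx1.example.net]
maximal_queue_lifetime = 5d

# /etc/postfix/mysql-relay-domains.cf  (read-only DB account assumed)
hosts = 127.0.0.1
user = postfix_ro
password = PLACEHOLDER
dbname = mail
query = SELECT domain FROM domain WHERE domain = '%s' AND active = 1

# /etc/postfix/mysql-relay-recipients.cf
hosts = 127.0.0.1
user = postfix_ro
password = PLACEHOLDER
dbname = mail
query = SELECT email FROM mailbox WHERE email = '%s' AND active = 1
```

Because the lookups hit the local replicated copy of the database, recipient validation keeps working while the primary site is down, which is the whole point of preferring this over a defer-only 4xx host. Two things still need attention: the primary's greylisting and network restrictions should treat mx2 as a trusted source so the backlog drains cleanly, and, as the original question notes, the content filtering (spamassassin and friends) has to be duplicated on the secondary or spam accepted there will reach the primary unfiltered.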