Re: [exim] Proxy smtp connections to multiple Exim servers b…

Author: Andrew C Aitchison
Date:  
To: Sebastian Arcus
CC: exim-users
Subject: Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote:

>
> On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote:
>> On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users
>> wrote:
>>> These are all separate servers belonging to different organisations. They
>>> each host their own mail domain and users. This can't be changed. I am not
>>> looking to do load balancing. I am looking to share the public IP address
>>> and PTR record these servers use for incoming and outgoing smtp
>>> connections.
>>
>> This formulation is significantly different from the original one, which
>> was about SNI and all that. This task has no relation to SNI, TLS, etc.
>> With wrong questions you have minimal chances to get relevant answers.
>
> You are correct - thinking some more about it, all outside connections would
> be connecting to the same FQDN. SNI would play no part in it. Sorry for the
> confusion. It seems that using Exim as a front end relaying to back-end
> servers seems to be the right solution.


I see this front-end machine as a backup MX server. That way the real
machines will get the mail most of the time, but if/when the real machine
has a new IP address that doesn't match the MX, the front-end machine will
receive the mail and pass it on to the corrected IP.

>> BTW, using single public IP/gateway you create a single point of failure
>> for all domains/organizations.
>
> That is also very true, and I have considered it. On balancing the advantages
> and disadvantages of the setup, it will be a risk I will have to accept. Or
> possibly end up with two of these cloud / front-end servers set up as the 2
> MXs for all domains.


If the real server and the front-end machine are both in the MX records,
provided that you still control the IP addresses, losing either machine
won't stop the mail from getting through.

I don't know what sort of latency there will be between these machines,
but you might be able to use cutthrough delivery from the front-end to the
real server, which might allow you to reject rather than bounce some of
the time; it might even help with your SPF dilemma ?


-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
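One way to build the front-end relay with the cutthrough delivery Andrew suggests, as an added Exim configuration sketch that is not from this thread or from the Exim project; the domain list, back-end host names, ACL name and callout timeout are assumptions:

```exim
# Added example, not from the thread: an Exim front-end that relays mail for
# several organisations to their own back-end servers and uses cutthrough
# delivery so a back-end's SMTP-time rejection is returned to the sender
# instead of being accepted here and bounced later.
# All domain and host names below are constructed placeholders.

domainlist backend_domains = example.org : example.net

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Refuse to relay anything that is not one of the hosted domains, so the
  # shared public IP does not turn into an open relay.
  deny    message  = relay not permitted
          !domains = +backend_domains

  # Ask the back-end whether it accepts this recipient, then keep that
  # connection open and stream the message down it. Where cutthrough cannot
  # be used (for example, more than one recipient after routing), Exim
  # falls back to spooling and delivering the message in the usual way.
  accept  domains = +backend_domains
          verify  = recipient/callout=30s,use_sender
          control = cutthrough_delivery

begin routers

# Static per-domain routing to the back-end server of each organisation.
backend_relay:
  driver     = manualroute
  domains    = +backend_domains
  route_list = example.org  mx.backend-a.internal ; \
               example.net  mx.backend-b.internal
  transport  = remote_smtp

begin transports

remote_smtp:
  driver = smtp
```

Because every back-end then sends outbound mail through the same front-end IP, the SPF records of all hosted domains need to include that IP, which is the point on which Andrew's closing remark turns.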