{"id":1779,"date":"2013-02-28T08:22:34","date_gmt":"2013-02-28T08:22:34","guid":{"rendered":"https:\/\/lineo.es\/backup-mx-mailman-exim\/"},"modified":"2026-04-01T07:16:23","modified_gmt":"2026-04-01T07:16:23","slug":"backup-mx","status":"publish","type":"post","link":"https:\/\/lineo.es\/en\/backup-mx\/","title":{"rendered":"Backup MX for Mailman, with Exim"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Backup MX for Mailman, with Exim<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This week a hard disk from one of my servers broke. It has been replaced with just 3 minutes of downtime (kudos to\u00a0OVH<\/a>), and right now the RAID array is being rebuilt.<\/p>

Since this is the first time this happens to me, and the server is running a production mailman service, I decided to take my time and set-up a\u00a0backup MX<\/a>\u00a0server. This is how I did it.<\/p>

Remember that I am using a Gentoo distribution, this may be slightly different in other distro.<\/span><\/p>

rsync<\/h4>

The main problem setting up a backup MX is dealing with Spam. If the backup server accepts a spam message while the main server is down, and then forwards the email to the main server when it is up again, but the main server rejects it because the recipient address does not exist, then what to do? If the backup server bounces to the sending address, and this has been forged, then we are\u00a0backscattering<\/a>\u00a0(forwarding spam), and our server will soon be blacklisted.<\/p>

The point is the backup server should refuse incoming email if the main server would. This means checking the recipient address. What I did is to set-up a cron script to rsync the lists from the main server to the backup server every\u00a0n<\/i>\u00a0minutes.<\/p>

In the main server I open rsync access for the backup server:<\/p>

\/etc\/rsyncd.conf\n[mailman]\ncomment = Mailman sync\npath = \/var\/lib\/mailman\nlist = no\nuid = mailman\ngid = mailman\nhosts allow = IP-ADDRESS-OF-THE-BACKUP-SERVER\nhosts deny = *<\/pre>
This is the script in the backup server:<\/p>
\/etc\/bin\/mm-sync.sh\n#!\/bin\/sh\n\nSTART=`date`\n\n# data\nrsync -avz --delete MAIN-SERVER::mailman\/data \/var\/lib\/mailman\/ > \/tmp\/mm-sync.log\necho >> \/tmp\/mm-sync.log\n\n# lists\nrsync -avz --delete MAIN-SERVER::mailman\/lists \/var\/lib\/mailman\/ >> \/tmp\/mm-sync.log\necho >> \/tmp\/mm-sync.log\n\n# archives\nrsync -avz --delete MAIN-SERVER::mailman\/archives \/var\/lib\/mailman\/ >> \/tmp\/mm-sync.log\necho >> \/tmp\/mm-sync.log\n\nEND=`date`\n\necho $START >> \/tmp\/mm-sync.log\necho $END >> \/tmp\/mm-sync.log\nmail -s 'Mailman sync' root < \/tmp\/mm-sync.log<\/pre>
Note that I am syncing three folders:\u00a0data<\/i>,\u00a0lists<\/i>\u00a0and\u00a0archives<\/i>. Actually you only need to sync the\u00a0lists<\/i>\u00a0folder to set-up a backup mx. I sync everything so the backup server can replace the main server completely, if things go really bad.<\/p>
And this is the cron file:<\/p>
\/etc\/cron.d\/mm-sync\n*\/10 * * * * mailman \/etc\/bin\/mm-sync.sh<\/pre>
Exim<\/h4>
The exim configuration looks a lot like the configuration of the main server (for instance, I set-up the same blacklist checking rules). See my original post on\u00a0setting up a Mailman service with exim<\/a>.<\/p>
First I define the same variables and options as in the main server. Not of them are really needed, but I prefer to keep the configuration in both servers as close possible.<\/p>
\/etc\/exim\/exim.conf\n# Mailman\nMM_HOME=\/usr\/lib\/mailman\nMM_DATA=\/var\/lib\/mailman\nMM_UID=mailman\nMM_GID=mailman\ndomainlist mm_domains=example.com : example2.com\nMM_WRAP=MM_HOME\/mail\/mailman\nMM_LISTCHK=MM_DATA\/lists\/${lc::$local_part}\/config.pck\n\nsmtp_accept_queue_per_connection = 30<\/pre>
Now, these mailman domains (mm_domains<\/i>) are not defined as local domains, like in the main server, but as domains we relay to:<\/p>
domainlist local_domains = @\ndomainlist relay_to_domains = +mm_domains<\/b>\nhostlist   relay_from_hosts = 127.0.0.1 : ::::1<\/pre>
Now comes the router:<\/p>
# Mailman\nmailman_router:\n  driver            = dnslookup<\/b>\n  domains           = +mm_domains\n  require_files     = MM_LISTCHK\n  local_part_suffix_optional\n  local_part_suffix = -admin     : \\\n         -bounces   : -bounces+* : \\\n         -confirm   : -confirm+* : \\\n         -join      : -leave     : \\\n         -owner     : -request   : \\\n         -subscribe : -unsubscribe\n  transport         = remote_smtp<\/b>\nno_more<\/b><\/pre>
This is very much like the router used in the main server. The differences are: use the\u00a0dnslookup\u00a0<\/i>driver instead of\u00a0accept<\/i>\u00a0; use the\u00a0remote_smtp<\/i>\u00a0transport ; and add the\u00a0no_more<\/i>\u00a0option. In other words, configure the router for remote delivery instead of local delivery.<\/p>
Last, we need to modify the\u00a0dnslookup<\/i>\u00a0router to not consider the mailman domains, since we have already handled them in the mailman router:<\/p>
 dnslookup:\n   driver = dnslookup\n   domains = ! +local_domains : ! +mm_domains<\/b>\n   transport = remote_smtp\n   ignore_target_hosts = 0.0.0.0 : 127.0.0.0\/8\n   no_more<\/pre>
You should test the router for both valid and invalid recipient addresses:<\/p>
# exim -bt foobar@example.com\n  router = mailman_router, transport = remote_smtp\n  host example.com [AAA.BBB.CCC.DDD] MX=10\n# exim -bt foobarrr@example.com\nfoobarrr@example.com is undeliverable: Unknown user<\/pre>
The DNS<\/h4>
Now remember to add your backup MX server to the DNS configuration. This is what it looks like mine:<\/p>
$ host example.com\nexample.com has address AAA.BBB.CCC.DDD\nexample.com mail is handled by 10 smtp.example.com.\nexample.com mail is handled by 20 mx.example.com.<\/pre>
Note that the lowest the number, the highest the priority. This is a little confusing at first.<\/p>
Testing<\/h4>
Now, how do you test this? There is a wonderful utility for testing email servers,\u00a0swaks<\/a>. I did the tests from my workstation:<\/p>
localhost ~ $ sudo emerge swaks<\/pre>
While doing the tests, open a console on every server and watch the exim log (tail -f \/var\/log\/exim\/exim_main.log<\/tt>). First test is to check the backup server forwards emails to the main server:<\/p>
localhost ~ $ swaks --to foobar@example.com --from toto@gmail.com --server mx.example.com<\/pre>
Second test. Simulate a downtime of the main server. To do this I use iptables in the main server to block connections from the backup server to the SMTP port:<\/p>
smtp.example.com ~ # iptables -A INPUT -s BACKUP-SERVER-IP -p tcp --destination-port 25 -j DROP\nlocalhost ~ $ swaks --to foobar@example.com --from toto@gmail.com --server mx.example.com<\/pre>
Wait a few minutes, and then open access again:<\/p>
smtp.example.com ~ # iptables -D INPUT -s BACKUP-SERVER-IP -p tcp --destination-port 25 -j DROP<\/pre>
That\u2019s all folks! Something wasn\u2019t clear? Please drop a comment.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"
This week a hard disk from one of my servers broke. It has been replaced with just 3 minutes of downtime (kudos to\u00a0OVH), and right now the RAID array is being rebuilt. Since this is the first time this happens to me, and the server is running a production mailman service, I decided to take […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_header_footer","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1779","post","type-post","status-publish","format-standard","hentry","category-sin-categoria"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/posts\/1779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/comments?post=1779"}],"version-history":[{"count":6,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/posts\/1779\/revisions"}],"predecessor-version":[{"id":2140,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/posts\/1779\/revisions\/2140"}],"wp:attachment":[{"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/media?parent=1779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/categories?post=1779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lineo.es\/en\/wp-json\/wp\/v2\/tags?post=1779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}