by mjl- 473 days ago
Seems reasonable. I have been thinking about schemes for backup mx'es. When the primary is online, the backup would just forward the smtp connections to the primary directly. The backup mx only has to do their own work when the primary is down. I was/am concerned about the backup mx accepting spam that you don't really want to bounce later on. But that should be an exception.

I am also thinking about synchronizing all the data to another machine. It would allow a manual failover procedure. And it's nice to have another machine (IP) for outgoing email in case the primary IP gets on a block list. But this is all future work.

1 comments

the backup mx shouldn't have any special delivery privileges. when the primary mx comes back online, the backup should deliver to that rather than trying to deliver anything itself. this allows those spam checks which will still work to benefit from the normal delivery path.

you can have several hosts with the same MX priority, and only spin up actual service when necessary. given modern health check tools and raft-consensus filesystems, it's very possible to build a robust mail network on the cheap.

> this allows those spam checks which will still work to benefit from the normal delivery path.

It's not exactly the same. When a backup MX has accepted the message, it takes responsibility for the message, and will have to send a DSN when it is rejected for being spam. Mox never "delivers" messages to a spam mailbox (it's that behaviour from the bigmail providers that I don't like and that undermines trust in email!). Mox either accepts a message, or rejects it at the SMTP level. When the backup sends to the primary, and the primary wants to reject, the backup would have to send a DSN to the potential spammer. Not great, and not something we have to do now.

But still, if it's only needed for emergencies, when the primary is down, it probably isn't too problematic. And the backup mx (with primary offline) can always be more strict, requiring dmarc-like alignment before accepting (to prevent backscatter if the primary rejects later on).
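The policy the two comments converge on, written out as an added Python example (not mox's code): the backup MX takes no responsibility for a message while the primary answers, and once the primary is down it accepts only mail whose SPF or DKIM result aligns with the From: domain, rejecting everything else in-session so it never owes a DSN to a possibly forged sender. The `aligned` suffix match is a stated simplification of DMARC relaxed alignment, and health-check and authentication results are passed in as plain values so it runs offline.

```python
# Added example (not mox code): backup-MX acceptance policy from the thread.
# While the primary answers, the backup never takes responsibility for a
# message; when the primary is down it accepts only aligned SPF/DKIM mail and
# rejects the rest at SMTP time, so no DSN (backscatter) is ever owed.
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    PROXY = "hand the session to the primary; backup owes nothing"
    ACCEPT = "accept and queue; backup now owes a DSN if delivery fails"
    REJECT = "reject at SMTP time; nothing accepted, no DSN ever owed"

@dataclass(frozen=True)
class Envelope:
    mail_from_domain: str         # RFC 5321 MAIL FROM domain
    header_from_domain: str       # RFC 5322 From: domain
    spf_pass: bool                # SPF result for mail_from_domain
    dkim_domains: tuple = ()      # d= of every DKIM signature that verified

def aligned(candidate: str, header_from: str) -> bool:
    """Relaxed DMARC-style alignment, simplified (assumption) to a suffix
    match; real relaxed alignment compares organizational domains."""
    c, h = candidate.lower(), header_from.lower()
    return c == h or h.endswith("." + c) or c.endswith("." + h)

def dmarc_like_alignment(env: Envelope) -> bool:
    """True if SPF passed with an aligned MAIL FROM, or an aligned DKIM passed."""
    if env.spf_pass and aligned(env.mail_from_domain, env.header_from_domain):
        return True
    return any(aligned(d, env.header_from_domain) for d in env.dkim_domains)

def backup_mx_decision(primary_up: bool, env: Envelope):
    """Return (Action, SMTP-style reason) for one inbound message."""
    if primary_up:
        return Action.PROXY, "primary reachable; let its own checks reject in-session"
    if not dmarc_like_alignment(env):
        return Action.REJECT, "550 5.7.1 backup MX requires aligned SPF or DKIM while primary is down"
    return Action.ACCEPT, "250 2.0.0 queued for later handoff to the primary"

if __name__ == "__main__":
    # Constructed sample: forged From:, SPF passing only for an unrelated domain.
    forged = Envelope("bulk.example.net", "example.org", spf_pass=True)
    print(backup_mx_decision(False, forged)[0].name)  # REJECT
```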