
I need help with a mail server configuration. I would like to know if it's possible to have multiple MX records with different public IPs pointing to the same local server. This is because in my environment there are 2 gateways (multiple service providers), a WatchGuard T30 (local 10.0.0.254) that manages 12.12.12.5 and a WatchGuard T35 (local 10.0.0.253) that manages 12.12.12.6, for failover purposes. They share the same ISP router, which has 12.12.12.0/28.

watchguard t35 - loc 10.0.0.254 - pub 12.12.12.5

watchguard t30 - loc 10.0.0.253 - pub 12.12.12.6

zone mycompany.com:

mycompany.com. MX 5 mail.mycompany.com.
mycompany.com. MX 15 samemail.mycompany.com.
mycompany.com. TXT "v=spf1 a mx ip4:12.12.12.5 ip4:12.12.12.6 ~all"
mail.mycompany.com. A 12.12.12.5
samemail.mycompany.com. A 12.12.12.6

zone 12.12.12.in-addr.arpa:

5.12.12.12.in-addr.arpa. PTR mail.mycompany.com.
6.12.12.12.in-addr.arpa. PTR samemail.mycompany.com.

on firewall1: NAT 12.12.12.5 -> 10.0.0.1, common mail ports

on firewall2: NAT 12.12.12.6 -> 10.0.0.1, common mail ports

MAILSERVER nic config

ip: 10.0.0.1
subnet mask: 255.0.0.0
gw 10.0.0.254 metric 2
gw 10.0.0.253 metric 50 

In this way, when the first gateway goes down, all requests start coming in (and going out) through 10.0.0.253 (12.12.12.6) on the common ports (25, 443, ...) instead of through the gateway with metric 2.

Or maybe I could assign another NIC to the mail server, change all the rules on the firewalls, and then work with interface metrics, as in this example:

MAILSERVER NIC1

10.0.0.1 
255.0.0.0
10.0.0.254
nic metric 2

NIC2

10.0.0.2
255.0.0.0
10.0.0.253 
nic metric 50  

I would like to know if there are any contraindications to using this method, or if there are alternatives. Other info: the mail server is MDaemon. Every bit of help is appreciated!

Edit: If I use the configuration with two gateways and different metrics, my server will always use the one with the lowest metric, 10.0.0.254 (12.12.12.5), as long as it finds it online. Unless I set some particular route, the server will not be able to use the secondary 10.0.0.253 (12.12.12.6); not even port 25 and the other common ports will listen there. I did a test: I launched a continuous query on port 25 against 12.12.12.5 and 12.12.12.6, and during this test I turned off the firewall 10.0.0.254 (12.12.12.5). The server therefore stopped listening on it and began to listen through the secondary firewall by metric. Are there scenarios where my server could start communication not using 10.0.0.254 while it is online? (screenshot: test fw1 down)

bind2lrz
  • Could you clarify what it is that you are actually trying to solve? You are asking about what appears to be a somewhat convoluted solution to something, but that something itself is not entirely clear. – Håkan Lindqvist Dec 15 '18 at 16:25
  • I'm sorry, I'll try to explain myself better. My question is about the configuration of a single mail server with two different gateways with different public IP addresses. I would like to know if the configuration, related to the DNS records that I wrote, can work, and whether it has any contraindications or not. The goal I want to achieve is that in the event of a firewall breaking, I can have continuity of the service. I edited the post to make it more readable. – bind2lrz Dec 15 '18 at 16:58

1 Answer


Hi, this configuration will not do what you suppose it would do :-(. Mainly, the DNS records would be for the domain (most probably you have this correct, but for the readers to have it visible correctly)...

zone mycompany.com:

mycompany.com. MX 5 mail.mycompany.com.
mycompany.com. MX 15 samemail.mycompany.com.
mycompany.com. TXT "v=spf1 a mx ip4:12.12.12.5 ip4:12.12.12.6 ~all"
mail.mycompany.com. A 12.12.12.5
samemail.mycompany.com. A 12.12.12.6

zone 12.12.12.in-addr.arpa:

5.12.12.12.in-addr.arpa. PTR mail.mycompany.com.
6.12.12.12.in-addr.arpa. PTR samemail.mycompany.com.

From the DNS point of view it is correct, but the issue may be the routing on the server side. Based on the network settings you have posted, it does not behave internally as two independent network connections on the server side; all the time it prefers to use 10.0.0.254 / 12.12.12.5, even in case the communication has been started using 10.0.0.253 / 12.12.12.6 (for any reason). In some cases it may work, but in other cases it will not work (like in case the other side has utilized e.g. a Cisco ASA: at that moment it will not be recognized as related communication and it will be terminated).

To have it working it would be better to utilize some HA options on the gateway side, e.g. virtual IP, stand-by gateway, ... and on the DNS side to use one MX record. As it is "ending" on the same ISP router, it would not be an issue. The mail server would at that moment also have just one interface.

In case you insist on two interfaces on the mail server it may be possible, but you need to make sure that the response will follow the same gateway which was used to establish the connection. The easiest way would be SNAT on the gateway / firewall, but in the case of a mail server it is not a good idea as you are losing track of the source IP (e.g. spam check based on source IP), so some other (more complicated) approach would have to be selected.

Kamil J
  • Hi Kamil, and thanks for your contribution. I would also like to work on a virtual IP or backup firewall; unfortunately I find myself able to manage only the main firewall 10.0.0.254, because the secondary firewall is currently from another supplier, and so I can only ask them to implement the rules on my behalf; unfortunately they cannot be clustered. I can exclude the hypothesis of using two physical interfaces on the server because of the issues you pointed out to me now. – bind2lrz Dec 16 '18 at 00:33
  • I edited the primary post with some info and a screenshot of a real test. – bind2lrz Dec 16 '18 at 00:38
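The answer's point about replies having to leave through the gateway the connection arrived on can be checked with a small model of source-based policy routing. This is an added example, not code from the question or the answer; it models Linux-style `ip rule` / per-table lookups (MDaemon runs on Windows, whose equivalent is not covered here) and uses the question's addresses, with 10.0.0.2 assumed as the second NIC.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of the poster's topology (addresses taken from the question).
FW1_LOCAL, FW2_LOCAL = "10.0.0.254", "10.0.0.253"   # 12.12.12.5 / 12.12.12.6 outside
LAN = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str            # "direct" marks an on-link (connected) route
    metric: int = 0

@dataclass
class Rule:                 # models "ip rule add from <net> lookup <table>"
    from_net: ipaddress.IPv4Network
    table: str

def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest prefix wins; among equal prefixes the lowest metric wins (FIB style)."""
    dst_ip = ipaddress.ip_address(dst)
    hits = [r for r in table if dst_ip in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)).gateway

def egress_gateway(src: str, dst: str, rules: List[Rule],
                   tables: Dict[str, List[Route]]) -> Optional[str]:
    """Policy routing: the first rule matching the source address picks the table;
    with no matching rule (or no route in that table) the main table decides."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if src_ip in rule.from_net:
            gw = lookup(tables[rule.table], dst)
            if gw is not None:
                return gw
    return lookup(tables["main"], dst)

# Main table exactly as the question describes: two default routes, metric 2 and 50.
TABLES = {
    "main":    [Route(LAN, "direct"), Route(ANY, FW1_LOCAL, 2), Route(ANY, FW2_LOCAL, 50)],
    "via_fw1": [Route(LAN, "direct"), Route(ANY, FW1_LOCAL)],
    "via_fw2": [Route(LAN, "direct"), Route(ANY, FW2_LOCAL)],
}
# Source-based rules for the two-NIC variant: 10.0.0.1 is NATed by fw1, 10.0.0.2 by fw2.
RULES = [Rule(ipaddress.ip_network("10.0.0.1/32"), "via_fw1"),
         Rule(ipaddress.ip_network("10.0.0.2/32"), "via_fw2")]

def reply_is_symmetric(ingress_gw: str, reply_src: str, peer: str, rules: List[Rule]) -> bool:
    """True when the SMTP reply leaves through the same gateway the SYN arrived on."""
    return egress_gateway(reply_src, peer, rules, TABLES) == ingress_gw
```

With only the metric-based main table, a session that fw2 forwarded to the server is answered through fw1, which is the asymmetric path a stateful peer will drop; the source rules fix that for the two-NIC layout, but not for the single-NIC layout where both firewalls NAT to 10.0.0.1.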