MX records multiple

killmasta93

Renowned Member
Aug 13, 2017
Hi,
I was wondering if someone could shed some light on MX records.
Currently I have the Post email server with DKIM, DMARC and SPF working great, and Proxmox as the gateway which sends the email outbound. Recently we got another internet ISP, to have 2 ISPs in case one fails. So the idea is to have another MX record on the ISP; my question is how would that work? Let's say internet 1 fails, so I get the email server to send email out with internet 2, but would the PTR be mail.mydomain.com or would it be mail2.mydomain.com? And how would DKIM and DMARC with SPF be affected?
Thank you
 
I see the following issues/options:
for the outbound mails:
* you definitely need to include the public IP from your second ISP in your SPF record
* the DKIM setup does not rely on IP addresses, only on the configured domain/selector/key, so that won't change if the e-mails go out on another IP
* you should make sure that the HELO name PMG uses outbound matches the forward and reverse lookups of the IP it communicates from (some setups take those 3 into account and need them to be in sync, and reject otherwise)

for the inbound direction:
* if you add a second MX record it needs to be with another FQDN
* depending on the two links it could make sense to use different priorities (i.e. your fallback provider being your backup MX), but then certain spammers will only use that IP, expecting lower security measures

I hope this helps!
 
Thank you for the reply,

So the inbound direction:
* so in my domain records I would create another MX record, call it mail2.mydomain.com, point it to the 2nd WAN IP and give it priority 2
currently this is how I have my MX
MX-----@----- mail.mydomain.com (Priority: 1)
* so meaning if someone tries to send an email and our MX record which points to WAN 1 does not respond, it automatically tries to find the 2nd MX record which points to my WAN 2 IP?

for the outbound mails:
* so currently I have this
TXT------@-----v=spf1 mx a ip4:190.24.xx.xx
would it be something like this
TXT------@-----v=spf1 mx a ip4:190.24.xx.xx ip4:182.32.xx.xx
* wonderful about the DKIM, as the PMG gateway sends all the outbound emails
* so if my WAN 1 goes out I would have to quickly change the HELO name on the PMG gateway to mail2.mydomain.com and also change the NAT on the firewall, which is no problem

Thank you again
 
* so meaning if someone tries to send an email and our MX record which points to WAN 1 does not respond, it automatically tries to find the 2nd MX record which points to my WAN 2 IP?
That would be the idea of lower-priority MX records; keep in mind that certain senders (AFAIR mostly spammers) try to send the e-mail via a lower-prio MX first (so as to get past the lower security settings there)

the SPF part looks about right (keep an eye on your logs!)

* so if my WAN 1 goes out I would have to quickly change the HELO name on the PMG gateway to mail2.mydomain.com and also change the NAT on the firewall, which is no problem
I probably would not really change the HELO name (as said, there are a few systems which consider this as not-acceptable behavior, but if forward+reverse DNS agree most systems should happily accept the mails in my experience)

As for the NAT part: you should make sure that both public IPs point to your PMG at all times (and that the firewall sends the replies from PMG on the same way they came in)!
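The two outbound checks raised in the replies above (does the SPF record cover the second WAN address, and does the HELO name agree with forward and reverse DNS) can be tried out offline. The script below is an added example written for this page; it is not code from the thread, from PMG or from Proxmox. It evaluates the ip4, a, mx and all mechanisms of an SPF record and performs the forward-confirmed reverse DNS test strict receivers apply, using two constructed in-memory zones instead of real DNS: one with a separate name and PTR per WAN address (mail / mail2), one with a single name carrying both addresses and the same PTR on both. The addresses 190.24.0.10 and 182.32.0.20 and the hostnames are placeholders for the redacted values in the thread.

```python
"""Added example (not from the thread or from PMG): SPF evaluation and
HELO / forward / reverse DNS agreement against constructed zone data."""
import ipaddress

# Constructed zone, layout A: a distinct name and PTR for each WAN address.
ZONE_TWO_NAMES = {
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mydomain.com", "A"): ["190.24.0.10"],
    ("mail.mydomain.com", "A"): ["190.24.0.10"],
    ("mail2.mydomain.com", "A"): ["182.32.0.20"],
    ("190.24.0.10", "PTR"): ["mail.mydomain.com"],
    ("182.32.0.20", "PTR"): ["mail2.mydomain.com"],
}

# Constructed zone, layout B: one name with both addresses, same PTR on both.
ZONE_ONE_NAME = {
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mydomain.com", "A"): ["190.24.0.10", "182.32.0.20"],
    ("mail.mydomain.com", "A"): ["190.24.0.10", "182.32.0.20"],
    ("190.24.0.10", "PTR"): ["mail.mydomain.com"],
    ("182.32.0.20", "PTR"): ["mail.mydomain.com"],
}


def lookup(zone, name, rtype):
    """Stand-in resolver; PTR records are keyed by the dotted IP string."""
    return zone.get((name, rtype), [])


def spf_result(record, domain, sender_ip, zone):
    """Evaluate the RFC 7208 mechanisms ip4, a, mx and all against sender_ip.
    Returns the qualifier of the first matching mechanism ('+' pass, '-' fail,
    '~' softfail, '?' neutral) or None when nothing matched. include, exists
    and redirect are out of scope for this example."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return qual
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return qual
        if mech in ("a", "mx"):
            target = arg or domain
            hosts = lookup(zone, target, "MX") if mech == "mx" else [target]
            if any(sender_ip in lookup(zone, h, "A") for h in hosts):
                return qual
    return None


def helo_consistent(helo, sender_ip, zone):
    """Forward-confirmed reverse DNS as strict receivers apply it: the HELO
    name must resolve to the connecting IP, the IP's PTR must name the HELO
    host, and every PTR name must resolve back to the IP."""
    ptr_names = lookup(zone, sender_ip, "PTR")
    return (sender_ip in lookup(zone, helo, "A")
            and helo in ptr_names
            and all(sender_ip in lookup(zone, n, "A") for n in ptr_names))


OLD_SPF = "v=spf1 mx a ip4:190.24.0.10 -all"
NEW_SPF = "v=spf1 mx a ip4:190.24.0.10 ip4:182.32.0.20 -all"

if __name__ == "__main__":
    for ip in ("190.24.0.10", "182.32.0.20"):
        print(ip, "old SPF:", spf_result(OLD_SPF, "mydomain.com", ip, ZONE_TWO_NAMES),
              "new SPF:", spf_result(NEW_SPF, "mydomain.com", ip, ZONE_TWO_NAMES))
    for helo in ("mail.mydomain.com", "mail2.mydomain.com"):
        print(helo, "via WAN2, two names:", helo_consistent(helo, "182.32.0.20", ZONE_TWO_NAMES),
              "one name:", helo_consistent(helo, "182.32.0.20", ZONE_ONE_NAME))
```

With layout A, mail sent out over WAN2 with the unchanged HELO mail.mydomain.com fails the consistency test, which is the case the reply warns about; with layout B the same HELO passes on either address, and `v=spf1 mx` alone already covers both addresses because the MX host resolves to both. The `-all` at the end is an assumption of the example; the record quoted in the thread ends without an `all` term, which leaves unlisted senders as "none" rather than "fail".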
 
Hi to all,

Nice problem ... I would solve it like this:

- 2 different ISPs, each of them connected to one system = PR (at least) with policy routing (if a connection comes in using ISP A then the response will be sent using the same ISP); your PMG is connected to this system

- DNS: I would create the same DNS records for both ISPs (PTR, A and MX); it is not a problem to have the same PTR name on different ISPs, and use the same MX priority for both ISPs (round-robin DNS)

- so in the end you will have not FO (fail over) but LB (load balancing)

This is for inbound traffic. For outbound traffic you can use the same PR for FO or LB as you wish. The simple way is FO (use the default gw on your PMG on ISP A, and if ISP A is down you can change your default gw to ISP B)

Good luck!
 
Thanks for the reply

so to make sure, I would create an MX record like this
MX-----@----- mail2.mydomain.com (Priority: 2) and it points to my WAN2 IP

when you say keep an eye on my logs, I am not sure what you mean?

duly noted on the HELO name

also duly noted on the NAT part
 
Thanks for the reply,
so you're saying to create the same DNS: mail.mydomain.com pointing to WAN2 and mail.mydomain.com pointing to WAN 1, PTR and MX record with the same priority, which would be 1. And for outbound, if I see that WAN1 dies I quickly change the NAT rule to make PMG use WAN2, but my question is: wouldn't the other email servers jump, seeing that the IP changed?
as for the inbound, wouldn't it be better to create mail2.mydomain.com pointing to WAN2 and put priority 2, so when a client tries to send an email and my WAN 1 dies they will get a timeout on telnet to port 25 and will try to send to mail2.mydomain.com?
 
if I see that WAN1 dies I quickly change the NAT rule to make PMG use WAN2, but my question is: wouldn't the other email servers jump, seeing that the IP changed?


You can use monit for automating this (check both your ISP connections, and if ISP A is down then change the default gw to B). Now an external SMTP server that wants to send a mail to you, using the IP of ISP A while A is down, will try to re-send the same mail using the IP of your ISP B (round robin). If ISP A is down for many hours, then you could change your MX priority on ISP A to a higher value, so by default any SMTP server will use only ISP B. When ISP A is up again, after some time you can go back to the initial situation, before A was down!


Good luck
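The thread discusses two inbound layouts: two MX entries with different priorities (fail-over, where the lower-priority host is tried only when the first does not answer) and one MX name that resolves to both WAN addresses with equal priority (round robin, as described in the two replies above). The script below is an added example written for this page, not code from the thread or from PMG. It models how a sending MTA walks the records (MX hosts by ascending preference, equal preferences and multiple A records in random order, next address on connection failure, as RFC 5321 section 5.1 describes) and counts which address ends up accepting deliveries when both links are up and when WAN1 is down. Reachability is a constructed dict so the script runs offline; the addresses and names are placeholders for the redacted values in the thread.

```python
"""Added example (not from the thread or from PMG): how a sender walks MX
records and A records, for the fail-over and round-robin layouts."""
import random

# Constructed zones. "mx" lists (preference, host); "a" maps host -> addresses.
ZONE_FAILOVER = {
    "mx": [(1, "mail.mydomain.com"), (2, "mail2.mydomain.com")],
    "a": {"mail.mydomain.com": ["190.24.0.10"],
          "mail2.mydomain.com": ["182.32.0.20"]},
}
ZONE_ROUND_ROBIN = {
    "mx": [(1, "mail.mydomain.com")],
    "a": {"mail.mydomain.com": ["190.24.0.10", "182.32.0.20"]},
}


def delivery_order(zone, rng=random):
    """Addresses in the order a sender tries them: MX hosts by ascending
    preference, hosts sharing a preference in random order, and the addresses
    of each host also shuffled (resolvers rotate A records the same way)."""
    groups = {}
    for pref, host in zone["mx"]:
        groups.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        for host in hosts:
            addrs = list(zone["a"].get(host, []))
            rng.shuffle(addrs)
            order.extend(addrs)
    return order


def deliver(zone, reachable, rng=random):
    """Try each address until one accepts the connection. Returns
    (address_used, addresses_tried); address_used is None when every address
    failed, in which case a real MTA queues the message and retries later."""
    tried = []
    for addr in delivery_order(zone, rng):
        tried.append(addr)
        if reachable.get(addr, False):
            return addr, tried
    return None, tried


def address_usage(zone, reachable, n, seed=1):
    """Count which address accepted each of n deliveries (seeded for repeatability)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        used, _tried = deliver(zone, reachable, rng)
        counts[used] = counts.get(used, 0) + 1
    return counts


# Constructed link states: which WAN address currently answers on port 25.
BOTH_UP = {"190.24.0.10": True, "182.32.0.20": True}
WAN1_DOWN = {"190.24.0.10": False, "182.32.0.20": True}
BOTH_DOWN = {"190.24.0.10": False, "182.32.0.20": False}

if __name__ == "__main__":
    for name, zone in (("fail-over", ZONE_FAILOVER), ("round robin", ZONE_ROUND_ROBIN)):
        print(name, "both up:", address_usage(zone, BOTH_UP, 100))
        print(name, "WAN1 down:", address_usage(zone, WAN1_DOWN, 100))
        print(name, "both down:", deliver(zone, BOTH_DOWN))
```

In the fail-over layout every delivery goes to WAN1 while it answers and every delivery moves to WAN2 once it stops answering, after one failed attempt per message; in the round-robin layout both addresses carry traffic all the time, and a dead address costs a failed attempt only on the deliveries that happened to pick it first. The model does not cover the behaviour noted earlier in the thread, that some spammers deliberately start with the lowest-priority MX; that is a reason to run the same filtering on both addresses rather than a lighter setup on the backup.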
 
See the drawing. In this case you do not need to change any default gw! A router that can do this is under 100 EUR!
 

Attachments

  • PMG.png (15.3 KB)
