
2 Mail Exchange Servers and 1 Exchange Server using DNS


Beambones (MIS), Feb 15, 2002, GB
Ok, this is going to be a long one. But hopefully someone can help.

Our organisation's mail exchange is configured as follows: we have 1 Exchange Server and two SMTP Relay Servers. Mail comes in through our Firewall and is redirected to 1 Relay server, which in turn forwards all mail to the Exchange Server. The other Relay server is not yet configured, but we intend to use it for the following purpose. Instead of having our firewall use IP Redirection, we want to have these 2 Relay servers active and deliver all mail (inbound/outbound) using DNS. The purpose of this is so that if one relay server goes down, DNS will automatically switch over to the other relay server. I've already set up MX records on our DNS server for both of these. But I'm just really unclear on what I should do.

So to sum it all up, we want to have inbound mail coming from the firewall delivered to either of our relay servers, which in turn will forward all mail to our single Exchange Server... all using DNS rather than IP forwarding. Then we want our Exchange server to forward all outbound messages to either relay server, which in turn will deliver the messages outside to the public internet... again all using DNS rather than IP forwarding.

Can someone provide some assistance here? I'm not that clued up on handling SMTP using DNS. But I have no problem handling mail using IP forwarding.

Thanks.
 
OK then. As for inbound, I don't know what kind of firewall you have, but I don't know of any that understand DNS, so please enlighten me if you can. As for outbound, if you use DNS (assuming your exchange box has internet connectivity), you'll completely bypass these smtp servers. So what you want to do, is use the "forward all mail to host" option, and enter the IP addresses of both your servers, separated by a comma with no spaces. This will make exchange "round robin" between the 2, and if one goes down, obviously that's the one that'll be used...
 
Hi, thanks for your reply. I have done what you said with the outbound mail using 2 IP addresses in Exchange. The Firewall we use is Raptor Firewall 6.5 (software). There is a section in the console where we can set up IP Redirecting (from the public to an internal (private) IP address). Our host (BT) redirects all our mail to that public IP address, which our firewall then routes to an internal address which is one of our relay servers. The problem with this IP redirection is that I can only redirect to one IP and not two. I've been told to use DNS rather than IP forwarding, but I'm not all that clued up on DNS and how it works. Can you provide any advice?
 
Hmm... what is this "relay" server? That may be your only chance; the firewall is not going to give this functionality...
 
Actually, the inbound mail question is fairly simple if I read you correctly. You will need to do the following.

1. In your external DNS (on BT's server, public address space) set up two MX records. For example, we will call the servers mail1 and mail2. You then set an MX priority of, say, 10 for mail1 and 20 for mail2. The DNS records would look something like this:

IN MX 10 mail1.domain_name.com.
IN MX 20 mail2.domain_name.com.

This is pretty simple for the ISP; it's usually handled by a simple change request. But for a bigger ISP, it might take several days to make and propagate the change, so have your servers in place first.

2. On your firewall you will NAT the two public addresses to the private addresses of your mail servers. All incoming mail will then go to mail1, since its priority is higher, and go to mail2 if mail1 is not available. (Or you can actually set the priority the same too, and it will be hit or miss which server gets the mail.)

It is assumed that you are not directing one public address to two private addresses, but two public addresses to two private addresses. (one to one)

Even the cheapest firewall routers will allow this, assuming that you have more than one public address available. If you do not have more than one public address available, you will need a more sophisticated firewall that will allow for "load-balancing" (like a NetScreen or Cisco PIX).

It's probably cheaper to get the second address from your ISP if needed than to buy one of these firewalls.

I hope this helps.
-Dana
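The failover behaviour Dana describes (lowest MX preference first, equal preferences picked at random, next preference only when the current one is unreachable) is the standard sending-MTA rule from RFC 5321 section 5.1. The following Python is an added example, not code from the thread or from any of the products mentioned: it parses MX lines in the same shape as the two records above, works out the order a sender would try the hosts in, and simulates delivery against a constructed availability table. The domain `example.com` and the availability values are assumptions for the demonstration.

```python
"""Model how a sending MTA chooses among MX records.

Added example, not from the thread. Implements the RFC 5321 section 5.1 rule:
try the lowest preference value first, choose among equal preferences at
random, and fall back to the next preference only when every host at the
current level is unavailable.
"""
import random
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample zone fragment (assumed domain example.com), in the same
# shape as the two records in Dana's post.
SAMPLE_ZONE = """
example.com.   IN MX 10 mail1.example.com.
example.com.   IN MX 20 mail2.example.com.
"""

# Accepts "[owner] [ttl] IN MX <pref> <host>", so the thread's owner-less
# lines ("IN MX 10 mail1...") parse as well as full zone-file records.
MX_RE = re.compile(
    r"^\s*(?:(?P<owner>\S+)\s+)?(?:\d+\s+)?IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs for every MX line in a zone fragment."""
    records: List[Tuple[int, str]] = []
    for line in zone_text.splitlines():
        m = MX_RE.match(line)
        if m:
            host = m.group("host").rstrip(".").lower()
            records.append((int(m.group("pref")), host))
    return records


def delivery_order(records: List[Tuple[int, str]],
                   rng: Optional[random.Random] = None) -> List[str]:
    """Hosts in the order an MTA tries them: ascending preference,
    with hosts sharing a preference shuffled (the "hit or miss" case)."""
    rng = rng or random.Random()
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def choose_relay(records: List[Tuple[int, str]], available: Dict[str, bool],
                 rng: Optional[random.Random] = None) -> Optional[str]:
    """First host in delivery order that is reachable, or None when all are down
    (a real MTA would then queue the message and retry later)."""
    for host in delivery_order(records, rng):
        if available.get(host, False):
            return host
    return None


def equal_preference_spread(records: List[Tuple[int, str]], trials: int = 20) -> set:
    """Set of hosts that came first across several seeded shuffles; with equal
    preferences both hosts should appear, showing the random split."""
    return {delivery_order(records, random.Random(seed))[0] for seed in range(trials)}


if __name__ == "__main__":
    recs = parse_mx(SAMPLE_ZONE)
    print("records:", recs)
    print("both up   ->", choose_relay(recs, {"mail1.example.com": True, "mail2.example.com": True}))
    print("mail1 down->", choose_relay(recs, {"mail1.example.com": False, "mail2.example.com": True}))
    print("both down ->", choose_relay(recs, {"mail1.example.com": False, "mail2.example.com": False}))
    same = [(10, "mail1.example.com"), (10, "mail2.example.com")]
    print("equal preference, hosts seen first:", equal_preference_spread(same))
```

Running it shows mail1 chosen while it is up, mail2 only once mail1 is marked unavailable, and an even split when both carry preference 10. Note that the DNS side only picks the host; the firewall's one-to-one NAT still has to exist for each public address, which is the point Dana makes in step 2.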
 
Very good points, Dana, thanks. I was working under the assumption that there was only one public IP... but now you've got me curious... could I impose upon you to tell me what commands would allow load-balancing one public IP to two private IPs on the PIX? That would be very handy info... even a link if you're busy. Thanks again!
 
Bronto, I can tell you the commands on the NetScreen, but in truth I only heard that it can be done on the PIX. (We shelved ours 2 years ago.) Sorry, Dana
 
Well, the bad news is that I just found a site that says that a Cisco PIX 535 will not do ISP or Server pool load balancing. Looks like you need a Catalyst to do it.
 