mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

DKIM and DNS records for Backup MX #1267

Closed staticn0de closed 6 years ago

staticn0de commented 6 years ago

Hi there,

I've read the instructions below for setting up a backup MX

https://github.com/mailcow/mailcow/wiki/Backup-MX-setup

But I've read another post on an issue here about how they are for the old non-dockerised version.

Is there anything missing that I need to do? Do both mx01 and mx02 need to have the same DKIM records? Does the backup need DKIM records at all? Does the backup MX need all the same DNS records that the primary does (autoconfig, autodiscover, etc.)?

Or is all I need to do to set up the domain without DKIM, check the backup options and set the MX record in my DNS server?

mkuron commented 6 years ago

The instructions apply to the current version unchanged. The backup MX only needs an A record and an MX record with a higher numerical priority than your main MX record. If you have IPv6, you need AAAA as well, and if you want DANE encryption, you need TLSA. No clients connect to the server, so you don't need SRV, autoconfig etc., and nobody sends email through it, so no DKIM records either.
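The record list in the comment above, turned into a small zone check. This is an added example, not part of the thread or of mailcow; the zone, `example.org`, `mx01`/`mx02` and the addresses are constructed placeholders, the `ipv6` and `dane` flags are assumptions standing in for "if you have IPv6" and "if you want DANE", and names are expected lowercase with a trailing dot.

```python
# Constructed sample zone: example.org, mx01/mx02 and all addresses are placeholders.
SAMPLE_ZONE = """\
example.org.       3600 IN MX   10 mx01.example.org.
example.org.       3600 IN MX   20 mx02.example.org.
mx01.example.org.  3600 IN A    192.0.2.10
mx02.example.org.  3600 IN A    198.51.100.20
mx02.example.org.  3600 IN AAAA 2001:db8::20
"""


def parse_zone(text):
    """Parse 'name ttl IN type rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if line:
            name, _ttl, _cls, rtype, *rdata = line.split()
            records.append((name.lower(), rtype.upper(), rdata))
    return records


def check_backup_mx(zone_text, domain, backup, ipv6=False, dane=False):
    """Return a list of problems; an empty list means nothing is missing."""
    recs = parse_zone(zone_text)
    present = {(name, rtype) for name, rtype, _ in recs}
    # MX rdata is [preference, exchange]; map exchange host -> preference.
    prefs = {r[1].lower(): int(r[0]) for n, t, r in recs if n == domain and t == "MX"}
    others = [p for host, p in prefs.items() if host != backup]
    problems = []
    if backup not in prefs:
        problems.append(f"{domain} has no MX record pointing at {backup}")
    elif not others:
        problems.append(f"{domain} has no main MX besides {backup}")
    elif prefs[backup] <= min(others):
        problems.append(f"MX preference {prefs[backup]} must be higher than the main MX ({min(others)})")
    if (backup, "A") not in present:
        problems.append(f"{backup} has no A record")
    if ipv6 and (backup, "AAAA") not in present:
        problems.append(f"{backup} has no AAAA record")
    if dane and (f"_25._tcp.{backup}", "TLSA") not in present:  # TLSA lives at _25._tcp.<host>
        problems.append(f"_25._tcp.{backup} has no TLSA record")
    return problems


if __name__ == "__main__":
    for problem in check_backup_mx(SAMPLE_ZONE, "example.org.", "mx02.example.org.", ipv6=True, dane=True):
        print("MISSING:", problem)
```

DKIM, SRV and autoconfig records are deliberately not checked, since the comment states the backup MX does not need them.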

Xadagain commented 6 years ago

@mkuron

If the same instructions apply to the current dockerized version, why did nobody copy the old backup MX instructions to the new documentation? There is no word about it.

So what do I have to do to set up a backup MX server? I've set up a second mailcow with only an A record and an MX record with higher priority.

I've added the domain and checked both backup MX options. No mailboxes. Do I have to set somewhere the path to the first MX server? Do I have to configure something like a whitelist on the main MX server?

Xadagain commented 6 years ago

PS: the old wiki is sadly no longer available, so I could not check the old instructions.

thomas126 commented 6 years ago

I would love to hear an answer to that question. Also, I have read it's better to have two mail servers set up instead of a backup one. Does anyone agree with that? If yes, how to achieve that? Is there a way to keep both servers in sync?

mkuron commented 6 years ago

> Do I have to set somewhere the path to the first MX server?

That is picked up from the MX records in DNS.

> Do I have to configure something like a whitelist on the main MX server?

No.

> Is there a way to keep both servers in sync?

Syncing two Mailcows is not supported (#241), so I'm not sure who recommended that.

thomas126 commented 6 years ago

Would it be possible to run two mailcow servers? One at home with the main storage, and one on the VPS with all outgoing mail settings set up in order to send all outgoing mails via a stable IPv4 address and hold all mails when the home server is offline?

mkuron commented 6 years ago

You could use the VPS as smarthost for outgoing messages and fetch incoming messages from it via imapsync jobs.

thomas126 commented 6 years ago

What is meant by smarthost and how to set it up?

You mean the imapsync available inside the settings page? I think you are referring to https://github.com/imapsync/imapsync right?

mkuron commented 6 years ago

> What is meant by smarthost and how to set it up?

All outgoing messages are sent to the smarthost instead of being delivered directly to the destination server. On the VPS, create a new mailbox. Edit that mailbox and in the "Allow to send as" dropdown, select "Disable sender check for domain *". On the home server, go to Configuration, Relayhosts and add a new one with your VPS as host and the username and password you just created. Then on the home server, go to Mailboxes, Domains, edit your domain and select the relayhost you just created.

> You mean the imapsync available inside the settings page?

Yes.

thomas126 commented 6 years ago

By that action all mails would be sent via that server? The original mail sender would stay alive, right? Would that be risky because technically spammers could send mails through that server? Backend home server would still run Mailcow...

Also is there a more sufficient way to use some kind of less RAM and CPU heavy container on the VPS, which should only have the task to send all outgoing mails plus act as a backup server? Is postfix able to handle that on its own?

mkuron commented 6 years ago

> By that action all mails would be sent via that server?

Yes, that's what a relayhost/smarthost configuration is for.

> The original mail sender would stay alive, right?

Yes, that's what the "Disable sender check for domain *" is for.

> Would that be risky because technically spammers could send mails through that server?

No, the server does not accept any unauthenticated messages for relaying. You created a special mailbox on the VPS with a password that is only used on the home server.

thomas126 commented 6 years ago

Would that relayhost/smarthost option solve the changing IP problem on the home network? So that the domain stays off blacklists?

mkuron commented 6 years ago

Yes. Your server at home will never directly deliver to any remote server. It always goes through the smarthost.