From Exchange to 2 separate MTA's

on 16.01.2008 18:20:07 by mikegws

Hi,

I'm fairly new to Sendmail. I've gotten it working as a mail store &
configured imaps over it for my home domain. Now I hope to introduce
it carefully into my work environment - 1st by removing exchange from
the DMZ (yes, I know!).

At work we are running Exchange. I don't think I can get that changed
but I do think there would be some real advantages to routing all of
my internet inbound & outbound exchange e-mail thru 2 Sendmail MTA's.

So the flow of e-mail inbound will be:

Internet ---> 2 load balanced Sendmail MTAs in the DMZ --> Cluster of
4 Exchange Servers --> MUA on the desktop

I plan on assigning an equal weight to both MX records for our domain
pointing to the 2 MTA's. Do I have to create an /etc/aliases entry
for each user account on the exchange server? Is there an option to
forward all the e-mail? Would that be thru the mailertable? Can I
configure the mailer table to evenly send messages to all 4
servers?

Once this is working reliably for a few days I plan on putting in
dspam or other spam filtering at the MTA level.

The outbound flow of e-mail should be:

MUA on the desktop --> Cluster of 4 Exchange Servers --> 2 load
balanced MTA's in the DMZ --> Internet

Now - I don't have access to a load balancer & this might be more of a
MS Exchange question. But how I can evenly load balance between those
2 MTA's for outbound relaying & fail over if I need to in case one
goes down?

I was thinking DNS round robin but that doesn't have the ability to
detect a failure at the MTA.

Thanks,

-Mike

Re: From Exchange to 2 separate MTA's

on 16.01.2008 18:51:51 by gtaylor

On 01/16/08 11:20, mikegws@gmail.com wrote:
> So the flow of e-mail inbound will be:
>
> Internet ---> 2 load balanced Sendmail MTAs in the DMZ --> Cluster
> of 4 Exchange Servers --> MUA on the desktop

*nod*

> I plan on assigning an equal weight to both MX records for our domain
> pointing to the 2 MTA's. Do I have to create an /etc/aliases entry
> for each user account on the exchange server? Is there an option to
> forward all the e-mail? Would that be thru the mailertable? Can I
> configure the mailer table to evenly send messages to all 4 servers?

You do not "have to" create entries for every user, but it is advisable
to "educate" Sendmail on valid recipients in some way, be it /etc/access
entries or LDAP routing that interfaces with AD, or some form of
call-ahead, or something else. This way, your Sendmail edge gateways
will not accept messages for invalid recipients.

Yes, there are multiple options to forward all email to Exchange.
Seeing as how you are wanting these same systems to send email out to
the world too, I would suggest Mailertable.

I'm not sure if you can configure the Mailertable entry to load balance
per se. It is my (mis)understanding that Mailertable entries do
support multiple hosts per entry, but only in a backup fashion: in case
one (or more) fail, use the subsequent backup(s). If you are wanting to
do load balancing, I suggest that you look at some form of load
balancing technology. If you don't want to pay for a hardware load
balancer (or pair of for redundancy) I'd look at Linux Virtual Server as
a software load balancer to distribute the load across your multiple
Exchange servers. (LVS is worth the 15 minute read to see what it can
do for you on commodity hardware.)

> Once this is working reliably for a few days I plan on putting in
> dspam or other spam filtering at the MTA level.

Depending on load, I'd suggest that you consider using systems other
than your Sendmail gateways to do your spam filtering. Sure, use
milters on the Sendmail gateways, but have said milters pass messages
off to other systems to actually do the spam filtering and then return a
result to the Sendmail gateways as to whether or not the message should
be accepted or not. In essence, SMTP clients would connect to the
Sendmail gateways, the Sendmail gateways hand off (parts of) message(s)
to various back end daemon processing nodes (clamd, spamd, etc.) which
respond to Sendmail gateways, which then pass the message(s) on in to
the (load balanced) Exchange server(s).

One nice thing about having your filtering daemons on separate nodes is
that you can add more nodes to them as load increases.

> The outbound flow of e-mail should be:
>
> MUA on the desktop --> Cluster of 4 Exchange Servers --> 2 load
> balanced MTA's in the DMZ --> Internet

*nod* It should be trivial to configure the Exchange servers to use the
Sendmail gateways as "Smart Hosts" to route email out through.

This is also why I suggested that you use Mailertable versus something
else like Smart Hosting on the Sendmail systems. Smart hosting forwards
all email to the Smart Host, while Mailertable forwards email where you
tell it to.

> Now - I don't have access to a load balancer & this might be more of
> a MS Exchange question. But how I can evenly load balance between
> those 2 MTA's for outbound relaying & fail over if I need to in case
> one goes down?

I don't know that Sendmail or Exchange can be configured to load balance
themselves. I strongly encourage you to look in to some form of load
balancing, be it software like Linux Virtual Server (LVS) or hardware.
The fact that you have a cluster of four Exchange servers and are
talking about multiple Sendmail gateways tells me that you are working
with a sizable install and are not afraid of adding a few systems to
this over all solution. I would suggest that you look at a load
balancer (config) for your Sendmail gateways and an additional config
for your Exchange servers, be it done by the same load balancer or not.
I'd also suggest that each load balanced config have multiple IPs that
can be used for redundancy / pseudo ad-hoc round-robin DNS load
balancing. If you would like more details, just ask.

> I was thinking DNS round robin but that doesn't have the ability to
> detect a failure at the MTA.

If you use a short TTL on DNS, you can do some of this. There is also
the fact that you can do some interesting things in your firewalls /
switches / host systems to re-direct traffic to the failed IP to the up
and functioning system.

Chew on this and reply with questions / comments / concerns / general
complaints. ;)



Grant. . . .

Re: From Exchange to 2 separate MTA's

on 17.01.2008 08:41:10 by mega

mikegws@gmail.com wrote:
> Hi,
>
> I'm fairly new to Sendmail. I've gotten it working as a mail store &
> configured imaps over it for my home domain. Now I hope to introduce
> it carefully into my work environment - 1st by removing exchange from
> the DMZ (yes, I know!).
>
> At work we are running Exchange. I don't think I can get that changed
> but I do think there would be some real advantages to routing all of
> my internet inbound & outbound exchange e-mail thru 2 Sendmail MTA's.
>
> So the flow of e-mail inbound will be:
>
> Internet ---> 2 load balanced Sendmail MTAs in the DMZ --> Cluster of
> 4 Exchange Servers --> MUA on the desktop
>
> I plan on assigning an equal weight to both MX records for our domain
> pointing to the 2 MTA's. Do I have to create an /etc/aliases entry
> for each user account on the exchange server? Is there an option to
> forward all the e-mail? Would that be thru the mailertable?

Use LDAP routing to check addresses on incoming mail on your borderline
MTAs, so you won't bounce on an internal server. You won't need
mailertable for your internal domains, but look at LOCAL_RELAY and MAIL_HUB.

cheers

Erich

Re: From Exchange to 2 separate MTA's

on 18.01.2008 22:53:09 by mikegws

On Jan 16, 12:51 pm, Grant Taylor wrote:
> You do not "have to" create entries for every user, but it is advisable
> to "educate" Sendmail on valid recipients in some way, be it /etc/access
> entries or LDAP routing that interfaces with AD, or some form of
> call-ahead, or something else. This way, your Sendmail edge gateways
> will not accept messages for invalid recipients.

Yeah - I've been googling like crazy and came across that one. I also
like the idea of using milters to spread the load across several
systems for sanitizing etc..

> I'm not sure if you can configure the Mailertable entry to load balance
> per se. It is my (mis)understanding that Mailertable entries do
> support multiple hosts per entry, but only in a backup fashion: in case
> one (or more) fail, use the subsequent backup(s). If you are wanting to

Apparently - you can get some crude load balancing via comma
delimitation in the mailertable. However, I saw a message in my google
searches from one of the developers pointing out a) it's undocumented
and may go away b) that's why we have MX records.

Can't really argue with the logic there.

> Exchange servers. (LVS is worth the 15 minute read to see what it can
> do for you on commodity hardware.)

Yes - very cool stuff. But my MTA's are in different timezones and
forwarding to exchange servers in different branch offices.

My setup isn't that big. We have less than 2000 accounts. I don't
admin exchange so I don't know if have more servers or not than needed.
It's still slow as hell to replicate. But, that's another story ;-)

Good idea about using the milters to spread the load across several
systems. Something else I'll play around with to get going.

> This is also why I suggested that you use Mailertable versus something
> else like Smart Hosting on the Sendmail systems. Smart hosting forwards
> all email to the Smart Host, while Mailertable forwards email where you
> tell it to.

I like it all. I think the only area where I have some more thinking
and planning to do is whether or not I can use Active Directory to
actually deliver the mail straight to the mailbox on the exchange
server.

Right now I've got my 2 MTA's dumping everything straight to a MX
record that goes to the Exchange MTA's which know where to route the
messages.

I don't think the AD has the right attributes out of the box to
support this. And that's (thankfully) out of my control. Also - I
wonder if I did that and one of our Exchange machines went down,
wouldn't I end up generating message undeliverables?

Whereas if I MX'd it I could at least queue up the message until the
crappy exchange server came back online?

-Mike

Re: From Exchange to 2 separate MTA's

on 18.01.2008 23:48:36 by gtaylor

On 01/18/08 15:53, mikegws@gmail.com wrote:
> Yeah - I've been googling like crazy and came across that one. I also
> like the idea of using milters to spread the load across several
> systems for sanitizing etc..

*nod*

> Apparently - you can get some crude load balancing via comma
> delimitation in the mailertable. However, I saw a message in my google
> searches from one of the developers pointing out a) it's undocumented
> and may go away b) that's why we have MX records.

Seeing as how Mailertable is not meant for load balancing, I don't think
I'd try to use it.

> Can't really argue with the logic there.

No, you can't.

> Yes - very cool stuff. But my MTA's are in different timezones and
> forwarding to exchange servers in different branch offices.

Ah, ok.

> My setup isn't that big. We have less than 2000 accounts. I don't
> admin exchange so I don't know if have more servers or not than needed.
> It's still slow as hell to replicate. But, that's another story ;-)

It's Exchange, that tends to say it all.

> Good idea about using the milters to spread the load across several
> systems. Something else I'll play around with to get going.

*nod*

> I like it all. I think the only area where I have some more thinking
> and planning to do is whether or not I can use Active Directory to
> actually deliver the mail straight to the mailbox on the exchange
> server.

I was not thinking about using AD to locate the proper server to deliver
messages to, rather to see if a recipient is valid or not.

> Right now I've got my 2 MTA's dumping everything straight to a MX
> record that goes to the Exchange MTA's which know where to route the
> messages.

*nod*

For now, continue letting Exchange route the messages for you.

> I don't think the AD has the right attributes out of the box to
> support this. And that's (thankfully) out of my control. Also - I
> wonder if I did that and one of our Exchange machines went down,
> wouldn't I end up generating message undeliverables?

I may be wrong, but it was my (mis)understanding that you needed to
tweak Sendmail's LDAP query to be able to query the AD LDAP to see what
recipients were valid.

I also don't know that you need to talk to an Exchange server per se,
just an AD server that is holding a Global Catalog. If this is all that
is needed, it would be trivial to add an AD Global Catalog server near
your Sendmail boxen for the sole purpose of providing a Global Catalog
for Sendmail to query. That way, you are not dependent on any Exchange
servers.

I think (hope) that you would at worst return 4xy errors if you were
unable to query AD, not outright reject the message(s).

> Whereas if I MX'd it I could at least queue up the message until the
> crappy exchange server came back online?

*nod*



Grant. . . .
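A sendmail.mc fragment for one of the DMZ edge gateways that ties together what the thread settles on: mailertable pointing at an MX name for the Exchange hubs (so mail queues instead of bouncing when a hub is down), and recipient validation against an AD Global Catalog that degrades to a 4xy temporary failure when AD is unreachable. This is an added example, not configuration posted by anyone in the thread; the hostnames, the bind DN and the AD attribute names are assumptions.

```m4
dnl Added example (not from this thread). Minimal sendmail.mc for one of the
dnl two DMZ edge gateways. Hostnames, the AD bind DN and the attribute names
dnl are assumptions; adjust them to the real directory.
divert(-1)
include(`/usr/share/sendmail/cf/m4/cf.m4')
divert(0)dnl
VERSIONID(`DMZ edge gateway in front of Exchange')dnl
OSTYPE(`linux')dnl
dnl
dnl Inbound routing: mailertable rather than SMART_HOST, so only the listed
dnl domain goes to Exchange and everything else is delivered directly.
dnl /etc/mail/mailertable (rebuild with: makemap hash mailertable < mailertable)
dnl   example.com    esmtp:exchange-mx.example.com
dnl exchange-mx.example.com is assumed to carry equal-preference MX records for
dnl the four Exchange hubs. Because the name is not in [brackets], sendmail
dnl uses the MX list: a hub that is down is skipped and, if all are down, the
dnl message queues on the gateway instead of generating a bounce.
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
dnl
dnl Accept inbound mail for the domain, and relay outbound mail only from the
dnl Exchange hubs (access db entries such as "Connect:192.0.2.10 RELAY").
RELAY_DOMAIN(`example.com')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
dnl
dnl Recipient validation at the edge so unknown users are refused at RCPT
dnl instead of bouncing from an internal server. AD does not allow anonymous
dnl searches, so bind as a read-only account; the password file must be
dnl mode 0600. Port 3268 is the Global Catalog, so any GC server will do.
define(`confLDAP_DEFAULT_SPEC', `-h gc.example.com -p 3268 -b dc=example,dc=com -d cn=sendmail-ro,cn=Users,dc=example,dc=com -M simple -P /etc/mail/ldap.secret')dnl
dnl ldap_routing normally routes on mailHost; AD has no such attribute, so the
dnl first map never matches and only the second (address existence, via the
dnl proxyAddresses attribute) decides. "bounce" turns a miss into a 5xy
dnl "User unknown" at RCPT; -T<TMPF> turns an LDAP outage into a 4xy temporary
dnl failure, so senders retry rather than being rejected while the GC is down.
FEATURE(`ldap_routing',
  `ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=user)(proxyAddresses=smtp:%0))',
  `ldap -1 -T<TMPF> -v mail -k (&(objectClass=user)(proxyAddresses=smtp:%0))',
  `bounce')dnl
LDAPROUTE_DOMAIN(`example.com')dnl
dnl
MAILER(`smtp')dnl
```

Before rolling it out, test a known-good, a known-bad and an aliased address with `sendmail -bv user@example.com` on the gateway, then stop the LDAP service briefly and confirm the gateway answers RCPT with a 451, not a 550.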
