Authenticating to both 2 MX servers (ISPC in master/slave config)

Discussion in 'General' started by Ignacio Garcia, Sep 3, 2019.

  1. Hi there. I have a very-fine working ISPC master/slave scenario where I have 2 mail servers (A and B) both acting as primary and secondary MX servers for clients hosted in both servers as well (using mail routes and relays as instructed in the ISPC manual). With this configuration I've got covered redudancy for incoming mail in case one server fails.

    What I'd like to have now is the possibility of having a client hosted in server A to send outgoing emails by authenticating to server B as well as server A, and viceversa. I've been reviewing files in /etc/postfix/mysql-virtual*.cf validating logins against mysql, and, frankly, I'm afraid of manipulating things without knowing about potential side-effects.

    Is there any easy way of doing this? Has anybody been able to achieve this? Can anybody confirm which files need to be modified to achieve this?

    TIA

    Ignacio
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I believe you would need to setup dovecot's native dsync, at which point backup mx's aren't needed (you simply deliver the mail to either server, and it sync's to the other) so you can remove all that as a bonus.

    Disclaimer, I've never setup dsync yet myself, it's on my todo list, but I did review https://wiki.dovecot.org/Replication and my understanding seems in line with that.
     
  3. Actually I was not looking for having our mail stored in 2 or more servers. What I'm trying to achieve is using both SMTP servers for sending email no matter what server the account has been set up for.

    IN fact, after further testing (and without any deep knowledge on ISPC), it seems that, since we're using Dovecot SASL, modifying /etc/dovecot/dovecot-sql.conf 's line 7 and 8 along with some minor modifications to /etc/postfix/mysql* files should do the work:
    For example, in dovecot-sql.conf:
    Code:
    password_query = SELECT email as user, password, maildir as userdb_home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as userdb_mail, uid as userdb_uid, gid as userdb_gid, CONCAT('*:storage=', quota, 'B') AS userdb_quota_rule, CONCAT(maildir, '/.sieve') as userdb_sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND (server_id = '1' OR server_id = '2')
    user_query = SELECT email as user, maildir as home, CONCAT( maildir_format, ':', maildir, '/', IF(maildir_format='maildir','Maildir',maildir_format)) as mail, uid, gid, CONCAT('*:storage=', quota, 'B') AS quota_rule, CONCAT(maildir, '/.sieve') as sieve FROM mail_user WHERE (login = '%u' OR email = '%u') AND `disable%Ls` = 'n' AND (server_id = '1' OR server_id = '2')
    
    However, that would break IMAP/POP connections unless I set up dovecot dsync, as you suggested.

    Does anybody suggest a different aproach?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    If you would have set up the servers according to the ISPConfig mirroring howto, then both servers would be able to act as smtp servers and both would share the same emails, it does not matter then to which server a client connects, he will be able to retrieve his mails on both systems and he will be able to send trough both systems.
     
    Ignacio Garcia likes this.
  5. Till, that's absolutely true, but I wanted to have both apache and nginx, and primary and secondary dns zones, as well as different settings and limits in the mail module ecosystem depending on the customers profile (business vs individuals/soho)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, in that case, modifying the SQL queries that are used to authenticate the users are probably the best option.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    Depending on what settings/limits you want to be different, you can use limit templates to specify what they should be. Settings which cannot be specified in the templates like postfix's message_size_limit which you may wish to vary by customer often can't be, eg. it seems that message_size_limit cannot be made into a table lookup, so if it were set differently on the two servers, your customers would all have a different limit depending on which server they sent from each time.

    You are correct in that you can't use ispconfig mirroring across apache/nginx, and for dns primary/secondary; but what it sounds like you wish to do with email does not quite make sense to me, as it only makes one piece of your mail service redundant. Maybe I simply misunderstand it, or maybe you have a non-standard use case.

    It sounds like you wish to have some customers use server A for their imap/pop3 server, other customers use server B for their imap/pop3 server, and all customers can use either A or B for smtp? Assuming you set that up, then you have a scenario when a server goes down, where some users cannot check their email (imap/pop), but can still send out; though such a user would still get an error from the imap server when sending if their client tries to save a copy to the Sent folder.

    You should be able to accomplish it though by replicating the mail_user tables across servers (ie. so each server replicates a copy of the other's mail_user table, you're not trying to keep that table in sync). You then adjust your queries (iterate_query, password_query and user_query) to use both mail_user and your replicated table and vary with %s (dovecot service name variable) to see if it's allowed on that server or not.

    Perhaps you have a use case that requires redundant smtp but not imap/pop3? But it would be a more complete solution (and I think simpler) to use dsync, of course at the cost of additional disk space/resources for the redundancy.
     
    Ignacio Garcia likes this.
  8. Hi Jesse. Yes, you're right. Our dovecot servers have different global configurations. Also, around postfix we use custom postfwd, amavis, spamassassin, and others, to create different rules for different scenarios/clients. We also use postfix tables to block ip ranges, domains. We also limit (never block) sasl logins by country. And finally we have different IPs for different servers, of course. Some of these values can be applied individually, others are global.


    That's pretty much it. What I exactly want to achieve is:
    - Users in Server A (VIP customers):
    POP/IMAP: Server A
    SMTP: Server A or Server B
    -Users in Server B (Individuals/SOHO):
    POP/IMAP: Server B
    SMTP: Server B


    Thanks Jesse. I will try your suggestion this weekend if possible.

    About some /etc/postfix/mysql* files with queries to mysql, I believe they should be modified as well. What do you think?

    Thanks very much!

    Cheers,

    Ignacio
     
  9. Jesse Norell

    Jesse Norell Well-Known Member

    So you would only need to replicate tables from Server A to Server B, not both directions, and only change queries on server B.

    Yes, some of those would as well, and might require that you replicate additional tables.
     

Share This Page