reverse proxy for multiple SMTP / IMAP servers
Solution 1:
There is no need to put nginx or any other form of load balancer in front of your border SMTP servers. If you don't get the configuration right, it is likely to hurt your ability to successfully deliver mail. Just put your servers in your DMZ.
Incoming traffic will be part way through a conversation before you can route it appropriately. IMAP users will be attempting to login. SMTP servers will be at the RCPT TO command, and may be attempting to deliver the same message to different domains for which you are listed as the MX.
It is common to use names like smtp01.example.com for farms of servers. The domain you use for your mail server(s) rarely matches the server name. For common services like SMTP, Web, IMAP, POP and others it is common to publish and use service names in addition to (or instead of) host names. Load balance your MX servers by publishing them at the same priority.

For each of these servers:

- Publish an A record in DNS for your mail server's IP address. Also add an AAAA record for the mail server's IPv6 address if you want to support IPv6. (You will need two PTR records if you are configuring both IPv4 and IPv6 support.)
- Have your IP provider configure the PTR record to return the service (SMTP) name of the server. This will enable reverse DNS (rDNS) validation to work.
- Configure your mail server to bind to the above address(es) when sending email.
- Configure the mail server to use the service name as its identity. This will allow rDNS validation to work on the HELO or EHLO command.
Consider adding an SPF record like v=spf1 a -all to the DNS entries for each SMTP server. This will allow recipients to verify that this server is intended to send mail. (SPF can be used to verify the server as well as the sender.)
While it is common for the MX servers to also be the outbound mail servers, it is not necessary. List the outbound SMTP servers in the SPF record for the domains used in email addresses (usually example.com rather than george.example.com).
Your SMTP servers should belong to one domain. The MX servers for a domain do not have to be in the same domain. If you are configuring multiple domains, pick one for the mail servers and use that for all the domains.
In larger installations, it is common for the border (externally facing) SMTP servers to forward to internal mail servers for final delivery of incoming mail. All outgoing mail should be sent to the border servers for delivery. If you have split your incoming MX (mail exchange) servers from outgoing MTA (Mail Transfer Agent) servers, outgoing messages should be sent via the outgoing MTAs rather than the MX servers. It is a good idea to include MX in the SPF records anyway. This will allow your MX servers to send delayed delivery notifications without the message being considered spam.
For roaming users you may need authenticated SMTP access to allow the users to send email. This is best done on the Submission port (587) rather than the SMTP port (25). This should be secured with TLS (SSL) using the STARTTLS command after connecting. Authentication should only be allowed on encrypted connections. This can be offered on the servers configured above, or on the servers providing IMAP access.
Depending on your needs you can use an IMAP server that supports proxying connections, or just allow the users to connect to the server for their domain. It is common to use a service domain for this purpose, usually imap.example.com or mail.example.com. These can be configured in DNS as A records or CNAMEs. Many mail clients will auto-configure correctly to the common service accounts for the domain. If user@example.com is entered as the user during configuration, the software is likely to find service domains like mail.example.com, imap.example.com, pop.example.com and smtp.example.com. It is relatively common to use different service names for IMAP and SMTP traffic.
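As an added example (not part of the answer above), the following Python checks the DNS relationships the answer relies on, run against a constructed in-memory zone rather than live DNS: forward-confirmed reverse DNS for the HELO identity, a minimal evaluation of the a, mx and all SPF mechanisms, and equal MX priorities. All names and addresses are constructed for the example.

```python
import ipaddress

# Constructed records standing in for real DNS (example names/addresses only).
DNS = {
    ("smtp01.example.com", "A"): ["192.0.2.10"],
    ("smtp02.example.com", "A"): ["192.0.2.11"],
    ("smtp01.example.com", "TXT"): ["v=spf1 a -all"],
    ("smtp02.example.com", "TXT"): ["v=spf1 a -all"],
    ("example.com", "MX"): [(10, "smtp01.example.com"), (10, "smtp02.example.com")],
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["smtp01.example.com"],
    ("11.2.0.192.in-addr.arpa", "PTR"): ["smtp02.example.com"],
}

def lookup(name, rtype):
    """Return the records of one type for a name from the constructed zone."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def fcrdns_ok(ip, helo_name):
    """Forward-confirmed rDNS: the PTR must name the HELO identity and
    that name must resolve back to the connecting address."""
    ptrs = lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return helo_name.lower() in [p.lower() for p in ptrs] and ip in lookup(helo_name, "A")

def spf_result(domain, ip):
    """Evaluate the 'a', 'mx' and 'all' mechanisms (the ones the answer uses).
    Returns pass/fail/softfail/neutral, or permerror for a missing/duplicate record."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "a":
            matched = ip in lookup(domain, "A")
        elif mech == "mx":
            matched = any(ip in lookup(host, "A") for _, host in lookup(domain, "MX"))
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # mechanisms outside this small evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term

def mx_equal_priority(domain):
    """True when every MX record shares one priority, i.e. the MX hosts are load balanced."""
    return len({prio for prio, _ in lookup(domain, "MX")}) == 1
```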