Tuesday, January 21, 2025

The Importance of High Availability for Postfix in Large On-Premises Email Relays

In environments with high email traffic, such as universities, ensuring high availability (HA) for email relay infrastructure is paramount. Reliable email delivery impacts communication, operations, and the academic experience. Open-source tools like Postfix, combined with modern load balancing and failover solutions, can provide a robust, scalable email relay system. This article explores how Postfix can be configured for HA in such scenarios, using Debian as the base operating system.

Understanding High Availability in Email Relays

High availability ensures continuous operation of email relay services even during server failures or maintenance. For universities, where thousands of emails are sent daily from various departments, research groups, and administrative offices, disruptions in email flow can lead to significant operational challenges. Configuring Postfix in an HA setup ensures:

  1. Redundancy: Eliminating single points of failure.
  2. Load Balancing: Distributing email traffic evenly across multiple Mail Transfer Agents (MTAs).
  3. Failover: Seamless transition during server downtimes or network issues.

Setting Up Multiple MTAs with Postfix on Debian

Postfix, known for its flexibility and performance, is an ideal choice for handling unauthenticated email relay within a university’s internal network. Here’s how you can set up multiple MTAs:

  1. Install Postfix on Debian:

    apt update && apt install postfix
    

    Configure Postfix to operate as a relay host during installation.

  2. Restrict Access to LAN IPs: In the Postfix configuration file /etc/postfix/main.cf, restrict relay permissions to LAN IPs:

    mynetworks = 192.168.0.0/16 [::1]/128
    relay_domains = *
    smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
    
  3. Enforce TLS 1.3 to Smarthosts: Configure Postfix to communicate with smarthosts over TLS 1.3:

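    # "encrypt" is mandatory TLS, so the mandatory protocol list applies;
    # excluding everything through TLSv1.2 leaves only TLS 1.3
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2
    smtp_tls_security_level = encrypt
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt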
    
  4. Reverse DNS Setup: Ensure all university IPs have reverse DNS entries pointing to meaningful hostnames to avoid being flagged as spam.

  5. DKIM Signing and SPF Records:

    • Use smarthosts to apply DKIM signatures to outgoing emails.
    • Ensure the smarthost IPs are listed in the university domain’s SPF record.
      v=spf1 ip4:203.0.113.0/24 -all
      

Load Balancing with HAProxy

To distribute traffic among multiple MTAs, HAProxy acts as a load balancer:

  1. Install HAProxy:

    apt install haproxy
    
  2. Configure HAProxy: Create /etc/haproxy/haproxy.cfg:

    global
        log /dev/log local0
        maxconn 2000
    
    defaults
        log global
        option tcplog
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
    
    frontend smtp_frontend
        bind *:25
        mode tcp
        default_backend smtp_backend
    
    backend smtp_backend
        mode tcp
        balance roundrobin
        server mta1 192.168.1.2:25 check
        server mta2 192.168.1.3:25 check
        server mta3 192.168.1.4:25 check
    

    Restart HAProxy to apply the changes.
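
With mode tcp and no PROXY protocol, Postfix sees HAProxy's address as the client, so permit_mynetworks is evaluated against the load balancer instead of the real sender. The Python check below is an added example, not part of the original article: it reads the two configurations shown above and reports that case. HAProxy's send-proxy option and Postfix's smtpd_upstream_proxy_protocol are real settings; the load balancer address 192.168.1.10 and the function names are assumptions.

```python
import ipaddress
import re

# Constructed inputs: the settings from this article, trimmed to the relevant lines.
MAIN_CF = """
mynetworks = 192.168.0.0/16 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""
HAPROXY_CFG = """
backend smtp_backend
    mode tcp
    server mta1 192.168.1.2:25 check
    server mta2 192.168.1.3:25 check
"""
LB_ADDR = "192.168.1.10"  # assumption: source address HAProxy uses toward the MTAs

def postfix_params(main_cf):
    """Parse simple 'name = value' lines from main.cf text (no continuation lines)."""
    pairs = (l.split("=", 1) for l in main_cf.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def haproxy_servers(cfg):
    """Map each backend server name to True if its line sets a send-proxy option."""
    out = {}
    for words in (l.split() for l in cfg.splitlines()):
        if len(words) >= 3 and words[0] == "server":
            out[words[1]] = any(w.startswith("send-proxy") for w in words[3:])
    return out

def audit(main_cf, haproxy_cfg, lb_addr):
    """Return findings about which client address permit_mynetworks evaluates."""
    params = postfix_params(main_cf)
    nets = [ipaddress.ip_network(re.sub(r"[\[\]]", "", n), strict=False)
            for n in re.split(r"[,\s]+", params.get("mynetworks", "")) if n]
    lb_trusted = any(ipaddress.ip_address(lb_addr) in n for n in nets)
    expects = params.get("smtpd_upstream_proxy_protocol") == "haproxy"
    findings = []
    for name, sends in haproxy_servers(haproxy_cfg).items():
        if sends != expects:
            findings.append(f"{name}: PROXY protocol set on one side only, sessions will fail")
        elif not sends and lb_trusted:
            findings.append(f"{name}: Postfix sees {lb_addr}, inside mynetworks; "
                            "permit_mynetworks matches every client of the frontend")
    return findings

if __name__ == "__main__":
    for finding in audit(MAIN_CF, HAPROXY_CFG, LB_ADDR):
        print(finding)
```

Adding send-proxy to each server line and smtpd_upstream_proxy_protocol = haproxy to main.cf clears both findings.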

Adding Failover with Keepalived

Keepalived ensures continuous availability by managing virtual IPs with failover and failback capabilities.

  1. Install Keepalived:

    apt install keepalived
    
  2. Configure Keepalived: Create /etc/keepalived/keepalived.conf:

    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
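            # placeholder value: set the same non-default password on every node
            # (VRRP PASS auth is sent in clear text; only the first 8 characters are used)
            auth_pass secret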
        }
        virtual_ipaddress {
            192.168.1.100
        }
    }
    

    Configure similar instances on other servers with adjusted state and priority values.

  3. Restart Keepalived:

    systemctl restart keepalived
    

End-to-End Email Relay Workflow

  1. Email Submission: Devices within the university LAN submit emails to the Postfix servers via HAProxy.

  2. Relay and Encryption: Postfix enforces TLS 1.3 and relays the email to configured smarthosts.

  3. DKIM Signing and SPF Validation: Smarthosts sign outgoing emails with DKIM, and their IPs align with the SPF records.

  4. Recipient Delivery: The smarthosts send the emails to their final destinations.

Benefits of the Architecture

  • Resilience: Redundant MTAs and load balancing minimize downtime.
  • Security: TLS enforcement and compliance with email authentication protocols reduce the risk of spoofing and data breaches.
  • Scalability: HAProxy and Keepalived allow seamless addition of MTAs to handle increased traffic.

By combining Postfix, HAProxy, and Keepalived, universities can build a high-performance, resilient email relay system that ensures reliable communication across campus.
