Dexteroule
New Contributor

FortiMail 100C operating in server mode / Adding a domain as a backup

Hello everyone,

 

I use a FortiMail 100C in server mode.

 

In this operation mode, is it possible to add a new domain as a backup mail exchanger so that the FortiMail unit will accept mails for this domain in case the primary mail exchanger is down or unreachable and pass the mails on to the primary MX once that one is up again?

 

Thanks, 

 

Carl_Windsor_FTNT

No, this is not possible; we are considering this DR scenario for a future release. Please feed back your interest to your FortiMail account team.

Dr. Carl Windsor Field Chief Technology Officer Fortinet

ede_pfau
Esteemed Contributor III

Maybe I'm too inexperienced, but why would that not be possible?

In an MX record you state at least one IP address. You can give 2 addresses for failover.

If the second address would point to the FML, the FML would never receive any mail until mail clients run into an 'unreachable' problem with the primary address, and resend to the secondary address.

Am I assuming wrong here?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
KPS
New Contributor III

Hi!

 

I can 95% agree with what ede_pfau wrote:

There should be no problem setting up a second FortiMail as MX with a higher metric. The "second MX" can send the mails to an upstream MTA (the first FortiMail) and can hold mails in its queue when the first MTA is not reachable for some time.

Option 2: The second FortiMail can send the mails to the same upstream-system, as the primary-one (e.g. Exchange-server).

 

But:

1. Problems:

You have no central config instance. You need to set up both systems.

 

2. (the 5%, I do not agree to ede_pfau):

Some MTAs that are not configured RFC-compliant do not only use the MX record with the lowest metric. So, you will see some mails on the "backup FortiMail".

MANY spammers try to bypass spam filters by sending mails to the backup MX records.

 

Both should not be an issue.

 

Regards,

KPS

Carl_Windsor_FTNT

I agree, there are workarounds that can be used to achieve something close to this requirement but they have limitations e.g.

  • You would need a Gateway mode (primary mx) and Server mode (secondary mx) instance, which is not what the original request mentioned (single FML100C).
  • As per @KPS, secondary MX sometimes gets (mis)used for delivery.
  • How do you cleanly deliver mail from the Server mode instance to the Exchange server once it is available? Server mode would have to operate with a queuing-based system to deliver once Exchange is back up, or duplicate all email and clear down the mailboxes after a configurable time period.

All doable, but not in a simple way, hence why an official DR deployment scenario is being considered for a future release.

Dr. Carl Windsor Field Chief Technology Officer Fortinet
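The point made by KPS and repeated by Carl above, that a backup MX sees mail from senders that skip the lowest-metric MX, can be monitored from connection records. The following is an added example, not part of any post and not FortiMail code; the record layout, the host labels and the 5-minute fallback window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not FortiMail log output): SMTP connections seen on
# each MX host, plus the window in which the primary MX was unreachable.
CONNECTIONS = [
    ("2024-05-01T10:00:05", "primary", "198.51.100.7"),
    ("2024-05-01T10:00:40", "backup",  "198.51.100.7"),   # tried primary first
    ("2024-05-01T10:05:00", "backup",  "203.0.113.50"),   # never tried primary
    ("2024-05-01T12:10:00", "backup",  "192.0.2.25"),     # primary was down
    ("2024-05-01T13:30:00", "backup",  "203.0.113.50"),   # never tried primary
]
PRIMARY_OUTAGES = [("2024-05-01T12:00:00", "2024-05-01T12:30:00")]
RETRY_WINDOW = timedelta(minutes=5)  # assumed grace period for MX fallback


def _ts(value):
    return datetime.fromisoformat(value)


def classify_backup_hits(connections, outages, window=RETRY_WINDOW):
    """Label every backup-MX connection as failover, fallback or direct."""
    down = [(_ts(a), _ts(b)) for a, b in outages]
    last_primary = {}          # client IP -> time of its latest primary attempt
    results = []
    for stamp, mx, client in sorted(connections):
        when = _ts(stamp)
        if mx == "primary":
            last_primary[client] = when
            continue
        if any(start <= when <= end for start, end in down):
            label = "failover"          # expected: primary really was down
        elif client in last_primary and when - last_primary[client] <= window:
            label = "fallback"          # sender tried the primary first
        else:
            label = "direct"            # skipped the lower-metric MX entirely
        results.append((stamp, client, label))
    return results


def direct_senders(results):
    """Count direct-to-backup connections per client IP."""
    counts = {}
    for _, client, label in results:
        if label == "direct":
            counts[client] = counts.get(client, 0) + 1
    return counts
```

Clients that repeatedly land in the "direct" bucket are the ones to review, and the backup MX should enforce the same filtering policy as the primary so that this path gains them nothing.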

ede_pfau
Esteemed Contributor III

Thanks @KPS and Carl, for a lot more insight into what this would take. Looking forward to a future release.


Ede

"Kernel panic: Aiee, killing interrupt handler!"