I currently have a server running Debian 6, with postfix and dovecot handling email. This server hosts email for a number of domains and users, so I use MySQL as my backing store for users and forwardings and everything related.
Currently, this server is the only server listed in an MX record for all of the domains it serves. I would like to create a secondary server that would be listed in the DNS with a lower priority (e.g. current primary server is priority 5, secondary would be priority 10), so that in the event that I need to reboot the primary server, or otherwise make it unavailable, the secondary server would receive email, and hold it until the primary server came back up, at which point it would deliver any held email to the primary server.
I do not need the secondary server to function as a backup sending server. Users would never need to see the secondary server, they would simply not lose incoming emails if the primary server is down, and they would be unable to send or receive until the primary came back up.
How would I go about doing this? I would like to use the same software if they can handle this task, because I’m already familiar with managing them.
When your primary isn't available, the foreign mail server queues the mail and retries delivery for up to five days. I haven't set up an additional MX, because most spammers deliver to the secondary first. Often this server isn't maintained as well as the primary.
Summa summarum: much work, little benefit. Let the world queue your mails!
There is complete documentation on how to set up Postfix as primary and secondary MX. Just follow the guide: http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
You need to use one of the available HA solutions such as keepalived or heartbeat. This package will assign a VIP to one of the servers. The other server will sit idle. Then, you need to set the virtual IP (VIP) in the DNS MX record.
When the primary server (holding the VIP) is down, the other server will get the VIP and be able to send/receive emails. The users should not notice this at all except for the IP transition period between the two nodes (a few seconds).
There is one point to consider which is the email directories sync. There should be a mechanism to sync the email dirs between the two servers to make sure you don't lose any email when a switch occurs between the two servers.
Generally in that sort of scenario you put a spam filter box out in front of the actual mailserver, and let it queue mail for when the actual server is down. It also gives you the additional benefit of offloading your spam filtering from your mailserver.
The backup MX is almost useless, but I still use it, because I don't want to rely on other servers' queuing policies, but take control of all the email transport for my clients. BUT - the most important thing is to have a backup DNS server, because mail will bounce as undeliverable if no MX host is found. It is very simple to set up a secondary MX server. Just use postfix and transport maps (routes).
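
A minimal backup-MX configuration of the kind the linked Postfix guide and the transport-map answer describe, as an added example that is not part of the original answers. The domains, the host name mail.example.com, the addresses and the table paths are constructed placeholders, and the 10-day queue lifetime is an assumed value.

```conf
# ---- /etc/postfix/main.cf on the backup MX (constructed example) ----
# Accept mail for the primary's domains as a relay only. Do NOT list these
# domains in mydestination, virtual_alias_domains or virtual_mailbox_domains.
relay_domains = example.com, example.org

# Only accept recipients that exist on the primary. Without this list the
# backup accepts mail for unknown users and later bounces it (backscatter).
relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Route each relayed domain to the primary.
transport_maps = hash:/etc/postfix/transport

# Never relay for anyone else: local networks first, then the relay check.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# How long held mail is retried before it bounces (Postfix default: 5d).
maximal_queue_lifetime = 10d

# ---- /etc/postfix/transport ----
# Square brackets disable the MX lookup, so the backup delivers straight
# to the primary host instead of looking up MX records that include itself.
example.com    smtp:[mail.example.com]
example.org    smtp:[mail.example.com]

# ---- /etc/postfix/relay_recipients ----
# One valid address per line; the right-hand value is ignored.
alice@example.com    OK
bob@example.org      OK

# After editing, rebuild the lookup tables and reload:
#   postmap /etc/postfix/transport
#   postmap /etc/postfix/relay_recipients
#   postfix reload
```

With a MySQL-backed user store, `relay_recipient_maps` can point at a `mysql:` lookup table instead of a hash file so the recipient list stays in step with the primary. The backup should run the same spam and recipient checks as the primary, since it is reachable directly by anyone who reads the MX records.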