I am currently trying to find a way to load balance our 4 mail gateways (running Mail Cleaner). I was able to bring up HAProxy and use tcp mode to load balance without issue. The only real problem being my source IP is always the HAProxy server, so some of my mail filter checks are useless now because I cannot check if the mail is coming from a known bad relay.
Is there any FLOSS software out there that could be used to handle this type of situation? I know HAProxy has this ability if I have the mail gateways use it as the default gateway, and compile some additional modules and configure iptables. I just don't want to start down that path if I am just missing an easier solution.
SMTP has built-in load balancing using DNS, in a round-robin fashion. This works quite well for most purposes. If that's not sufficient for you, you will have to create your own custom setup, which is not an easy task. So unless you really need it, I'd stick with what is available and widely used.
I am assuming your email servers (MTAs) are on the same domain (say example.org); in that case create an MX record for each separate MTA, with the same priority. Using the same priority ensures each server is tried in a round-robin fashion; otherwise the one with the highest priority (lower number) is always tried first (in the case of MTAs that aren't broken; spammers love to hit the server with the lowest priority, thinking it may be a lower-spec "fallback" server):
Of course make sure each mx* can be resolved:
If you also want to use DNS to "load balance" MTAs for your users to send out email, you can configure DNS in this way. Let's call your outgoing server smtp.example.org and tell your users to submit email to it. I put "load balance" in quotes because this won't avoid connecting to a server that's down the way MTAs deal with it using MX records. In this case the user has to retry one or more times to hit a working server.
This is a crude solution because, depending on the user's system and setup, they may keep trying to hit just one IP. But at least it's not "down for everyone" and you can always direct them to a working server. In addition, if a server is permanently down you can remove it from the DNS, and once cached that should prevent your users from hitting it. In this case haproxy may not be such a bad solution.
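To make the MX behaviour in this answer concrete, here is a small simulation (added example, not from the answer or from any MTA's code) of how a sending MTA orders MX records: ascending preference, shuffled within equal preference, and falling through to the next host when one is down. The hostnames and the record set are constructed; the seed parameters exist only to make the runs reproducible.

```python
import random
from collections import defaultdict

# Constructed MX set for example.org: three equal-preference gateways
# (hypothetical mx1..mx3) plus one lower-priority backup host.
MX_RECORDS = [
    (10, "mx1.example.org"),
    (10, "mx2.example.org"),
    (10, "mx3.example.org"),
    (20, "backup.example.org"),
]


def order_mx(records, seed=None):
    """Order hosts the way an MTA tries them (RFC 5321, section 5.1):
    lowest preference value first; hosts sharing a value are shuffled,
    which is what turns equal-priority MX records into round robin."""
    rng = random.Random(seed)
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def deliver(records, try_connect, seed=None):
    """Walk the ordered MX list until a host accepts the connection.
    Returns (host, attempts); host is None when every host failed.
    This fallback is what plain A-record round robin does not give you."""
    attempts = []
    for host in order_mx(records, seed):
        attempts.append(host)
        if try_connect(host):
            return host, attempts
    return None, attempts


def first_choice_counts(records, deliveries, seed=None):
    """Count which host is tried first across many deliveries: the
    equal-preference hosts share the load, the backup never leads."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(deliveries):
        counts[order_mx(records, rng.getrandbits(32))[0]] += 1
    return dict(counts)
```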
We do this simply using Linux Virtual Server, which has been part of the standard Linux kernel for some years now.
It allows for weight-based load balancing and is quite easy to set up; we are doing something like this:
(where 192.168.0.3 is your "service IP" or "virtual IP" and 192.168.0.8 and 192.168.0.9 are your "real servers")
Most important to know is the mode of operation. This setup uses "gateway mode", in which source and destination of the packets are not changed. But this has some implications. The virtual IP has to be configured on all "real servers". But this might lead to ARP race conditions you should avoid by design:
Perhaps -m (masquerading mode) is a little bit easier to set up.
And another hint here: you might want to use keepalived, which sets ipvsadm up, monitors your mail servers for reachability and perhaps provides redundancy for the load balancer itself using VRRP.
We are using ipvs to handle 15k CPS DNS load balancing.
(*) at least in Debian it's called this way, but searching for ipvs should be easy