Hi all

I would like to offer my clients a backup exchange service so if their site
goes down I can switch their MX dns record over to my server.

My clients are all using SBS2000 and I am as well. Is there an easy way for
me to set this up? I can envision setting their accounts on my server for
mail delivery, but don't know how I can get it all back onto their server
when things on their end go back up.

I know some DNS providers offer this service, but if I can offer it from my
end then that's even better (free too).

Thoughts?
Thanks

Re: Backup Exchange Server by Mark

Mark
Sun Nov 02 20:45:30 CST 2003

Gary, you can have additional MX records but then you have to get those
emails over to your client and unless you check regularly, they may get
there late. Personally, I do not like this approach. I have my clients
rent space on my colo mail/web server (Linux with perfect uptime) and then
their Exchange pops out and pulls down their email. They get to close a few
more ports and never miss an email during a windows update reboot. Many
larger companies use this similar approach with a smarthost in house in
front of their firewall and then their Exchange cluster(s) pull it in from
there. It's a very good practice.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



Re: Backup Exchange Server by Steve

Steve
Mon Nov 03 11:43:16 CST 2003

Mark Mancini wrote:

> Gary, you can have additional MX records but then you have to get
> those emails over to your client and unless you check regularly, they
> may get there late. Personally, I do not like this approach. I have
> my clients rent space on my colo mail/web server (Linux with perfect
> uptime) and then their Exchange pops out and pulls down their email.
> They get to close a few more ports and never miss an email during a
> windows update reboot. Many larger companies use this similar
> approach with a smarthost in house in front of their firewall and
> then their Exchange cluster(s) pull it in from there. It's a very
> good practice.

a) There's no such thing as perfect uptime with any OS - unless perhaps
you're not keeping it updated of course. There's not a current OS today
that never needs a reboot for patching. All OSes have made strides in
this area, but there's still plenty of room for improvement.

b) Using POP3 to pull mail into Exchange allows the closure of a single
port - 25 - not "a few".

c) Most mail servers retry mail delivery in the event that a remote
server is not available. Certainly, no mail would be "lost" - the worst
that might happen is the sender gets a message that their mail could
not be delivered.

d) Most larger companies would cringe at the idea of running a server
outside any firewall. They might run a bastion mail server in a DMZ,
but not "naked" on the net.

e) what happens to your clients' email if you suffer a DoS attack?
You're creating a single point of failure shared among your clients.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

Re: Backup Exchange Server by Gary

Gary
Mon Nov 03 14:15:36 CST 2003

I agree that the email sent to servers that are offline end up going back to
the sender but the goal is to avoid this... I know nothing about Linux so
this is not an option (this is a MS SBS ng anyway) and generally all my
clients like to keep things on site or with me so outsourcing is not what
they are looking for.

What I am trying to accomplish is an emergency backup system for my clients
in case they drop off the net for whatever reason (ISP failure, server
failure etc). This is not going to happen every day.

Through status monitoring I know when this happens and can switch the MX
record over to me. I am running SBS (as are all my clients). If I get all
of their email for the day or two it takes to get them back online, but then
how can I easily send it over to them when they come back up?



Re: Backup Exchange Server by Mark

Mark
Mon Nov 03 19:01:50 CST 2003

Ok, Steve....
1) compared to MS, Linux has about 100 times fewer needs for reboot. The
number of updates that require recompile is small compared. Perfect
uptime....b/c my datacenter had a 4hour outage with SQL slammer, that was
the only downtime in 2003 except a few minutes for recompiles. It isn't
perfect but qualifies for 99.999% which is less than 6 hours/year. I think
Linux has come further than MS has in this area and this is why many
enterprise size companies use Linux Smarthosts.
2) some people open port 25 AND port 110....why?!?! I don't know but ask
some of these people and you will see that many newbies open both. I'm making
an assumption from what I see from other "consultant" installs.
3) Yes, it will retry but the ND email is one that looks REALLY BAD!! I
deal with professionals and this is not acceptable...even if it eventually
gets there. I prefer to remove this blemish. Besides, how long do your
servers take to scan disk? Some of mine about 1+ hours.
4) you're right, when I said "in front" of their firewall I meant in front of
their REAL firewall, not in front of a NAT router or something not as costly
as one that secures the LAN side of the DMZ. I don't think anyone nowadays
runs naked on the net....then again there are idiots. I figure if you know
enough to use a smart host then this is a given assumption that I think is
safe.
5) What happens when YOU suffer a DoS attack. Funny you should say that
though!!! My datacenter already thought of this and other attacks and their
Cisco outer perimeter routers block many such traffic. They don't want
their 45Mb pipe clogged either.

Well, I know Kevin uses this approach as well but you probably just hate me
so I assume that is why you posted instead of helping Gary here....nice MVP!

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



Re: Backup Exchange Server by Mark

Mark
Mon Nov 03 19:06:44 CST 2003

Gary, you don't have to know Linux... I don't! The GUI is butt easy!
Besides, do you really want the responsibility for handling any other email?
On a box without redundant pipe or power in a locked facility? So, what
makes your setup more secure? See what I'm saying.....colo is actually an
EASIER sell. What you want to do is going to require manual checking of
mail and nothing automated in SBS. Kevin here also does this colo
setup.....it is a better way.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



Re: Backup Exchange Server by Steve

Steve
Tue Nov 04 22:30:32 CST 2003

Gary Peacock wrote:

> I agree that the email sent to servers that are offline end up going
> back to the sender but the goal is to avoid this... I know nothing
> about Linux so this is not an option (this is a MS SBS ng anyway) and
> generally all my clients like to keep things on site or with me so
> outsourcing is not what they are looking for.

Fair enough. Just understand that you cannot guarantee 100% that no
sender will ever get an "unable to deliver" response from their
favourite email client when trying to send mail to a server you're
responsible for. It's the nature of the internet - it's not a 100%
guaranteed medium.

>
> What I am trying to accomplish is an emergency backup system for my
> clients in case they drop off the net for whatever reason (ISP
> failure, server failure etc). This is not going to happen every day.

Indeed, SBS2000 servers don't generally fall over and die on a regular
basis... <g>

>
> Through status monitoring I know when this happens and can switch the
> MX record over to me. I am running SBS (as are all my clients). If
> I get all of their email for the day or two it takes to get them back
> online, but then how can I easily send it over to them when they come
> back up?

Exchange is not particularly good at handling the duties of secondary
mail hosting. 5.5 was better at it, IMHO, than Ex2K - I don't expect
Ex2003 to be any better. Exchange has increasingly been focussed on the
"corporate groupware" aspect of its functionality in recent versions,
rather than its abilities for ISP-style duties.

There were a couple of reasonable KB articles that covered doing this
for Ex55, but I don't know if they've been updated for Ex2K and Ex2003
- I haven't looked recently.

I think if these were my clients, I'd probably be looking to use the
domain registrars, or the current ISPs providing connectivity, to
provide secondary mail hosting, rather than trying to do it myself with
SBS.

If you were determined to use Exchange, I think you'd need to be
looking at configuring relaying for the clients' domains, with long
timeouts and high retry counts. Or perhaps using a catch-all postmaster
account, and having them POP3 connector the mails out.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
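
The secondary-mail-host behaviour discussed in the posts above (an additional, higher-numbered MX record, plus relaying for the clients' domains with long timeouts) can be modelled as follows. This is an added example, not part of any poster's message; the hostnames, domain names and hour values are constructed, and the model is a simplification rather than Exchange configuration.

```python
from dataclasses import dataclass, field

# All hostnames, domains and timings below are constructed for illustration.
MX_RECORDS = [(10, "mail.client.example"), (20, "backup.provider.example")]


def pick_mx(mx_records, reachable):
    """Sender side: try MX hosts in ascending preference, skip unreachable ones."""
    for _pref, host in sorted(mx_records):
        if host in reachable:
            return host
    return None  # nothing reachable: the sender queues and retries on its own


@dataclass
class BackupMX:
    relay_domains: set          # domains this host agrees to hold mail for
    expire_after_h: int         # queue lifetime before a bounce is generated
    queue: list = field(default_factory=list)      # (queued_at_h, recipient)
    delivered: list = field(default_factory=list)
    bounced: list = field(default_factory=list)

    def accept(self, now_h, recipient):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in self.relay_domains:
            return False        # refuse mail for domains we do not back up
        self.queue.append((now_h, recipient))
        return True

    def run_queue(self, now_h, primary_up):
        waiting = []
        for queued_at, rcpt in self.queue:
            if primary_up:
                self.delivered.append(rcpt)      # relay on to the client's server
            elif now_h - queued_at >= self.expire_after_h:
                self.bounced.append(rcpt)        # sender gets the NDR after all
            else:
                waiting.append((queued_at, rcpt))
        self.queue = waiting


def simulate(outage_h, retry_interval_h, expire_after_h):
    """One message arrives at hour 0 of an outage; return (delivered, bounced, hour)."""
    backup = BackupMX({"client.example"}, expire_after_h)
    target = pick_mx(MX_RECORDS, reachable={"backup.provider.example"})
    if target != "backup.provider.example":
        raise RuntimeError("sender did not fall back to the backup MX")
    backup.accept(0, "user@client.example")
    now = 0
    while backup.queue:
        now += retry_interval_h
        backup.run_queue(now, primary_up=(now >= outage_h))
    return len(backup.delivered), len(backup.bounced), now


if __name__ == "__main__":
    print(simulate(48, 1, 24))   # short queue lifetime, two-day outage
    print(simulate(48, 1, 96))   # long queue lifetime, same outage
```

With both MX records published in advance, senders fall back on their own and no manual DNS switch is needed; the queue lifetime on the backup host decides whether a two-day outage ends in delivery or in a bounce.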

Re: Backup Exchange Server by Steve

Steve
Tue Nov 04 22:30:32 CST 2003

Mark Mancini wrote:

> Ok, Steve....
> 1) compared to MS, Linux has about 100 times fewer needs for reboot.
> The number of updates that require recompile is small compared.
> Perfect uptime....b/c my datacenter had a 4hour outage with SQL
> slammer, that was the only downtime in 2003 except a few minutes for
> recompiles. It isn't perfect but qualifies for 99.999% which is less
> than 6 hours/year. I think Linux has come further than MS has in
> this area and this is why many enterprise size companies use Linux
> Smarthosts.

I'm not arguing about whether MS or Linux require more or less reboots,
only that neither OS (nor any other mainstream OS AFAIK) can be kept
updated without any reboots.

99.999% uptime means <6 minutes/year downtime, not 6hrs.

365*24*60* 0.001% = 5.256 minutes.

> 2) some people open port 25 AND port 110....why?!?! I
> don't know but ask some of these people and you will see that many
> newbies open both. I'm making an assumption from what I see from other
> "consultant" installs.

Unless a company wants to host POP services, there's no reason to open
port 110 at all, as I'm quite sure you're aware. SBS doesn't leave it
open by default.

> 3) Yes, it will retry but the ND email is one
> that looks REALLY BAD!! I deal with professionals and this is not
> acceptable...even if it eventually gets there. I prefer to remove
> this blemish. Besides, how long do your servers take to scan disk?
> Some of mine about 1+ hours.

How can it look really bad? The internet is not a 100% reliable medium
ever. There are often minor outages that can impact mail delivery
between two points. Heck, a minor goof-up by the sender's IT dept could
cause unable to deliver messages. I find I can't always reach various
websites or mail servers on the net when I roam the planet.

Not sure why the reference to scanning disks?

> 4) you're right, when I said "in front"
> of their firewall I meant in front of their REAL firewall, not in
> front of a NAT router or something not as costly as one that secures
> the LAN side of the DMZ. I don't think anyone nowadays runs naked on
> the net....then again there are idiots. I figure if you know enough
> to use a smart host then this is a given assumption that I think is
> safe.

Using a smart host simply shifts the burden. You're now relying on
someone else doing things right.

> 5) What happens when YOU suffer a DoS attack. Funny you
> should say that though!!! My datacenter already thought of this and
> other attacks and their Cisco outer perimeter routers block many such
> traffic. They don't want their 45Mb pipe clogged either.

I figure that if the likes of Microsoft, Verisign, Amazon, various
banks and other large commercial organisations find it hard to
withstand a DoS, what chance would a small operator have?

>
> Well, I know Kevin uses this approach as well but you probably just
> hate me so I assume that is why you posted instead of helping Gary
> here....nice MVP!

No, I don't hate you. I just don't like to see vague or woolly postings
out here, particularly since Google are trying to archive everything,
and context is not always available when archives are searched. IMHO, I
simply thought your first post was a bit on the woolly side. I'm not
claiming to be perfect either - none of us are, after all (except Susan
maybe <g>) and I'm sure better folks than either of us have either
tutted at or corrected posts of mine too.

Frankly, if I make a mistake, I *want* and expect someone to correct me
on it. That's part of what the SBS community is about. You're bound to
have noticed that the general level of noise, spam, flamage, etc. is
pretty low on these groups. And I think it's reasonably safe to assume
that most folks like it that way.

And I have since posted a direct response to Gary, once I'd checked on
a couple of things.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.