Setup Postfix + Antispam as MX backup


In a mail-server architecture, an MX backup should always be implemented for redundancy and to avoid emails being returned with errors because the mail-server is unavailable.

The working concept is pretty easy: when the mail-server is offline (failure or maintenance), incoming emails are collected and stored in the MX backup and released once the primary mail-server is back online again.



DNS configuration

To work properly, the system requires a second MX record in the DNS zone with a lower priority (a higher preference number), so that incoming email is delivered to the MX backup while the mail-server is offline.  MX  10 MX  20

The public IPs of the mail-server and of the MX backup must also be set to reflect the designed architecture.



Required packages installation

In order to use the yum command to install all required packages, we need to add the RPMforge repository to our system.

# wget
# rpm -Uvh rpmforge-release-0.5.2-1.el6.rf.x86_64.rpm


In addition to Postfix, the installation process includes additional packages to protect the server from spam and malware: ClamAV, SpamAssassin and Amavisd-new.

# yum install postfix spamassassin clamd clamav-db amavisd-new


Because we want this system to use only Postfix, if other MTA packages are installed (Sendmail for instance) we need to set the correct MTA with the alternatives command, selecting the right option.

# alternatives --config mta


Because in this example only the Postfix package is installed, the option number to type is 1.

If Sendmail is installed in the system, remove it using the yum command.

# yum remove sendmail


ClamAV configuration

Edit the file /etc/clamd.conf and check that Amavisd-new communicates with ClamAV through the local UNIX socket instead of a TCP socket.

LocalSocket /var/run/clamav/clamd.sock
#TCPSocket  3310

# vi /etc/clamd.conf


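Enable the ClamAV option by removing the leading #. The socket path in this entry must match the LocalSocket value in /etc/clamd.conf.

['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],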



Amavisd-new configuration

Edit the configuration file /etc/amavisd.conf and set the parameters with values that reflect your network environment.

$mydomain = '';            #
$MYHOME = '/var/amavis';
$helpers_home = "$MYHOME/var";
$lock_file = "$MYHOME/var/amavisd.lock";
$pid_file = "$MYHOME/var/";
$myhostname = '';    #

# vi /etc/amavisd.conf



Postfix configuration

Edit the file /etc/postfix/ and add the following lines:

# ==========================================================================
# service type  private  unpriv  chroot  wakeup  maxproc  command + args
#               (yes)    (yes)   (yes)   (never) (100)
# ==========================================================================
amavisfeed unix    -       -       n       -       2       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
inet n    -        n       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=

# vi /etc/postfix/


Edit the file /etc/postfix/ .

# vi /etc/postfix/

Add the following two lines:



Change the configuration parameters with values that fit with your network environment.

myhostname =        #
mydomain =                #
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain
mynetworks =,     # IP MX backup host
relay_domains =           # target domain
inet_interfaces = all
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
relay_recipient_maps =
message_size_limit = 0
mailbox_size_limit = 0
maximal_queue_lifetime = 5d


If the relay_recipient_maps parameter is left blank, all emails are processed by the MX backup regardless of whether the recipients exist on the mail-server, with the risk of also storing “junk” emails. Mail accepted for non-existent recipients is bounced later, when the primary rejects it, which turns the MX backup into a source of backscatter. Creating the file /etc/postfix/relay_recipients with the existing accounts solves the problem: only emails addressed to existing recipients are kept. Of course, if you have a dynamic environment with thousands of mailboxes, this approach is perhaps not the best option.

# vi /etc/postfix/relay_recipients

# Accounts configured in mail-server
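
One way to generate the relay_recipients table instead of typing it by hand, shown as an added example that is not part of the original article. The domain example.com, the sample accounts and the function names are constructed placeholders; the map type hash: in the closing comments is an assumption about how relay_recipient_maps is set.

```shell
#!/bin/sh
# Added example: build the Postfix relay_recipients table from an account list.
# example.com and the sample accounts are constructed placeholders.

# build_relay_recipients DOMAIN
# Reads one address per line on stdin and prints "address OK" lines,
# lower-cased, de-duplicated and sorted. Comments, blank lines, malformed
# addresses and addresses outside DOMAIN are dropped, so a stray entry cannot
# widen what the MX backup accepts.
build_relay_recipients() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | tr -d '\r' | awk -v d="$domain" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            addr = $1
            n = split(addr, part, "@")
            if (n != 2 || part[1] == "" || part[2] != d) next
            if (addr !~ /^[a-z0-9._+-]+@[a-z0-9.-]+$/) next
            print addr " OK"
        }' | sort -u
}

# Constructed sample input; on a real host this is an export of the mailboxes
# and aliases defined on the primary mail-server.
sample_accounts() {
    cat <<'EOF'
# exported from the primary mail-server
Alice@Example.com
bob@example.com
bob@example.com
carol@other.example
not-an-address
EOF
}

sample_accounts | build_relay_recipients "example.com"

# To install on the MX backup (as root), write the output to
# /etc/postfix/relay_recipients and then run:
#   postmap hash:/etc/postfix/relay_recipients
#   postconf -e 'relay_recipient_maps = hash:/etc/postfix/relay_recipients'
#   postfix reload
```

Regenerate the table whenever accounts change on the primary; a stale table makes the MX backup reject mail for new mailboxes while the primary is down.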

Enable installed services to be processed during system startup.

# chkconfig postfix on
# chkconfig amavisd on
# chkconfig clamd on
# chkconfig spamassassin on


Start the services following the correct sequence.

# service spamd restart
# service clamd restart
# service amavisd restart
# service postfix restart


If a warning related to an outdated ClamAV database is shown, you can manually update the signature by using the command:

# /usr/bin/freshclam


The signature database is then updated to the latest available release.



System test

Once the configuration is completed, we need to test the system to verify that emails are properly processed.

Using the telnet command, we test first if Amavisd service is listening on

# telnet localhost 10024

ehlo localhost


Next to test Postfix smtpd service is listening on

# telnet localhost 10025

ehlo localhost


Using another computer, connect to the MX backup via telnet and enter the following instructions.


# telnet 25

mail from:<>
rcpt to:<>
data
Subject: test backup mx

sending message to test backup mx
.
quit


If the message is delivered to the recipient, then the system is working properly.




Check the Postfix log activity to verify whether the MX backup is processing messages.

# tail -f /var/log/maillog
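
A quick way to read the same log in bulk, as an added example that is not part of the original article: it counts deliveries towards the primary and recipients rejected by the relay recipient table. The log lines, host names and addresses are constructed samples in Postfix's log format.

```shell
#!/bin/sh
# Added example: summarise what the MX backup did, from Postfix log lines.

# summarize_maillog: reads maillog lines on stdin and prints four counters.
# Only postfix/smtp lines count as delivery attempts towards the primary;
# postfix/lmtp lines are the hand-off to amavisd (amavisfeed) and are ignored.
summarize_maillog() {
    awk '
        BEGIN { sent = deferred = bounced = unknown = 0 }
        /postfix\/smtpd\[/ && /User unknown in relay recipient table/ { unknown++ }
        /postfix\/smtp\[/ && /status=sent/     { sent++ }
        /postfix\/smtp\[/ && /status=deferred/ { deferred++ }
        /postfix\/smtp\[/ && /status=bounced/  { bounced++ }
        END {
            printf "sent=%d deferred=%d bounced=%d rejected_unknown_rcpt=%d\n",
                   sent, deferred, bounced, unknown
        }'
}

# Constructed sample lines: one rejected unknown recipient, one hand-off to
# amavisd, one deferral while the primary is down, one delivery after it
# comes back.
sample_maillog() {
    cat <<'EOF'
Jan 10 10:00:01 mx2 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in relay recipient table; from=<a@example.net> to=<nobody@example.com> proto=ESMTP helo=<client.example.net>
Jan 10 10:00:04 mx2 postfix/lmtp[2105]: 3E19B2A01: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.1, delays=0.1/0/0/2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3F2A1C0E7)
Jan 10 10:00:05 mx2 postfix/smtp[2110]: 3F2A1C0E7: to=<alice@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[192.0.2.10]:25: Connection refused)
Jan 10 10:20:05 mx2 postfix/smtp[2190]: 3F2A1C0E7: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1230, delays=1229/0/0.2/0.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9B1D2F004)
EOF
}

sample_maillog | summarize_maillog
# On the MX backup itself: summarize_maillog < /var/log/maillog
```

A growing deferred count with no sent lines means the primary is still unreachable; a sudden rise in rejected_unknown_rcpt points either to address harvesting or to a stale relay_recipients file.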


To check the MX backup email queue, use the mailq command, which shows the messages received so far.

# mailq


On a regular basis the system performs a flush of queued messages based on the value specified in the /etc/postfix/ file (default 1000 seconds).

# vi /etc/postfix/master.cf


If you don’t want to wait for the next scheduled flush, a manual flush can be performed with the postqueue command, checking the queue status with mailq.

# postqueue -f
# mailq


When messages are released from the MX backup, if everything works as expected, emails are delivered to the email client.


Instead of buying cloud resources, which could be quite expensive, some providers on the market offer an MX backup service at interesting fees.

With this solution no emails are lost in case of mail-server failure, and scheduled maintenance can be performed taking all the time necessary.
