Thread: Handling MX change

  1. #1
    Handling MX change

    Looking at options for migrating from our existing POP3 Mercury mail system to Zimbra, specifically how to transition MX records smoothly. Mercury mail is currently set to a priority of 10 in public DNS, while Zimbra is set to 20. The same domain exists on both systems as well as the same users. Currently, I am prohibiting mail flow from going to Zimbra by keeping SMTP port 25 closed for Zimbra's IP on our Juniper firewall facing the internet. We are a small company with about 25 users.

    I have always been under the impression that public DNS propagation can take some time, up to 72 hours, which can make MX changes tricky when it comes to migrating mail systems. I have reviewed the Split Domain article on how to handle this situation with forwarding and it seems like a bit of overkill for a small environment like ours.

    My question is, since I have the MX record already in place, would it be easier to simply block SMTP port 25 on the firewall to the old system when I wish to migrate? I can't shut it down completely, since other services are hosted there. That way mail would bypass the primary MX and flow to the secondary MX, Zimbra, and all I would be left to do is change user client settings to point to Zimbra. Of course I would make the changes to reflect Zimbra as the primary MX, but would not be dependent on DNS propagation for desired mail flow. What am I missing here?

  2. #2

    My advice:
    • setup a new VM inside your network, the OS you prefer, the MTA you prefer
    • setup this MTA to accept mails for your domains only (in order not to be public relay)
    • setup this MTA to relay emails to your old Mercury system
    • remove the second MX from your DNS, it's not needed (actually you SHOULD have a second MX but not on the same network/LAN)
    • setup your firewall to forward all incoming mails (previously going to the Mercury system) to the new VM (that will relay them to the Mercury system)
    • create the accounts on the ZCS systems, migrate the mails (imapsync?), allow ZCS to receive the mail
    • at the exact second you wish, stop the Mercury incoming MTA: the VM will spool the mails
    • take the needed time to sync the mails between the Mercury and the ZCS
    • close the Mercury
    • resetup the MTA on the VM to relay to Zimbra instead of the Mercury system: spooled mails will be delivered to the ZCS accounts

    You can resetup the firewall to deliver mails directly to the ZCS but I wouldn't do so: this way, when you stop your ZCS to upgrade it, mails are spooled on your LAN and delivered as soon as the ZCS comes back online.
    If you don't have a "spool VM", emails will be spooled by the senders' MTA and you have no real idea when the mail will be delivered to you.

    The VM can also be hosted outside of your network/LAN and do some AV/AS filtering.
    This way, your ZCS server will only get "nice" emails.

  3. #3

    Thanks for the reply. Some great, well thought out ideas for sure. A couple of things: my current system is POP3, so I am dealing with local .pst files, and syncing between Mercury and Zimbra will not be necessary. And I do have a very small environment with 25 or so users. That's why I was considering a simple, somewhat abrupt cut. I more or less simply want to "flip a switch" and redirect mail to Zimbra. Because an MX change can take some time, the best way I could think to control this would be with our firewall blocking SMTP to the old system, which would allow mail to flow down to the secondary MX.

    For example, I make this change at 7 am on Monday morning, catch users as they arrive at work, change local mail/mobile device settings, migrate their local .pst's. With 25 users, I could likely finish the process in a single day. The only drawback I see is there may be some delay between the time I make the firewall change and the time I could get to them to change their settings to get to the new mail system. I think they will be alright with this as long as I communicate beforehand to temper expectations. Of course, I could always direct them to the web client to send/receive mail in the meantime. Does this make sense?

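    A way to check, before and after the firewall cut-over discussed above, which MX host sending servers will actually end up at: senders try MX hosts in ascending preference order and fall back to the next one when a connection fails (RFC 5321). This is an added example, not code from the thread; the host names and the record list are constructed assumptions standing in for the Mercury (priority 10) and Zimbra (priority 20) records.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed MX set mirroring the thread: Mercury at 10, Zimbra at 20.
# Host names are assumptions, not values from the post.
EXAMPLE_MX: List[Tuple[int, str]] = [
    (20, "zimbra.example.com"),
    (10, "mercury.example.com"),
]


def delivery_order(records: Iterable[Tuple[int, str]]) -> List[str]:
    """Hosts in the order a sending MTA tries them: lowest preference first.
    sorted() is stable, so equal preferences keep their input order."""
    return [host for _, host in sorted(records, key=lambda r: r[0])]


def port_open(host: str, port: int = 25, timeout: float = 3.0) -> bool:
    """Real probe: does a TCP handshake to host:port complete?
    If the firewall silently drops SYNs instead of sending a reset, every
    sender waits out its own timeout before moving to the next MX; a reject
    (RST/ICMP unreachable) makes the fallback immediate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_reachable(records: Iterable[Tuple[int, str]],
                    probe: Callable[[str], bool] = port_open) -> Optional[str]:
    """Simulate sender fallback: first MX that accepts a port-25 connection."""
    for host in delivery_order(records):
        if probe(host):
            return host
    return None  # every MX is closed: mail queues on the senders' side


def cutover_report(records: Iterable[Tuple[int, str]],
                   probe: Callable[[str], bool] = port_open) -> Dict[str, object]:
    """Per-host reachability plus the host that will effectively receive mail."""
    recs = list(records)
    status = {host: probe(host) for host in delivery_order(recs)}
    return {"reachable": status, "effective_mx": first_reachable(recs, probe)}


if __name__ == "__main__":
    # Offline this reports nothing reachable; run it against your own records.
    print(cutover_report(EXAMPLE_MX))
```

    Run it once with Mercury's port 25 open (expect Mercury as the effective MX) and again after the firewall rule is in place (expect Zimbra); a result of None means both hosts are unreachable and mail is backing up at the senders.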

  4. #4

    Why not change the IP on the Mercury system (so it won't receive mail) and on the ZCS system (to take the previous Mercury IP)?
    And obviously make the corresponding changes in the DNS to reflect the IP changes: rename the Mercury in the DNS, get the correct IP/name combination for ZCS and have the previous Mercury name point to the Zimbra (no change of IP in the DNS for this name).

    If you can do this, you won't have to change anything on the firewall nor on your users system: their tools/mobile will connect to the same name but it's now the ZCS and not the Mercury anymore.

    Then you can import your PSTs to ZCS.

  5. #5

    I do like the way you are thinking here when it comes to making things simple here.

    I forgot to mention the current Mercury system is hosting our company's website on port 80. So, that sort of screws up the IP change idea. I owe the previous system admin a big thanks for this.

    We are also running the Zimbra system as IMAP, so I don't see a way around reconfiguring all client devices.


  6. #6

    It mainly depends on your firewall then...
    If you have a "1:1 NAT" (external IP to internal IP then some port allowed), you might want to change this to "port NAT" (aka "port mapping") and then redirect the mail ports (25, 143, 110, the same with enabled SSL) to the ZCS and the web port (80) to the Mercury once its IP is changed.
