Round Robin DNS cannot provide Mail Proxy failover for Symantec Encryption Management Server

Article ID: 158256

Products

Encryption Management Server

Issue/Introduction

If the mail server that a SEMS (Symantec Encryption Management Server) Mail Proxy forwards to becomes unavailable, mail flow is interrupted until the SEMS Mail Proxy settings are updated to point at a working server. Using round robin DNS to work around this is not a viable solution.

The SEMS Mail log will contain error messages like this:

SMTP-00001: connection to mailserver.domain.dom[10.12.32.109]:25 failed: No route to host Mon Jul 29, 2013 at 12:49:48 PM +01:00
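The error line above is the signal an administrator would want to alert on, since mail flow stops until the Mail Proxy is repointed. The following is an added example (not part of the original article or a Symantec tool) that parses SEMS Mail log lines in the layout shown above and counts connection failures per upstream mail server so that a monitoring job can raise an alert once a host fails repeatedly. The field layout is inferred from the single line on this page, and all log lines other than the first are constructed sample data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Pattern for the SEMS Mail log error shown in the article:
#   SMTP-00001: connection to host[ip]:port failed: reason <timestamp>
# The layout is inferred from that one line; other codes may differ.
LOG_RE = re.compile(
    r"^(?P<code>SMTP-\d+): connection to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"failed: (?P<reason>.+?) "
    r"(?P<ts>\w{3} \w{3} \d{1,2}, \d{4} at \d{1,2}:\d{2}:\d{2} [AP]M [+-]\d{2}:\d{2})$"
)


@dataclass
class ProxyFailure:
    code: str
    host: str
    ip: str
    port: int
    reason: str
    timestamp: datetime


def parse_failure(line: str) -> Optional[ProxyFailure]:
    """Return a ProxyFailure for a connection-failure line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # "Mon Jul 29, 2013 at 12:49:48 PM +01:00" -> drop the literal "at"
    ts_text = m.group("ts").replace(" at ", " ")
    ts = datetime.strptime(ts_text, "%a %b %d, %Y %I:%M:%S %p %z")
    return ProxyFailure(
        code=m.group("code"),
        host=m.group("host"),
        ip=m.group("ip"),
        port=int(m.group("port")),
        reason=m.group("reason"),
        timestamp=ts,
    )


def failures_by_server(lines: Iterable[str]) -> Counter:
    """Count connection failures per upstream host[ip]:port."""
    counts: Counter = Counter()
    for line in lines:
        f = parse_failure(line)
        if f is not None:
            counts[f"{f.host}[{f.ip}]:{f.port}"] += 1
    return counts


def servers_over_threshold(lines: Iterable[str], threshold: int) -> Dict[str, int]:
    """Alerting rule: upstream servers with at least `threshold` failures."""
    return {k: v for k, v in failures_by_server(lines).items() if v >= threshold}


# First line is the one quoted in the article; the rest are constructed.
SAMPLE_LINES: List[str] = [
    "SMTP-00001: connection to mailserver.domain.dom[10.12.32.109]:25 failed: "
    "No route to host Mon Jul 29, 2013 at 12:49:48 PM +01:00",
    "SMTP-00001: connection to mailserver.domain.dom[10.12.32.109]:25 failed: "
    "Connection refused Mon Jul 29, 2013 at 12:50:03 PM +01:00",
    "SMTP-00001: connection to mailserver.domain.dom[10.12.32.109]:25 failed: "
    "Connection timed out Mon Jul 29, 2013 at 12:51:17 PM +01:00",
    "SMTP-00001: connection to relay2.domain.dom[10.12.32.110]:25 failed: "
    "Connection refused Mon Jul 29, 2013 at 12:51:40 PM +01:00",
    "INFO: message 4f2c delivered to relay2.domain.dom",  # constructed, not an error
]

if __name__ == "__main__":
    for server, n in servers_over_threshold(SAMPLE_LINES, threshold=2).items():
        print(f"ALERT: {n} failed connections to {server}")
```

Run against a tail of the exported SEMS Mail log; a single failure is usually transient, so the threshold keeps the rule quiet until a server has failed several times in a row.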

Cause

Each Mail Proxy entry in SEMS proxies to a single mail server. If that mail server is unavailable, SEMS rejects the associated SMTP connections.

Resolution

  • Administrators may expect DNS round robin to provide SMTP failover. Unfortunately, DNS round robin is relatively unsophisticated: it has no knowledge of server health and will keep returning the IP address of an unavailable mail server to SEMS. It is therefore not a viable solution.
  • DNS round robin that is dynamically updated according to the availability of each mail server would provide a potential solution.
  • An IP load balancer that monitors the availability of the mail servers and updates its settings accordingly would provide a potential solution.
  • Another potential solution is to use a dedicated mail server with its own private DNS entries. These DNS entries would need to include MX records for the SEMS managed domains. The MX records would provide a means of relaying mail to upstream mail servers and bypassing unavailable ones. However, this method would require maintenance of the private DNS zone files and would introduce additional points of failure.
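To make the first three points concrete, here is an added simulation (not code from the article or from Symantec) of how a proxy that connects to the first address returned for a name behaves behind plain round robin DNS versus a health-aware resolver of the kind the second and third bullets describe. The address list, the reachability table and the probe are constructed; the model assumes, as the article states, that SEMS makes one connection attempt to the address it resolves and does not retry another record.

```python
from typing import Callable, Dict, List, Tuple

# Constructed example: two mail servers behind one DNS name, one of them down.
A_RECORDS: List[str] = ["10.12.32.109", "10.12.32.110"]
REACHABLE: Dict[str, bool] = {"10.12.32.109": False, "10.12.32.110": True}


def try_connect(ip: str, reachable: Dict[str, bool] = REACHABLE) -> bool:
    """Stand-in for an SMTP connect on port 25; True if the host accepts."""
    return reachable.get(ip, False)


class RoundRobinResolver:
    """Plain DNS round robin: rotates the record order on every query and
    knows nothing about whether the hosts are actually up."""

    def __init__(self, records: List[str]) -> None:
        self._records = list(records)

    def resolve(self) -> List[str]:
        answer = self._records
        self._records = answer[1:] + answer[:1]  # rotate for the next query
        return answer


class HealthCheckedResolver:
    """Model of a health-aware DNS service or IP load balancer: addresses whose
    probe fails are withdrawn from the answer before the client sees them."""

    def __init__(self, records: List[str], probe: Callable[[str], bool]) -> None:
        self._records = list(records)
        self._probe = probe

    def resolve(self) -> List[str]:
        answer = self._records
        self._records = answer[1:] + answer[:1]
        return [ip for ip in answer if self._probe(ip)]


def simulate(resolver, attempts: int, connect=try_connect) -> Tuple[int, int]:
    """Model of the proxy: resolve, connect to the first address returned,
    no retry. Returns (delivered, rejected) over `attempts` connections."""
    delivered = rejected = 0
    for _ in range(attempts):
        answer = resolver.resolve()
        if answer and connect(answer[0]):
            delivered += 1
        else:
            rejected += 1  # SEMS rejects the associated SMTP connection
    return delivered, rejected


if __name__ == "__main__":
    print("round robin     :", simulate(RoundRobinResolver(A_RECORDS), 10))
    print("health-checked  :", simulate(HealthCheckedResolver(A_RECORDS, try_connect), 10))
```

With one of two servers down, round robin hands the dead address to the proxy on every other query, so half the connections are rejected even though a working server exists; the health-aware resolver never returns it. If every server is down the health-aware answer is empty and the connection still fails, which is the correct outcome and the case the fourth bullet's extra relay is meant to address.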

Applies To

Symantec Encryption Management Server 3.3

PGP Universal Server 3.x