Hot!Multi-WAN DNS Records and Fortimail

Author
Drkrieger
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/07/02 11:16:22
  • Status: offline
2019/11/12 11:01:51 (permalink)
0

Multi-WAN DNS Records and Fortimail

Hello Folks!

I'm in the process of setting up a second datacenter, and I'd like to ensure that all possible ISP connections can be used to receive email. The final plan will be to have two Fortimail units, two Exchange servers, and that regardless of what ISP is down, or which datacenter is down, email will arrive or send without issue. The sending part I think I'm good on - we'll have our SPF record programmed with all IP's that can send email. It's the receiving part - I know I can set up weighted MX records, however they all point to A records. If I only have two Fortimail units, but 2 connections at each datacenter, will the Fortimail unit be able to respond to an A record that doesn't match the hostname of the unit?
Example: Datacenter 1's Fortimail unit's hostname will be mx1. If I program the A record match for that to say, 'edm-ftm1' (mx record -> edm-ftm1) will the unit still be able to send/receive/properly filter email even though the hostnames don't match? (I'll be using a wildcard certificate)
 
Example 2:
Here's what I was thinking for MX record setup:
MX Record 1 = mx1.domain.com ->  A-Record = edm-ftm1
MX Record 2 = mx2.domain.com ->  A-Record = edm-ftm2
MX Record 3 = mx3.domain.com ->  A-Record = red-ftm1
MX Record 4 = mx4.domain.com ->  A-Record = red-ftm2
The physical units will be programmed with hostnames of mx1 and mx2 internally.
 
I know ideally I should have a total of 4 Fortimail units (2 per site), but the company I work for won't go for that cost. Unfortunately this is what I have to work with.
 
My biggest concern will be the network sessions. If the traffic starts on one IP, will it end up being sent out another IP? We're using a pfSense firewall, and we do have a policy route for outgoing mail traffic to be sent from a specific IP. We're trying to determine if it would be better to have the Fortimail on the edge with a connection to each ISP, or in DMZ and use the FW to do policy routing.
 
Thoughts?
Thanks in advance!
#1
Jump to:
© 2020 APG vNext Commercial Version 5.5