multiple MX pointing to the same server

I need help with a mail server configuration.
I would like to know if it’s possible to have multiple MX records with different public IPs pointing to the same local server.
This is because in my environment there are 2 gateways (multiple service providers), a WatchGuard T30 (local that manages and a WatchGuard T35 (local that manages, for failover purposes. They share the same ISP router, which has the

watchguard t35 – loc – pub

watchguard t30 – loc – pub

zone MX 5 MX 15 TXT "v=sfp1 a mx ip4: ip4: ~all" A A

zone PTR PTR

on firewall1: NAT – common mail ports

on firewall2: NAT – common mail ports

MAILSERVER nic config

subnet mask:
gw metric 2
gw metric 50 

In this way, when the first gateway goes down, all the requests start coming in (and going out) from ( on the common ports (25..443..) instead of the gateway with metric 2.

Or maybe I could assign another NIC to the mail server, change all the rules on the firewalls, and then work with INTERFACE metrics, like in this example:

nic metric 2

nic metric 50  

I would like to know if there is any contraindication to using this method, or if there are alternatives.
Other info: the mail server is MDaemon.
Any help is appreciated!

If I use the configuration with two gateways and different metrics, my server will always use the one with the lowest metric ( as long as it finds it online. Unless I set some particular route, the server will not be able to use the secondary (; not even port 25 and the other common ports will listen on it. I did a test: I launched a continuous query on port 25 on and on, and during this test I turned off the firewall (; the server therefore stopped listening on it and began listening on the secondary firewall by metric. Are there scenarios where my server could start communication without using the when it is online?
test fw1 down
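A point worth checking in the record quoted above, independent of the routing question: the TXT record as written starts with `v=sfp1`. RFC 7208 only evaluates a TXT record whose first term is exactly `v=spf1` (case-insensitively) as SPF, so a receiver would treat that domain as having no SPF record at all and return result `none`, and the `~all` soft-fail would never apply. The checker below is an added example, not code from the question, the answer or MDaemon; it parses an SPF record's terms and rejects the wrong version tag, an `ip4:` mechanism with its address missing, or an address of the wrong family. The addresses in the sample records are constructed from the RFC 5737 documentation ranges, because the real ones are not on the page.

```python
"""Minimal SPF (RFC 7208) record syntax checker. Added example, not from the
question or answer; the addresses in the sample records are constructed from
the RFC 5737 documentation ranges because the real ones are not shown."""
import ipaddress

SPF_VERSION = "v=spf1"          # RFC 7208 section 4.5: exact, case-insensitive match
QUALIFIERS = "+-~?"
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}


def parse_spf(txt):
    """Return the record as a list of (qualifier, term, argument) tuples.

    Raises ValueError when the TXT string would not be evaluated as SPF at all
    (wrong version tag) or when a term is malformed. A receiver that finds no
    valid 'v=spf1' record returns result 'none', so the domain gets no SPF
    protection even though a TXT record exists.
    """
    terms = txt.split()
    if not terms or terms[0].lower() != SPF_VERSION:
        raise ValueError(f"not an SPF record: first term must be {SPF_VERSION!r}")
    parsed = []
    for term in terms[1:]:
        # modifiers use '=' (e.g. redirect=_spf.example.net); mechanisms use ':'
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, _, value = term.partition("=")
            if name.lower() not in MODIFIERS:
                raise ValueError(f"unknown modifier {name!r}")
            parsed.append(("+", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism {name!r}")
        if name in ("ip4", "ip6"):
            if not arg:
                raise ValueError(f"{name} needs an address, e.g. ip4:198.51.100.10")
            net = ipaddress.ip_network(arg, strict=False)   # raises on garbage
            if net.version != (4 if name == "ip4" else 6):
                raise ValueError(f"{name}: {arg} is not an IPv{name[-1]} address")
        elif name in ("include", "exists") and not arg:
            raise ValueError(f"{name} needs a domain")
        parsed.append((qualifier, name, arg))
    return parsed


def is_valid_spf(txt):
    """True when the record parses; False otherwise (the outcome a receiver reaches)."""
    try:
        parse_spf(txt)
        return True
    except ValueError:
        return False


# Constructed samples: the shape of the quoted record with its typo, then a corrected form.
TYPO_RECORD = "v=sfp1 a mx ip4:198.51.100.10 ip4:198.51.100.20 ~all"
GOOD_RECORD = "v=spf1 a mx ip4:198.51.100.10 ip4:198.51.100.20 ~all"

if __name__ == "__main__":
    for rec in (TYPO_RECORD, GOOD_RECORD):
        print(rec, "->", "valid SPF" if is_valid_spf(rec) else "NOT evaluated as SPF")
```

Run it against the domain's real TXT string (for example the output of `dig TXT yourdomain`) before relying on the record; a typo in the version tag is invisible in normal mail flow because nothing fails loudly, the receiver just stops checking.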


Hi, this configuration will not do what you suppose it would do :-(. Mainly, the DNS records would be for the domain (most probably you have this correct, but for the readers to have it visible correctly)…

zone MX 5 MX 15 TXT "v=sfp1 a mx ip4: ip4: ~all" A A

zone PTR PTR

From the DNS point of view it is correct, but the issue may be the routing on the server side. Based on the network settings you have posted, it does not behave internally as two independent network connections on the server side; all the time it is preferred to use / even in case the communication has been started using / (for any reason). In some cases it may work, but in other cases it will not (for example when the other side uses a Cisco ASA: at that moment it will not be recognized as related communication and it will be terminated).

To have it working, it would be better to utilize some HA options on the gateway side, e.g. virtual IP, standby gateway, … and on the DNS side to use one MX record. As it is “ending” on the same ISP router, it would not be an issue. The mail server would at that moment also have just one interface.

In case you would insist on two interfaces on the mail server, it may be possible, but you need to make sure that the response will follow the same gateway which was used to establish the connection. The easiest way would be sNAT on the gateway / firewall, but in the case of a mail server it is not a good idea, as you are losing track of the source IP (e.g. spam checks based on source IP), so some other (more complicated) approach would have to be selected.

Source: Link, Question Author: bind2lrz, Answer Author: Kamil J
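The routing point in the answer is easier to see with a model than in prose. The simulation below is an added example, not code from the question, the answer, MDaemon or WatchGuard; every address is constructed from the RFC 5737 documentation ranges, and the metrics 2 and 50 are the ones from the question. It models two stateful firewalls in front of one mail host and a host that picks its default gateway by lowest metric among the gateways still reachable. When a connection arrives through the metric-50 gateway while the metric-2 gateway is up, the host's SYN-ACK leaves through the preferred gateway, which holds no state for that flow and drops it (and, since each firewall NATs to its own public address, the far end would see the reply from a different IP even if it got through, which is the Cisco ASA case the answer mentions). The same scenario with the preferred gateway down, with ingress-aware (policy) routing, and with the sNAT workaround shows why the poster's test passed, what actually fixes it, and what sNAT costs in source-IP visibility.

```python
"""Models the failure mode described in the answer: a mail host with two default
gateways of different metrics sends replies through the preferred gateway even
when the connection arrived through the other one, and a stateful firewall that
never saw the connection drops those replies. Added example; all addresses are
constructed (RFC 5737 ranges), not the poster's real ones."""
from dataclasses import dataclass, field

REMOTE_MTA = "203.0.113.7"      # constructed: a sending mail server on the internet
REMOTE_PORT, SMTP_PORT = 40000, 25


@dataclass
class StatefulFirewall:
    name: str
    local_ip: str               # LAN address the mail host uses as its gateway
    metric: int                 # route metric configured on the mail host for this gateway
    up: bool = True
    snat: bool = False          # rewrite inbound source to local_ip (the sNAT workaround)
    # connection table: (remote_ip, remote_port, local_port) of inbound flows it forwarded
    conntrack: set = field(default_factory=set)

    def accept_inbound(self, remote_ip, remote_port, local_port):
        """Remote SYN hits the public IP; DNAT to the mail host and record state.
        Returns the source address the mail host will see, or None if down."""
        if not self.up:
            return None
        self.conntrack.add((remote_ip, remote_port, local_port))
        return self.local_ip if self.snat else remote_ip

    def forward_outbound(self, remote_ip, remote_port, local_port):
        """A reply only passes if this firewall holds state for the flow."""
        return self.up and (remote_ip, remote_port, local_port) in self.conntrack


def lowest_metric_gateway(gateways):
    """Host default-route selection: lowest metric among gateways still reachable."""
    live = [gw for gw in gateways if gw.up]
    return min(live, key=lambda gw: gw.metric) if live else None


def inbound_smtp(gateways, ingress, policy_routing=False):
    """One inbound SMTP connection arriving via `ingress`.
    Returns (reply_delivered, source_ip_seen_by_mail_host)."""
    seen_source = ingress.accept_inbound(REMOTE_MTA, REMOTE_PORT, SMTP_PORT)
    if seen_source is None:
        return False, None
    if ingress.snat or policy_routing:
        # sNAT: the reply is addressed to the firewall's LAN IP, so it goes straight back to it.
        # Policy routing: the reply is forced out the gateway the SYN came in on.
        egress = ingress
    else:
        # Plain metric routing: the preferred gateway wins regardless of where the SYN came from.
        egress = lowest_metric_gateway(gateways)
    if egress is None:
        return False, seen_source
    return egress.forward_outbound(REMOTE_MTA, REMOTE_PORT, SMTP_PORT), seen_source


def run_scenarios():
    """Each scenario builds fresh firewalls so connection state does not leak between runs."""
    def topology(fw1_up=True, snat=False):
        fw1 = StatefulFirewall("fw1", "10.0.0.1", metric=2, up=fw1_up)
        fw2 = StatefulFirewall("fw2", "10.0.0.2", metric=50, snat=snat)
        return [fw1, fw2]

    results = {}
    gws = topology()
    results["via_fw1_both_up"] = inbound_smtp(gws, gws[0])           # normal path: works
    gws = topology()
    results["via_fw2_both_up"] = inbound_smtp(gws, gws[1])           # sender used MX 15: reply leaks via fw1, dropped
    gws = topology(fw1_up=False)
    results["via_fw2_fw1_down"] = inbound_smtp(gws, gws[1])          # the poster's test: works only because fw1 is gone
    gws = topology()
    results["via_fw2_policy_routing"] = inbound_smtp(gws, gws[1], policy_routing=True)  # works, source IP kept
    gws = topology(snat=True)
    results["via_fw2_snat"] = inbound_smtp(gws, gws[1])              # works, but host sees fw2, not the sender
    return results


if __name__ == "__main__":
    for name, (delivered, source) in run_scenarios().items():
        print(f"{name:24s} delivered={delivered!s:5s} source_seen={source}")
```

The interesting row is `via_fw2_both_up`: it fails while everything is healthy, which is exactly the case the poster's failover test never exercised. The `via_fw2_snat` row shows the trade-off from the answer in one field: delivery works, but the mail host logs the firewall's LAN address as the sender, so source-IP reputation and blocklist checks on the mail server see the wrong address.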