Synology MailPlus - testing a failover mail cluster on NAS

E-mail is by far the most hack-resistant means of communication, more reliable than `` no one knows how to earn free messengers", and you can set up your own mail server in your office.

Your mail server is:

  • Your antivirus
  • Your antispam
  • Your privacy
  • Your protection and resiliency
  • Your web interface is ad-free
  • (in a whisper): It's your freedom to write whatever you want, without fear that in two days from all pages of the Internet sites you will be advertised what you corresponded with friends.

Typically, a company sysadmin sets up a mail server, an account database, a separate POP/IMAP server, and a certificate renewal system. This whole mail bunch needs to be updated, because vulnerabilities in OpenSource are such that sometimes they can kill the entire server.

Testbed configuration:

NAS:

  • Intel X550-T2
  • 3 x HDD 4 x SSD Kingston DC500 1.92 Tb

OS:

  • Windows Server 2016

On the other hand, you already have Synology with its closed operating system and the same closed packages. For corporate use, the company offers the MailPlus Server mail server with a modern MailPlus Web client and the ability to work in a failover cluster. The entire installation is reduced to one mouse click, and the configuration is done via the NAS web interface without the command line and editing configs. And before I hit the MailPlus install button, let's set a task: I need a personal secure mail with a modern interface and mobile access. And if some robot reads your letters, then this is my robot, and if there are encryption keys somewhere, then they are on my server, not the hacker.

In order for our mail to withstand the failure of one server, let's take two NAS. These are completely different models in relation to each other, in which only the manufacturer's logo and the operating system Synology DSM are in common.

FlashStation FS1018 :

  • Desktop All-Flash-Array
  • Intel Pentium D1508 Starter Server Processor (2C/4T, 2.2-2.6 GHz, 3Mb L3, Broadwell)
  • 8GB DDR4 2400 ECC Server Memory (expandable to 32GB)
  • 12 compartments for 2.5" 7.5mm SATA SSD (expandable to 36 bays with disk enclosures)

In general, before Synology, no one produced desktop All-Flash arrays, and even FlashStation FS1018 was a kind of experiment for the company. Well, judge for yourself: the 12-disk, powerful desktop NAS comes with only 4 1-gigabit network ports in the basic configuration, and to use the device at full capacity, you have to install a network card such as Intel X550-T2 But with a Pentium D processor.

RackStation RS1619xs +

  • 1U Rack Server
  • Server SoC for storage, Intel Xeon D-1527 (4C/8T, 2.2-2.7 GHz, 6Mb L3, Broadwell)
  • 8GB DDR4 2400 ECC Server Memory (expandable to 64GB)
  • 4 bays for 3.5" SATA HDD/SSD (expandable to 16 bays using disk shelves)

The exact opposite of the first is the RackStation RS1619xs +. A sufficiently powerful SoC of the Xeon D family is already installed here, on which you can raise a security gateway, and some kind of database, and caching applications on your network, but this processing power is accompanied by only 4 hard drive bays without slots for SSD. The server has 1 expansion slot, which can be occupied by either a 10-Gigabit network card or a board for a pair of M.2 drives for SSD cache (how does Read our article for SSD cache in Synology).

Configuring a failover cluster

Installing a mail server on Synology is a click of a button in the Package Center interface and the MailPlus Server itself (includes SMTP and POP3/IMAP servers) and the MailPlus web mail reader will be installed on the system. Since we are going to set up a failover configuration, we need to bind accounts from the domain to the server. For the demonstration, we will use an authentication server on one of the NAS, but for full cluster failover, you need to use not the built-in LDAP server installed via Synology packages, but some third-party solution with replication that can be deployed in a virtual machine on the same NAS with Virtual Machine Manager.

There is no need to explain why all this is being done: we have two SMTP servers that must take data about their users from somewhere, and LDAP in this case is the best solution, although you can also use a Windows domain. In a fault-tolerant configuration, there will always be one master server with full functionality and one slave, on which, for example, you cannot read mail via the Web interface or change the cluster settings. Let's see what kind of settings we're talking about.

The main thing in MailPlus Server is not to get confused in domains, because you can have mail domains and subdomains like:

  • hwp.media
  • mail.hwp.media
  • smtp.hwp.media

Do not forget to register MX records for each of these mail domains in the DNS settings. But you can also have an LDAP domain of the form local.hwp.test, and the user [email protected] can have mail of the form [email protected], and the mail server can be mail.hwp.ru or any other. But, for each user, you can easily import mail from another server, for example, from mail.ru or Gmail. IMAP/POP3 protocols are supported to connect mail clients (thunderbird, windows mail or some kind of CRM).

Technically, MailPlus Server can work through an external gateway, or act as a gateway itself, if, for example, your provider has closed the 25th port, and you are forced to rent a VPS to broadcast mail through the hoster's channel.

Anti-spam and security

Of course, in modern realities, just sending mail is a penny, and spam protection is a ruble, so we are very interested in what methods the Synology Mail Plus server offers. Let's start by checking our own IP address in the DNSBL blacklists. Your address can be listed as spam for years, and until you write a complaint to the blacklist support service, no one will delete it or grant amnesty. Synology checks your IP address against 55 databases of spam lists (I bet you didn't know there were so many). These things need to be monitored because no one knows which spam list your counterparty's server trusts. For example, six months ago I started cleaning our IP from spam lists and lived happily, but the mail system said that HWP is listed as a spammer in two databases.

Secondly, you need to set up your own spam lists: there are not so many of them here. Usually, one or two DNSBL providers are enough for comfortable work. By the way, have you ever wondered why they are called DNSBL? The exchange of lists of spam IP addresses is carried out using the UDP protocol (this is faster). Lists are stored and cached by DNS servers, including local ones. When the mail server makes a reverse request to the blacklist provider, it can be answered by its own DNS server, which takes literally a couple of milliseconds. The server returns a response like 127.x.y.z, where

  • z - spam rate estimate,
  • y - type of spam (mail/hackers/viruses),
  • x - takes on values ​​not equal to 0, if some error occurred.

DNSBL services work so fast that sometimes a check is put on websites for each visitor, and you don't even notice it: nothing slows down, so it's better to keep it enabled in the mail service.

There is a built-in antivirus feature that supports two engines: free ClamAV and commercial McAfee. There is also support for a list of safe links in posts, Google SafeBrowsing . There is support for third-party databases, but without any settings.

There are three mechanisms for using resource records for sender authentication:
  • SPF - through a special record in the DNS server of the sender's domain. For information on how to configure SPF on hosting
  • DKIM is a technology for transferring encryption keys through DNS with signature verification on the recipient's side.
  • DMARC - identification of the sender's mail domain based on the characteristics specified on the addressee's server side.

SPF + DKIM can be used to provide sufficient protection against phishing messages.

Content filtering allows you to reject not only attached files with certain permissions, but also HTML iFrame tags, calling scripts and forms, and you can select the function of changing the specified tags so that they no longer work, but at the same time you receive a letter no unwanted content.

And of course, you can manually define the rules for filtering text content. The simplest use case is to prevent credit card numbers from being sent by mail or to prevent mail from being delivered from certain addresses and domains.

How do you usually back up your mail server? Well, you probably save the configuration files separately and separately - the user's mail, if it is stored in the form of files, or in the database. In Synology NAS, you just need to select the backup of the MailPlus Server application - and not worry about what is saved and how: in the event of any disaster, the server will be restored in its entirety with all the settings and user emails. And since Synology is actively developing its Active Backup for Business package I really hope that all backup functions will be consolidated into a single application with a single control panel.

MailPlus Interface

If in your company it is not customary to install third-party software on computers, you can use the Web-based interface to access mail, MailPlus, access to which can be configured for a group or user separately. We recommend that you immediately change the wallpaper in the interface settings - this will revive the rather pragmatic appearance of the Web shell ..

There are standard email client functions for color labels and other functions that are not particularly interesting from my point of view, but what's really cool is that Synology is already building its so-called `` ecosystem", where in one window Web browser, your employees use all services. In addition to mail, it is also a corporate chat and a calendar. Remember, at the very beginning of the article, I mentioned free, it is not known how earning instant messengers? So, if privacy is really important to you, use Synology's web chat, which runs on your server, with your administration and does not leak personal data.

Of course, Synology has mobile mail and chat clients that can run through your NAS's public domain or through your QuickConnect account.

Testing

During normal cluster operation, the primary and secondary servers synchronize the user's mailboxes and calendars in real time. At the same time, since both devices work with the same IP address, turning off either NAS does not affect the mail system in any way. When the work of the second device in the cluster is restored, it takes some time during which the data between the NAS is synchronized.

In addition to fault tolerance, mail cluster has a useful load balancing feature between servers. Let's run some tests to show us load balancing and overall cluster performance. We will use a test bench with the following configuration, and the postal mail server as a load:

/usr/sbin/postal -M 25 -m 256 -t 32 -c 3
Testbed layout

In general, a 10-gigabit network was not needed for such experiments: the total network performance rarely exceeded 400 Mbps.

As you can see, security filters affect the performance of the mail cluster the most, and of course, the RackStation RS1619xs + pulls out the performance of the entire cluster due to its more powerful processor. But without filtering, when the role of the CPU is not so important, we already start to run into the synchronization between the two machines and the speed of the disk system, so in this mode one FlashStation FS1018 works faster.

In our tests, we used 1.92 terabyte SSD Kingston DC500M series, where the DC name is guessed at Data Center. These drives have built-in power outage protection (PLP), which ensures that the contents of the drive's cache will be written to the NAND memory cells even if the server is suddenly shut down.

Тест Kingston DC500M

Kingston emphasizes that the DC500M SSDs have QoS support, which allows them to be used with diverse workloads, for example, where volumes for databases, backups and virtual machines are located on the same drive pool. One drive in the test shows 83 thousand read operations and 61 thousand write operations per second, which is really cool for a SATA device, but really these SSDs will open up in something like FS3017 (read our review of Synology FlashStation FS3017 ), which runs all your company's services, including virtual machines set up a failover cluster on Synology ), containers, fault-tolerant video surveillance and a large backup of everything that is available, including desktop PCs, servers and virtual machines (read" Big test of Synology Active Backup for business - recovering from backup in 11 seconds! ).

Issue price and conclusions

There is also an unpleasant side of the question: Synology believes that you have to pay for a fault-tolerant mail server, so the basic package includes a license for only 5 users. Synology offers its customers to purchase licenses for 5 and 20 perpetual accounts. The default cluster has 10 account licenses activated, and additional licenses are applied to the entire cluster.

If that doesn't stop you, then overall MailPlus Server is the case when setting up a mail server is as easy as anything we used to associate with Synology. No special knowledge or experience with mail servers is required: everything is intuitive, including a graphical interface for monitoring activity and reflected threats. Step by step, Synology is migrating your services from a third-party cloud to on-premises, adding ease of administration and resiliency to the process. It also came to corporate mail.

Michael Degtjarev (aka LIKE OFF)


Read also: