MailStore Gateway Redundancy - Failover
Overview of the options and risks
MailStore Gateway does not offer any high availability capabilities, but there are a few options to provide redundancy depending on your requirements and technical abilities.
These are unsupported, please do not contact MailStore Support with problems related to these configurations.
Consider whether you need redundancy at all. A short-term outage of a gateway is not an emergency and will not cause message loss. Journal reports are e-mails like any other, and the sending server will queue them for re-delivery for a period of time.
These are the currently available options:
Failover (this article)
- Quick, easy to understand.
- Requires manual intervention to switch between servers.
- Involves short downtimes to switch between servers.
Failover, with recovery
- Requires manual intervention to switch between servers.
- Does not require any downtime to switch between servers.
- More technical, requires an understanding of DNS.
Active-Active
- The most complex configuration, and should only be used by experienced administrators.
- Highest risk of message loss due to configuration errors.
- No downtime involved as both servers are running at all times.
- Requires additional configuration within each MailStore instance.
This article assumes a basic understanding of how to use MailStore Gateway, networking, DNS, and Microsoft 365 (or your e-mail platform).
Configuration
- Configure MailStore Gateway using a single hostname for all clients.
  If your company's domain is mailarchiveco.example then your gateway could be msgw.mailarchiveco.example. If you have multiple MailStore instances then each would have a separate mailbox, e.g. mbx-123...@mailarchiveco.example and mbx-456...@mailarchiveco.example.
- Back up the configuration.
  Once the primary server is configured, take a backup of your MailStore Gateway configuration as described in the Backup and Restore article in the documentation.
- Keep the configuration backup up to date.
  Be sure to update the configuration backup whenever you make any configuration changes to the gateway. This applies to new mailboxes as well as password changes.
Warning: MailStore Gateway stores all messages encrypted at rest and relies on the mailbox password to decrypt them. If either server has messages in its mailbox when you change the password, you will likely lose those messages. I would recommend never changing the password of the gateway mailbox.
- Optionally, have MailStore Gateway installed and ready on the secondary server as well; just be sure to upgrade both servers to matching versions of MailStore Gateway.
- I would recommend not keeping the service running on the secondary server; failovers should be done intentionally.
  Technically you can fail over automatically (for example, with a monitoring system updating a DNS record or NAT rule), but a human must review the mailbox status on both servers to ensure that no messages were left behind.
- Let's Encrypt will only work on one server at a time and will fail on the other server.
Failover process
In the event you have a failure that you cannot resolve within 24 hours:
- Either switch the DNS A record or update your NAT firewall rules to redirect traffic to the secondary server.
- Start MailStore Gateway on the secondary server.
- Verify the certificate is valid and properly configured.
  If you use Let's Encrypt then the certificate may be out of date, as the secondary server will not have been able to renew it while inactive. The gateway should update the certificate on start-up, but you can also renew it manually on the secondary server.
Switching back to the primary server
Once the primary server is back up and running, you can switch back to it by reversing the DNS A record or NAT firewall rules, then review the mailbox status on both servers.
- Switch the DNS A record or NAT firewall rule back to the primary server.
  Remember to consider DNS TTLs: if you have a 24-hour TTL then you will have to wait 24 hours before the change takes effect globally.
- Stop the service on the secondary MailStore Gateway.
  It is important to stop the service to prevent the secondary MailStore Gateway from receiving further messages; otherwise you may have to repeat the process.
- Move the mailbox directories containing the messages from the secondary server to the primary server. The mailbox directories will already exist on the primary; you are just adding the files from one into the other.
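As an added example that is not part of this article or of MailStore's own tooling, a small POSIX shell helper for that last step: it merges the secondary's mailbox files into the primary's existing directories without overwriting anything, and counts what is still left behind on the server you are leaving. The mailbox root paths are assumptions to be replaced with your gateway's actual storage locations, and it assumes the secondary's mailbox tree has already been copied to the primary host (e.g. with rsync or scp) and that the secondary's service is stopped.

```shell
#!/bin/sh
# Added example (not MailStore's code): merge message files left on the
# secondary gateway into the primary's mailbox directories.
# Paths are placeholders; the real mailbox locations depend on your install.

# Pass 1 refuses to proceed if any file already exists on the primary with
# different content, so nothing is silently overwritten. Pass 2 moves the
# files and drops exact duplicates. Prints the number of files moved.
merge_mailboxes() {
  src="$1"; dst="$2"; moved=0
  old_ifs=$IFS; IFS='
'
  for f in $(find "$src" -type f); do
    rel="${f#"$src"/}"; target="$dst/$rel"
    if [ -e "$target" ] && ! cmp -s "$f" "$target"; then
      echo "conflict: $rel exists on primary with different content" >&2
      IFS=$old_ifs; return 1
    fi
  done
  for f in $(find "$src" -type f); do
    rel="${f#"$src"/}"; target="$dst/$rel"
    if [ -e "$target" ]; then
      rm -f "$f"            # identical copy already present on the primary
      continue
    fi
    mkdir -p "$(dirname "$target")"
    mv "$f" "$target" && moved=$((moved + 1))
  done
  IFS=$old_ifs
  echo "$moved"
}

# Number of message files still under a mailbox root. Check this on the
# server you are leaving; it must be 0 before the switch is complete.
leftover_count() {
  find "$1" -type f | wc -l | tr -d ' '
}

# Usage (placeholder paths):
#   merge_mailboxes /copy/of/secondary/mailboxes /opt/gateway/mailboxes
#   leftover_count  /copy/of/secondary/mailboxes
```

On a conflict the function moves nothing, so you can inspect the differing file by hand before retrying.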
Failover testing
You can test a failover at any time, or switch permanently to the secondary server if desired; just be sure not to leave any messages behind on the non-active server.