Archive for March, 2008

3G Broadband Failover and Email

March 26, 2008

Almost all of our clients take the view that their broadband connection is critical to their business. In particular they are focused on the importance of email. Only a few, however, are willing to make the investment in a leased line. So, using ADSL or, occasionally, SDSL, they don’t get any sort of SLA on their Internet connection.

All of our clients use MS SBS 2K3 as their mail server. As much as possible we encourage our clients to use the best available ISP – in our opinion Zen Internet. By using an external mail spooling service we can cover the inevitable occasional broadband outages with email delivered to the server once the connection is restored.

But, now that we can add a 3G USB dongle to the Draytek routers we use (currently the Vigor 2800), it should be possible to keep inbound and outbound mail flowing when the connection goes down. Well, this is where it gets interesting. The 3G failover works very well with the Draytek, with a new connection coming up more or less immediately when the broadband line falls over. But, of course, we now have a new IP address, and a dynamic one at that.

Theoretically outbound email should still work fine – but it doesn’t. If we are using an unauthenticated ISP SMTP relay, we are now connecting from an IP address that the relay will not accept. Alternatively, if we are routing outbound email ourselves using DNS, we will start getting blocked as spam, as our reverse DNS PTR record will no longer match, and some ISPs will reject us out of hand for sending from a dynamic IP.
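The rejection described above can be reproduced with the checks a receiving mail server commonly runs against a connecting IP. This is an added example, not from the original post; the addresses come from documentation ranges, the host names are hypothetical, and the DNS answers are constructed inline so that it runs offline.

```python
import socket

def system_ptr(ip):
    """Live PTR lookup; returns None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(name):
    """Live forward lookup; returns the set of IPv4 addresses for a name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def check_sender(ip, helo, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return the reasons a receiving MTA might distrust this connection."""
    problems = []
    ptr = ptr_lookup(ip)
    if ptr is None:
        return ["no PTR record for " + ip]
    ptr = ptr.rstrip(".").lower()
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if ip not in a_lookup(ptr):
        problems.append("PTR %s does not resolve back to %s" % (ptr, ip))
    # The name the server announces in HELO should be the name the PTR gives.
    if ptr != helo.rstrip(".").lower():
        problems.append("HELO %s does not match PTR %s" % (helo, ptr))
    return problems

# Constructed sample DNS data (documentation ranges, hypothetical names).
PTR = {"192.0.2.10": "mail.example.co.uk.",             # usual static ADSL IP
       "198.51.100.77": "pool-77.mobile.example.net."}  # 3G provider egress IP
A = {"mail.example.co.uk": {"192.0.2.10"},
     "pool-77.mobile.example.net": {"198.51.100.77"}}

def sample_check(ip, helo="mail.example.co.uk"):
    """Run check_sender against the constructed records above."""
    return check_sender(ip, helo, PTR.get, lambda name: A.get(name, set()))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, sample_check(ip) or "ok")
```

Calling `check_sender(ip, helo)` without the last two arguments performs live lookups, which is useful for testing the real failover address before relying on it.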

So the solution to maintaining continuity of outbound email is to use an authenticated SMTP relay, either provided by the ISP or by a third party such as AuthSMTP. This, of course, should be set up from the start and, if using a third party relay, will involve the client in extra expense.

So much for outbound email. But what about inbound? Initially we thought we could set up a CNAME record for the MX at DynDNS. (By the way – DynDNS also seem to offer a pretty good authenticated SMTP relay.) Using DynDNS with an appropriate CNAME it should be straightforward to switch IP addresses – and it is. But some investigation then revealed that the dynamic IP address allocated to the 3G connection is not a fully routable address. It is in fact a NAT’d address behind the mobile provider’s firewall. And, alas, it can’t be used to route email directly to the server.

As mentioned above, we have often used an external mail spooling service (usually from the excellent hosting company Hosting UK). While this covers us in the sense of making sure that mail is not lost while a different IP address is in use, it doesn’t address the actual problem of maintaining inbound email while the broadband connection is down.

So the final piece in the jigsaw is to set up our own POP3 server using GFI Mail Essentials. The secondary MX is then pointed to this server and the tertiary, as an absolute final failover, points to the mail spool service. The SBS POP3 connector is permanently set to pull from the POP3 server every fifteen minutes and distribute to user mailboxes. Obviously, the POP3 connector will only ever find anything if the broadband connection.

So, there is a fully comprehensive solution to the problem of maintaining inbound and outbound mail flow during a broadband outage. The main downside appears to be the need to maintain identical mail addresses on the Mail Essentials server as on the SBS server. I haven’t investigated yet, but it may be possible to set up catch-all addresses on the external POP3 servers. This would make maintenance that bit easier.

As you can see this solution remains a work in progress. We haven’t fully worked out pricing on this and I would welcome feedback on better ways of achieving the same thing or additional services such as virus scanning and archiving that could be tagged on.


Sage, SBS 2K3 and AVAST

March 9, 2008

Anyone supporting the above combination will know that Sage can run like a dog in this situation. Here’s a tip I came across in the recent edition of the Avosec Partner newsletter.

At the following registry location on the server



(NB all of the above should be on one line)

Key EnableOplocks – value should be set to True (1)

Installation of AVAST server sets it to False

“Another thing to increase workstation to server communication especially when accessing a database is to add the following exclusion to the Standard Shield [\\*] adding the \\* turns off network drive scanning on both the client and server and stops both workstation and server scanning the files when accessed. This doesn’t affect protection at all”