Simple Backup Mail Server with OpenSMTPd

Receive emails even when your server is offline.

If you run your own email server, you know it’s Not Good if it goes offline. Fortunately, it’s easy to set up a backup server. This quick tutorial shows you how to add a second mail server using a cheap Debian VPS of your choice. If your main email server is offline, emails sent to you will be received by the backup server and safely stored until your main server is back up and running.

I assume you already have a VPS or some sort of server ready to go. This tutorial assumes Debian 12, but it should work on pretty much anything.

1. DNS

Assign a subdomain A record for your backup mail server, something like mail2.example.com. While you’re in there, make an MX record for it (like your main email server has), but set the priority to a larger number than your main server (for example, if your main server is 10, use 20). This will cause email senders to use it only if your main server is unreachable. It’s a good idea to set a reverse DNS, a.k.a. PTR record for your backup email server. Some VPS providers do this automatically when you rename your VPS.

2. OpenSMTPd

OpenSMTPd is a really simple and lightweight email server. Install it with apt install opensmtpd. It will ask you some questions. Put the newly-assigned subdomain record in when it asks.

3. Certificates

Generate some certificates:

mkdir -p /etc/smtpd
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out /etc/smtpd/tls.key
openssl req -key /etc/smtpd/tls.key -x509 -new -days 99999 -out /etc/smtpd/tls.crt

4. Configure OpenSMTPd

Open /etc/smtpd.conf in a text editor like nano, comment out everything, and replace it with this, except replace mail2.example.com with your backup server’s name, replace mail.example.com with the address of your main email server, and replace eth0 with your server’s public network interface.

queue ttl 30d
filter spamhaus proc-exec "/opt/opensmtpd_filters/spamhaus.py mail2.example.com"
pki mail2.example.com cert "/etc/smtpd/tls.crt"
pki mail2.example.com key "/etc/smtpd/tls.key"
listen on eth0 filter spamhaus
action backuprelay relay host smtp://mail.example.com
match for any from any action backuprelay

This configuration will keep emails queued for up to 30 days before discarding them, which means as long as your main server is offline for less than that, all emails sent to you while it’s down should be delivered when it comes back online.

5. Configure IP filtering

This is useful because email spammers will likely confuse this backup server for an open relay, and try to use it for sending spam. Adding a filter will block most of these annoying emails, which saves your main email server from having to reject them after they’re relayed to it. Basically, copy the contents of src/opensmtpd_filters from this Git repo into /opt/opensmtpd_filters, get a free Spamhaus key from here, and put the key into /opt/opensmtpd_filters/spamhauslib.py where you see spamhaus_dqs_key = "".

6. Test it out

Run systemctl restart opensmtpd to reload your configuration, journalctl -u opensmtpd --follow to see what happens, then shut down your main email server and have someone else send you an email. You should see the backup server log an incoming email and a failure to connect to your main server. Now turn your main email server back on, and within a few minutes the backup server will have noticed your server is online and sent the queued email to it.

You’re done!

You now have a safety net for your self-hosted email server. It’ll prevent incoming emails from being bounced back to the sender when your email server is down.