Synchronization of MTA queue directories after a failover
During normal operation, email messages are in one of three states:
• being received or sent by the primary unit
• waiting to be delivered in the mail queue
• stored on the primary unit’s mail data directories (email quarantines, email archives, and email inboxes of server mode)
When normal operation of an active-passive HA group is interrupted and a failover occurs, sending and receiving is interrupted. The delivery attempt fails, and the sender usually retries to send the email message. However, stored messages remain in the primary unit’s mail data directories.
You usually should configure HA to synchronize the stored mail data to prevent loss of email messages, but you usually will not want to regularly synchronize the mail queue. This is because, to prevent loss of email messages in the failed primary unit, FortiMail units in active-passive HA use the following failover mechanism:
| If the failed primary unit effective HA operating mode is failed, a sequence similar to the following occurs automatically when the problem that caused the failure is corrected. |
1. The secondary unit detects the failure of the primary unit, and becomes the new primary unit.
2. The former primary unit restarts, detects the new primary unit, and becomes a secondary unit.
| You may have to manually restart the failed primary unit. |
3. The former primary unit pushes its mail queue to the new primary unit.
This synchronization occurs through the heartbeat link between the primary and secondary units, and prevents duplicate email messages from forming in the primary unit’s mail queue.
4. The new primary unit delivers email in its mail queues, including email messages synchronized from the new secondary unit.
As a result, as long as the failed primary unit can restart, no email is lost from the mail queue.
Even if you choose to synchronize the mail queue, because its contents change very rapidly and synchronization is periodic, there is a chance that some email in these directories will not be synchronized at the exact moment a failover occurs.