Don't configure any zones but allow recursion.

John T
eServices For You

"Seek, and ye shall find!"

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of IMail Admin
> Sent: Saturday, April 01, 2006 9:45 AM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
>
> That's what I was thinking. How do you configure the cache-only?
>
> Thanks,
>
> Ben
>
> ----- Original Message -----
> From: "John T (Lists)" <[EMAIL PROTECTED]>
> To: <Declude.JunkMail@declude.com>
> Sent: Saturday, April 01, 2006 1:59 AM
> Subject: RE: [Declude.JunkMail] recursion turned off causes higher JM scores?
>
>
> What I do is install the MS DNS service on the Imail server, configure it
> for cache only allowing recursion, and point Imail and Declude to that. Make
> sure your firewall is configured to not allow the world to make DNS queries
> against it and you are set.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of IMail Admin
> > Sent: Saturday, April 01, 2006 12:20 AM
> > To: Declude.JunkMail@declude.com
> > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
> >
> > Hi Sandy,
> >
> > OK, I've got recursion back on, so now I get email again. I hate to think
> > how many complaints I'm going to have in the morning. Fortunately, most of
> > our clients aren't as aggressive as I am in deleting spam based on rating.
> >
> > I understand what you're saying, and I thank you for the explanation. I'm
> > not real anxious to get into SimpleDNS (and I've read enough complaints
> > about BIND to be cautious) first, because of cost, and, second, because it's
> > one more complication. However, I was thinking about something else I read
> > here.
> >
> > There was some discussion about running a cache-only DNS server for
> > IMail/Declude. I didn't read most of the thread, and I never saw how to
> > make the DNS serve cache only, but I was thinking that if I had a cache-only
> > server that is only available to the mail server, then I can leave on
> > recursion for it and it won't matter because it wouldn't be available to the
> > public. The public DNS servers I can then turn off their recursion feature.
> > What do you think?
> >
> > Thanks again,
> >
> > Ben
> >
> > ----- Original Message -----
> > From: "Sanford Whiteman" <[EMAIL PROTECTED]>
> > To: "IMail Admin" <Declude.JunkMail@declude.com>
> > Sent: Saturday, April 01, 2006 12:06 AM
> > Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
> >
> >
> > >> That's when the JM scores got so high. I'm testing a different
> > >> config now: allow recursion on the Forwarders tab, but disable it on
> > >> the Advanced tab. I won't know if this works until I get some
> > >> messages. In the meanwhile, can anyone explain this to me?
> > >
> > > You _must_ allow recursion for the Declude server, or it will not be
> > > able to resolve zones for which it is not authoritative (i.e. every
> > > domain you do not own).
> > >
> > > You do not need to allow recursion for the wild Internet, however.
> > >
> > > But MS DNS has a weakness (not a security weakness exactly, but more
> > > of a functional one) in that recursion is either on or off, globally,
> > > for the DNS service. This means that if you are hosting authoritative
> > > zones on the box, and thus need to expose the box to the outside
> > > world, and that same box is providing recursive DNS to internal
> > > servers or users, then you are effectively providing recursive DNS to
> > > the outside world as well (if someone should choose to abuse you for
> > > this purpose).
> > >
> > > The way around this is to use SimpleDNS or BIND on the server you
> > > expose to the outside, which both have means of limiting recursion
> > > without completely disabling it. The simplest install, to my mind,
> > > without a full migration off MS DNS (a full migration causing soluble,
> > > but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on
> > > the same box by binding each one to a different IP. Expose SimpleDNS
> > > without recursion and make it a secondary for the authoritative zones.
> > > Keep MS DNS as your primary and as your internal recursive DNS. Done.
> > >
> > > --Sandy
> > >
> > >
> > > ------------------------------------
> > > Sanford Whiteman, Chief Technologist
> > > Broadleaf Systems, a division of
> > > Cypress Integrated Systems, Inc.
> > > e-mail: [EMAIL PROTECTED]
> > >
> > > SpamAssassin plugs into Declude!
> > >
> > > http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
> > >
> > > Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
> > > Aliases!
> > >
> > > http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
> > >
> > > http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
> > >
> > > ---
> > > This E-mail came from the Declude.JunkMail mailing list. To
> > > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> > > type "unsubscribe Declude.JunkMail". The archives can be found
> > > at http://www.mail-archive.com.