Seconding what David said.
And the beauty here is that this doesn't break anything and doesn't
expose you to risk.
On 01/23/17 09:20, David Boyes wrote:
I don't understand, do you mean
add another MX and A record at
the company site domain server,
In yours. The root problem is actually a good thing - modern mail systems
require that the sending domain name actually resolve to something to prevent
spammers. Otherwise, the SMTP protocol allows you to put literally anything in
the MAIL FROM: part of the transaction. It's possible to turn this feature off
by changing the source (it's one of the things in the 'dontblamesendmail'
options) but it is a Very Bad Idea.
Of all the methods employed to fight spam, some good, some not so good,
some really counter-productive, this one is great! And it's easy (for
legitimate senders), downright trivial.
As long as the receiving system can resolve whatever the sending system says to
*something*, you're good. Thus, an entry in your DNS like this:
Hmc1 in a 192.168.0.1
In mx your.mx.server
will fix it. You don't have to actually be able to connect to it; the name just
has to resolve.
I like to repeat the entry name, but otherwise David's example is
perfect except for auto-mis-correct.
hmcl in A 192.168.0.1
hmcl in MX 10 your.mx.server.yourdomain.
hmcl in MX 20 alt.mx.server.yourdomain.
Numeric priority is the norm, especially if you have multiple mail
exchangers.
Optional dot at the end tells resolvers to stop there (and not tack-on
foreign local domains which would stop the search next iteration, you
hope).
(In case you care, the error message you posted has only one cause. In the last
few years, almost all mail systems have required the sending system to be in
DNS to prevent spammers on the theory that it's generally harder to spam if you
have to take the step of registering in DNS before you start sending out mail.
The NXDOMAIN message is telling you that the receiving system cannot find the
sending system in DNS (non-existent domain) so it's bailing.)
There are other tricks you can try, like SPF records.
I'm also (nominally) a fan of zone signing, but it's not always
practical. And zone signing would not help this. (And there are storms
brewing in PKI space.)
In general, make a practice of putting everything that gets an IP address into
DNS, even if you're using DHCP. It's been 35+ years since DNS was invented;
it's time.
And it's easy!
DNS is just /not rocket surgery/.
If you're using one of the fancier tools like QIP to handle your DNS, it
may seem complicated. But it's not.
I recommend people have one or more sub-domains not managed by a formal
tool. It's just too easy, and frequently really helpful, to have a zone
or two served by plain ole BIND <https://en.wikipedia.org/wiki/BIND>
flat files. You don't need a database.
-- R; <><
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
