Re: mail server DNS configuration questions
Andrew Falanga wrote:
> ...
> While diagnosing this, I connect to the server (using Putty) from a machine in PN1; using either a mail client or telnet, I'm unable to make a connection to the mail server over port 25. Using tcpdump during this putty session I do not even see the SYN packets for the start of the connection from the machines in PN1. This is only when connecting to port 25. Obviously, I can connect to the server because I'm using ...

Are you sure CableOne does not filter outgoing port 25 connection attempts to any servers save its own relay? My ISP (a big-name DSL provider; grep the headers if curious) does not perform incoming port filtering, but rather aggressively filters outbound TCP port 25 and (for reasons unexplained) as well.

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
[EMAIL PROTECTED]
Furry Peace! - http://.fur.com/peace/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: mail server DNS configuration questions
Patrick Mahan wrote:
> Andrew Falanga presented these words - circa 9/6/08 6:28 PM-
>> Hi,
>>
>> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>>
>>     192.168.2.x/24        72.24.23.252        lots of networks
>>     Private Network  --    CableOne    --       Internet
>>
>> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:
>>
>> (from my FBSD machine at home, not the server)
>>
>>     [/usr/home/andy] - dig +short -t MX whitneybaptist.org
>>     10 mail.whitneybaptist.org.
>>     [/usr/home/andy] - dig +short -t A whitneybaptist.org
>>     72.24.34.252
>>     [/usr/home/andy] - dig +short -x 72.24.34.252
>>     34-252.72-24-cpe.cableone.net.
>>
>> (from the church FBSD machine)
>>
>>     [/home/afalanga] - hostname
>>     whitbap
>>     [/home/afalanga] - ifconfig fxp0
>>     fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>             options=8<VLAN_MTU>
>>             inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
>>             ether 00:d0:b7:74:87:48
>>             media: Ethernet autoselect (100baseTX <full-duplex>)
>>             status: active
>>     [/home/afalanga] - cat /etc/resolv.conf
>>     search McCutchanLAN
>>     nameserver 192.168.2.1
>>
>> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.
>
> First, what are you trying to accomplish with the internal DNS? Make it easier to resolve machines in the 192.168.2.0 network? Allow lookups external of the 192.168.2.0 network?
>
> What machine is 'mail.whitneybaptist.com'? Is it on the 192.168.2.0 network? Is it reachable from the Internet?
>
> Who is the owner of whitneybaptist.org DNS zone? I show the following NS servers:
>
>     [EMAIL PROTECTED]/src/MPS/DocDownload 140 dig +short -t NS whitneybaptist.org
>     ns1.domaindirect.com.
>     ns2.domaindirect.com.
>     ns3.domaindirect.com.
>
> Which is administered by tucows.com (Tucows, Inc), a seller of DNS services.
>
>> So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?
>
> You can read the RFC's if you want, but you would be better served to purchase DNS and BIND, Fourth Edition, by Paul Albitz & Cricket Liu to learn how to administer DNS.
>
> Patrick

It's been quite some time since I last looked at that book. It was at edition 3 then, and owned by the company I worked for so I didn't get to keep it. I'll have to look into it.

Andy
Re: mail server DNS configuration questions
George Davidovich wrote:
> On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
>> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>>
>>     192.168.2.x/24        72.24.23.252        lots of networks
>>     Private Network  --    CableOne    --       Internet
>>
>> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:
>>
>> (from my FBSD machine at home, not the server)
>>
>>     [/usr/home/andy] - dig +short -t MX whitneybaptist.org
>>     10 mail.whitneybaptist.org.
>>     [/usr/home/andy] - dig +short -t A whitneybaptist.org
>>     72.24.34.252
>>     [/usr/home/andy] - dig +short -x 72.24.34.252
>>     34-252.72-24-cpe.cableone.net.
>>
>> (from the church FBSD machine)
>>
>>     [/home/afalanga] - hostname
>>     whitbap
>>     [/home/afalanga] - ifconfig fxp0
>>     fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>             options=8<VLAN_MTU>
>>             inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
>>             ether 00:d0:b7:74:87:48
>>             media: Ethernet autoselect (100baseTX <full-duplex>)
>>             status: active
>>     [/home/afalanga] - cat /etc/resolv.conf
>>     search McCutchanLAN
>>     nameserver 192.168.2.1
>>
>> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.
>>
>> So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?
>
> Hello again, Andy.
>
> What you're asking is actually a FAQ, but I'll spell things out anyway. The following excerpt from RFC 1918 is most relevant:
>
>     If an enterprise uses the private address space, or a mix of private and public address spaces, then DNS clients outside of the enterprise should not see addresses in the private address space used by the enterprise, since these addresses would be ambiguous. One way to ensure this is to run two authority servers for each DNS zone containing both publically and privately addressed hosts. One server would be visible from the public address space and would contain only the subset of the enterprise's addresses which were reachable using public addresses. The other server would be reachable only from the private network and would contain the full set of data, including the private addresses and whatever public addresses are reachable the private network. In order to ensure consistency, both servers should be configured from the same data of which the publically visible zone only contains a filtered version. There is certain degree of additional complexity associated with providing these capabilities.
>
> That's a roundabout way of saying you can't mix and match private non-routable addresses with public addresses in the same namespace. Note the authoritative part. Until CableOne delegates your assigned netblock to your organisation, your public DNS server will not be authoritative (it currently isn't!) for 72.24.34.252. You can reference RFC 2317 (classless in-addr.arpa delegation) for how that works. As to why you must be authoritative, I've already pointed out off-list how Bad Things can happen when you're not, especially in regards to email where reverse lookups are integral to How Things Work.

I could be wrong, but I think they've done something like this. I administered DNS on an OpenBSD machine (2 of them actually) back in 2000-2001. Since then, I've done nothing with DNS administration.

I'm wondering what I need to get from CableOne to get this done. Here's the result of a dig, on that mail server, for the IP address 72.24.34.252:

    [/home/afalanga] - dig -x 72.24.34.252

    ; <<>> DiG 9.3.3 <<>> -x 72.24.34.252
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19747
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;252.34.24.72.in-addr.arpa.     IN      PTR

    ;; ANSWER SECTION:
    252.34.24.72.in-addr.arpa. 86333 IN     PTR     34-252.72-24-cpe.cableone.net.

    ;; AUTHORITY SECTION:
    24.72.in-addr.arpa.     75566   IN      NS      NS1.cableone.net.
    24.72.in-addr.arpa.     75566   IN      NS      NS2.cableone.net.

    ;; ADDITIONAL SECTION:
    NS1.cableone.net.       3507    IN      A       24.116.0.201
    NS2.cableone.net.       69544   IN      A
Re: mail server DNS configuration questions
Sahil Tandon wrote:
> Andrew Falanga [EMAIL PROTECTED] wrote:
>> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues.
>
> What exactly is the problem though? What problems are you having on the mail server that lead you to the above conclusion?

Clients in the church's private network cannot send mail using this server, though they can receive mail from it (POP). The church has a private network, PN1, and the mail server sits at a church member's house because he has a static IP address; let's call that PN2. The router at his house is set up to forward traffic over port 25, and the POP port, to this server.

Also, just to further clarify, the Internet separates these two Private Networks. However, this may not be entirely true as I think about it because at both locations, the ISP is CableOne using cable broadband. So, though technically part of the Internet, the traffic shouldn't leave the CableOne domain. Also, of interest, is that another of our pastors uses CableOne at home and is unable to send e-mail using the church's server from home. However, from a coffee shop in town, that our pastors frequent, they are able to send mail. It is my understanding that this coffee shop does not use CableOne.

So, just to make sure everyone's got it, the mail server sits in PN2. While diagnosing this, I connect to the server (using Putty) from a machine in PN1; using either a mail client or telnet, I'm unable to make a connection to the mail server over port 25. Using tcpdump during this putty session I do not even see the SYN packets for the start of the connection from the machines in PN1. This is only when connecting to port 25. Obviously, I can connect to the server because I'm using putty. Also, I can see the SYN packets for the start of the connection when this same machine in PN1 attempts to connect to port 80. The problem seems to be when trying to connect over port 25.

For some reason, the packets aren't being delivered to that address (72.24.34.252). This happens if I try to telnet to mail.whitneybaptist.org or telnet to 72.24.34.252 on port 25. The packets aren't being delivered. They're being sent somewhere else, or lost in digital purgatory.

Now, from home (my home) let's call this PN3, I can send/receive mail using the church e-mail server. I, however, don't use CableOne. Are there routers that route traffic based on port number? It's almost as if traffic, that originates within the CableOne domain and travels through, but not outside, the CableOne domain, doesn't get routed to the correct address when it's destined for port 25.

Andy
Re: mail server DNS configuration questions
Andrew Falanga wrote:
> Clients in the church's private network cannot send mail using this server, though they can receive mail from it (POP). The church has a private network, PN1, and the mail server sits at a church member's house because he has a static IP address; let's call that PN2. The router at his house is set up to forward traffic over port 25, and the POP port, to this server.
>
> Also, just to further clarify, the Internet separates these two Private Networks. However, this may not be entirely true as I think about it because at both locations, the ISP is CableOne using cable broadband. So, though technically part of the Internet, the traffic shouldn't leave the CableOne domain. Also, of interest, is that another of our pastors uses CableOne at home and is unable to send e-mail using the church's server from home. However, from a coffee shop in town, that our pastors frequent, they are able to send mail. It is my understanding that this coffee shop does not use CableOne.
>
> So, just to make sure everyone's got it, the mail server sits in PN2. While diagnosing this, I connect to the server (using Putty) from a machine in PN1; using either a mail client or telnet, I'm unable to make a connection to the mail server over port 25. Using tcpdump during this putty session I do not even see the SYN packets for the start of the connection from the machines in PN1. This is only when connecting to port 25. Obviously, I can connect to the server because I'm using putty. Also, I can see the SYN packets for the start of the connection when this same machine in PN1 attempts to connect to port 80. The problem seems to be when trying to connect over port 25.
>
> For some reason, the packets aren't being delivered to that address (72.24.34.252). This happens if I try to telnet to mail.whitneybaptist.org or telnet to 72.24.34.252 on port 25. The packets aren't being delivered. They're being sent somewhere else, or lost in digital purgatory.
>
> Now, from home (my home) let's call this PN3, I can send/receive mail using the church e-mail server. I, however, don't use CableOne. Are there routers that route traffic based on port number? It's almost as if traffic, that originates within the CableOne domain and travels through, but not outside, the CableOne domain, doesn't get routed to the correct address when it's destined for port 25.

So a common thread is that traffic on the ISP's net isn't going out via yourserver.com:25 --- would seem to indicate port blocking, which is quite common for port 25. Tried 587 or some weird alternate?

Kevin Kinsey

--
If the odds are a million to one against something occurring, chances are 50-50 it will.
Re: mail server DNS configuration questions
Andrew Falanga presented these words - circa 9/6/08 6:28 PM-
> Hi,
>
> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>
>     192.168.2.x/24        72.24.23.252        lots of networks
>     Private Network  --    CableOne    --       Internet
>
> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:
>
> (from my FBSD machine at home, not the server)
>
>     [/usr/home/andy] - dig +short -t MX whitneybaptist.org
>     10 mail.whitneybaptist.org.
>     [/usr/home/andy] - dig +short -t A whitneybaptist.org
>     72.24.34.252
>     [/usr/home/andy] - dig +short -x 72.24.34.252
>     34-252.72-24-cpe.cableone.net.
>
> (from the church FBSD machine)
>
>     [/home/afalanga] - hostname
>     whitbap
>     [/home/afalanga] - ifconfig fxp0
>     fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             options=8<VLAN_MTU>
>             inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
>             ether 00:d0:b7:74:87:48
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active
>     [/home/afalanga] - cat /etc/resolv.conf
>     search McCutchanLAN
>     nameserver 192.168.2.1
>
> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.

First, what are you trying to accomplish with the internal DNS? Make it easier to resolve machines in the 192.168.2.0 network? Allow lookups external of the 192.168.2.0 network?

What machine is 'mail.whitneybaptist.com'? Is it on the 192.168.2.0 network? Is it reachable from the Internet?

Who is the owner of whitneybaptist.org DNS zone? I show the following NS servers:

    [EMAIL PROTECTED]/src/MPS/DocDownload 140 dig +short -t NS whitneybaptist.org
    ns1.domaindirect.com.
    ns2.domaindirect.com.
    ns3.domaindirect.com.

Which is administered by tucows.com (Tucows, Inc), a seller of DNS services.

> So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?

You can read the RFC's if you want, but you would be better served to purchase DNS and BIND, Fourth Edition, by Paul Albitz & Cricket Liu to learn how to administer DNS.

Patrick
Re: mail server DNS configuration questions
On Sat, 6 Sep 2008 19:28:28 -0600 Andrew Falanga [EMAIL PROTECTED] wrote:
> Hi,
>
> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>
>     192.168.2.x/24        72.24.23.252        lots of networks
>     Private Network  --    CableOne    --       Internet
>
> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine.
>
> ...
>
> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box.

This has little to do with DNS, and there's nothing obviously wrong. The router has the routable IP address and is forwarding incoming port 25 tcp connections to the real mail server using NAT. As far as the internet side is concerned your entire network has to look like a single server, so the mailserver has to pretend to be running on the router, and announce itself as mail.whitneybaptist.org. You'll probably need to pass your outgoing mail through another mail server to avoid its being rejected though.
Re: mail server DNS configuration questions
Andrew Falanga wrote:
>> *Not having* a reverse entry for a mail server is often the cause of issues.
>
> This I do know very well. I had similar problems when running a sendmail backup spooler for Syracuse Networks back in 2000. The eventual solution was that our ISP delegated control of our subnet to us. I'm wondering if something similar must be done on the internal network, i.e. 192.168.2.0/24. Perhaps I shouldn't have alluded to the problems that my clients are experiencing. The real question is, should I configure a sub-domain under whitneybaptist.org for this server and if so, how to set it up?
>
> I'm interested as to why you got this answer to the host query you did. In my original mail, I provided the result of a reverse lookup on that IP address to which I got this response:
>
>     [/usr/home/andy] - dig +short -x 72.24.34.252
>     34-252.72-24-cpe.cableone.net.
>
> Using host, on my machine, I get this response:
>
>     [/usr/home/andy] - host 72.24.34.252
>     252.34.24.72.in-addr.arpa domain name pointer 34-252.72-24-cpe.cableone.net.

Well, interestingly enough:

    [30] Sun 07.Sep.2008 DING! [EMAIL PROTECTED]/logs] host 72.24.34.252
    252.34.24.72.in-addr.arpa domain name pointer 34-252.72-24-cpe.cableone.net.

So something's changed in the last 12 hours, although I can't say exactly what. AFAIK, my DNS boxen and I were communicating Just Fine(tm) last night as well as this afternoon.

> Regardless of the fact that I got a response and you didn't, I'm still not getting the right information. The reverse mapping should be something like:
>
>     252.34.24.72.in-addr.arpa PTR mail.whitneybaptist.org.
>
> I may have gotten the syntax wrong as it's been a while since I've had to manipulate BIND name tables.
>
>> And the RFC for ESMTP is #2821.
>
> Thanks for the RFC.
>
> Andy

Well, at this point, I'd take the day off, and tomorrow perhaps have a dig at cableone's support ppl, looky here:

    [35] Sun 07.Sep.2008 14:03:43 [EMAIL PROTECTED]/logs] dig 72.24.34.1

    ; <<>> DiG 9.4.2-P1 <<>> 72.24.34.1
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56668
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;72.24.34.1.                    IN      A

    ;; AUTHORITY SECTION:
    .                       3600    IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008090700 1800 900 604800 86400

    ;; Query time: 222 msec
    ;; SERVER: 66.76.92.18#53(66.76.92.18)
    ;; WHEN: Sun Sep  7 14:03:50 2008
    ;; MSG SIZE  rcvd: 103

So, it's obvious they're playing with this zone Right Now(tm), (more or less) as the SN seems to indicate today. Possible this is auto-generated or something, but I think you'll get no joy on the PTR records until they do something upstream.

As for your internal net, I don't know much about it, unfortunately.

KDK
mail server DNS configuration questions
Hi,

Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:

    192.168.2.x/24        72.24.23.252        lots of networks
    Private Network  --    CableOne    --       Internet

Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:

(from my FBSD machine at home, not the server)

    [/usr/home/andy] - dig +short -t MX whitneybaptist.org
    10 mail.whitneybaptist.org.
    [/usr/home/andy] - dig +short -t A whitneybaptist.org
    72.24.34.252
    [/usr/home/andy] - dig +short -x 72.24.34.252
    34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)

    [/home/afalanga] - hostname
    whitbap
    [/home/afalanga] - ifconfig fxp0
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
            ether 00:d0:b7:74:87:48
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    [/home/afalanga] - cat /etc/resolv.conf
    search McCutchanLAN
    nameserver 192.168.2.1

It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.

So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?

Thanks,
Andy
Re: mail server DNS configuration questions
Andrew Falanga wrote:
> Hi,
>
> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>
>     192.168.2.x/24        72.24.23.252        lots of networks
>     Private Network  --    CableOne    --       Internet
>
> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:
>
> (from my FBSD machine at home, not the server)
>
>     [/usr/home/andy] - dig +short -t MX whitneybaptist.org
>     10 mail.whitneybaptist.org.
>     [/usr/home/andy] - dig +short -t A whitneybaptist.org
>     72.24.34.252
>     [/usr/home/andy] - dig +short -x 72.24.34.252
>     34-252.72-24-cpe.cableone.net.
>
> (from the church FBSD machine)
>
>     [/home/afalanga] - hostname
>     whitbap
>     [/home/afalanga] - ifconfig fxp0
>     fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             options=8<VLAN_MTU>
>             inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
>             ether 00:d0:b7:74:87:48
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active
>     [/home/afalanga] - cat /etc/resolv.conf
>     search McCutchanLAN
>     nameserver 192.168.2.1
>
> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.
>
> So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?
>
> Thanks,
> Andy

Andy, I'm not sure I'm DNS guru enough to answer all your questions, but --- you don't specify what problems are being experienced at the location, and, are you certain it's not about this?

    [25] Sat 06.Sep.2008 21:58:25 [EMAIL PROTECTED]/logs] host 72.24.34.252
    Host 252.34.24.72.in-addr.arpa. not found: 3(NXDOMAIN)

*Not having* a reverse entry for a mail server is often the cause of issues.

And the RFC for ESMTP is #2821.

HTH,

Kevin Kinsey

--
In Denver it is unlawful to lend your vacuum cleaner to your next-door neighbor.
Re: mail server DNS configuration questions
Andrew Falanga [EMAIL PROTECTED] wrote:
> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues.

What exactly is the problem though? What problems are you having on the mail server that lead you to the above conclusion?

--
Sahil Tandon [EMAIL PROTECTED]
Re: mail server DNS configuration questions
--On September 6, 2008 7:28:28 PM -0600 Andrew Falanga [EMAIL PROTECTED] wrote:
> Hi,
>
> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>
>     192.168.2.x/24        72.24.23.252        lots of networks
>     Private Network  --    CableOne    --       Internet
>
> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:

The 192.168.0.0/24 network is an IANA reserved network and **does not route** on the internet. You can send mail but you'll never be able to receive any. In order for you to receive email to that server, whatever device you've got in front of it (dsl router, for example) must be configured to hard code port 25 to your mail server so that all incoming mail to the public IP (72.24.23.252) will always go to the 192.168.2.23 address, which is the actual address of the mail server.

Some mail servers will not receive mail if the IP of the mail server doesn't reverse. Yours does, so that shouldn't be a problem, *however* if they also try to talk to your mail server to verify that it's actually a mail server that will fail if you don't have port 25 hard coded.

You don't say what the issues that you're having are, so that's my best guess about what's wrong.

Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer.
** WARNING: Check the headers before replying
Re: mail server DNS configuration questions
On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
> Well, my clients at church are still having issues and after working with George, a respondent to my original questions, I think that most, if not all, of my problems are related to DNS and how we've got it improperly configured. First, a crude drawing of how our mail server exists in the world:
>
>     192.168.2.x/24        72.24.23.252        lots of networks
>     Private Network  --    CableOne    --       Internet
>
> Now, our mail server's IP is 192.168.2.23. On the router, he (the person at whose house the mail server is) has IP forwarding set up so that mail gets sent to our FreeBSD machine. Using dig, here are the responses:
>
> (from my FBSD machine at home, not the server)
>
>     [/usr/home/andy] - dig +short -t MX whitneybaptist.org
>     10 mail.whitneybaptist.org.
>     [/usr/home/andy] - dig +short -t A whitneybaptist.org
>     72.24.34.252
>     [/usr/home/andy] - dig +short -x 72.24.34.252
>     34-252.72-24-cpe.cableone.net.
>
> (from the church FBSD machine)
>
>     [/home/afalanga] - hostname
>     whitbap
>     [/home/afalanga] - ifconfig fxp0
>     fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>             options=8<VLAN_MTU>
>             inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
>             ether 00:d0:b7:74:87:48
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active
>     [/home/afalanga] - cat /etc/resolv.conf
>     search McCutchanLAN
>     nameserver 192.168.2.1
>
> It doesn't take a rocket scientist, or a computer scientist, to figure out we've got DNS issues. I'm thinking that I should set up a domain within the 192.168.2.0/24 network on this box. I've done this before, at work. The question I've got is I've never actually integrated a domain like this to a domain on the Internet. I'm thinking that we'll set up something like: internal.whitneybaptist.org with hosts in that sub-domain.
>
> So, what would my DNS tables need to look like to make this happen. Also, to any knowledgeable souls here, what RFCs address these issues?

Hello again, Andy.

What you're asking is actually a FAQ, but I'll spell things out anyway. The following excerpt from RFC 1918 is most relevant:

    If an enterprise uses the private address space, or a mix of private and public address spaces, then DNS clients outside of the enterprise should not see addresses in the private address space used by the enterprise, since these addresses would be ambiguous. One way to ensure this is to run two authority servers for each DNS zone containing both publically and privately addressed hosts. One server would be visible from the public address space and would contain only the subset of the enterprise's addresses which were reachable using public addresses. The other server would be reachable only from the private network and would contain the full set of data, including the private addresses and whatever public addresses are reachable the private network. In order to ensure consistency, both servers should be configured from the same data of which the publically visible zone only contains a filtered version. There is certain degree of additional complexity associated with providing these capabilities.

That's a roundabout way of saying you can't mix and match private non-routable addresses with public addresses in the same namespace. Note the authoritative part. Until CableOne delegates your assigned netblock to your organisation, your public DNS server will not be authoritative (it currently isn't!) for 72.24.34.252. You can reference RFC 2317 (classless in-addr.arpa delegation) for how that works. As to why you must be authoritative, I've already pointed out off-list how Bad Things can happen when you're not, especially in regards to email where reverse lookups are integral to How Things Work.

As for other RFCs, I'd suggest instead starting with a careful reading of the Bind ARM at http://www.isc.org/sw/bind/, followed by a once-over of the Bind FAQ, and possibly the FreeBSD-supplied configuration files.

To save you some time, the following abbreviated context-specific examples should explain things more clearly and get you started:

Example 1: Two domains and two separate (sets of) name servers:

On the ns.whitneybaptist.org machine:

    zone "whitneybaptist.org" {
        type master;
        file "master/whitneybaptist.org";
    };

    zone "252.34.24.72.in-addr.arpa" {
        type master;
        file "master/db.72.24.34.252";
    };

On the ns.internal.whitneybaptist.org machine:

    zone "internal.whitneybaptist.org" {
        type master;
        file "master/internal.whitneybaptist.org";
    };

    zone "1.168.192.in-addr.arpa"
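An added example, not from the thread or any of its posters, that turns the two points raised above into a check: the RFC 1918 rule that the public zone must not carry private addresses, and the reverse-lookup requirement that an MX host's address map back to that host (Kevin's NXDOMAIN and Andy's expected PTR). The record table is constructed from the dig output quoted in the thread, and a plain dict stands in for a live resolver so it runs offline; the A record for the cableone.net PTR target is an assumption.

```python
"""Forward/reverse DNS sanity check for a mail domain, run over constructed records."""
import ipaddress

# Constructed record table: (owner name, type) -> list of rdata strings.
# Owner names are fully qualified with a trailing dot, as dig prints them.
# These are the records the thread reports for whitneybaptist.org; the A record
# for the cableone.net PTR target is assumed, not taken from the thread.
THREAD_RECORDS = {
    ("whitneybaptist.org.", "MX"): ["10 mail.whitneybaptist.org."],
    ("whitneybaptist.org.", "A"): ["72.24.34.252"],
    ("mail.whitneybaptist.org.", "A"): ["72.24.34.252"],
    ("252.34.24.72.in-addr.arpa.", "PTR"): ["34-252.72-24-cpe.cableone.net."],
    ("34-252.72-24-cpe.cableone.net.", "A"): ["72.24.34.252"],
}

# Same table with the PTR Andy says it should carry (constructed).
FIXED_RECORDS = dict(THREAD_RECORDS)
FIXED_RECORDS[("252.34.24.72.in-addr.arpa.", "PTR")] = ["mail.whitneybaptist.org."]

# Same table with the internal address published in the public zone (constructed),
# the mistake the RFC 1918 excerpt warns about.
LEAKED_RECORDS = dict(THREAD_RECORDS)
LEAKED_RECORDS[("mail.whitneybaptist.org.", "A")] = ["192.168.2.23"]


def fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """Owner name dig -x queries for an address, e.g. 252.34.24.72.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(records, name, rtype):
    """Table-driven stand-in for a DNS query; empty list means NXDOMAIN/NODATA."""
    return records.get((fqdn(name), rtype), [])


def check_mail_domain(domain, records):
    """Return a list of findings for the MX hosts of `domain`; empty means consistent.

    For each MX target:
      1. it must have an A record, or nothing can deliver to it;
      2. that address must not be RFC 1918 space (a leaked internal address);
      3. the PTR for the address must name the MX host;
      4. the PTR target must resolve back to the same address (forward-confirmed rDNS).
    """
    findings = []
    mxs = lookup(records, domain, "MX")
    if not mxs:
        return [f"{fqdn(domain)}: no MX record"]
    for rdata in mxs:
        _preference, host = rdata.split()
        host = fqdn(host)
        addrs = lookup(records, host, "A")
        if not addrs:
            findings.append(f"{host}: MX target has no A record")
            continue
        for addr in addrs:
            if ipaddress.ip_address(addr).is_private:
                findings.append(f"{host}: A {addr} is RFC 1918 space, unreachable from the Internet")
                continue
            ptrs = [fqdn(p) for p in lookup(records, reverse_name(addr), "PTR")]
            if not ptrs:
                findings.append(f"{addr}: no PTR record (NXDOMAIN on {reverse_name(addr)})")
            elif host not in ptrs:
                findings.append(f"{addr}: PTR is {', '.join(ptrs)}, not {host}")
            for ptr in ptrs:
                if addr not in lookup(records, ptr, "A"):
                    findings.append(f"{ptr}: does not resolve back to {addr}")
    return findings


if __name__ == "__main__":
    for label, table in [("as seen in the thread", THREAD_RECORDS),
                         ("with corrected PTR", FIXED_RECORDS),
                         ("with leaked private A", LEAKED_RECORDS)]:
        print(label, check_mail_domain("whitneybaptist.org", table) or ["OK"])
```

Against the thread's own records the only finding is the generic cableone.net PTR; swap the dict for a real resolver and the same logic applies to any mail domain.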