Re: mail server DNS configuration questions

2008-09-11 Thread CyberLeo Kitsana
Andrew Falanga wrote:
 ...
 While diagnosing this, I connect to the server (using Putty) from a
 machine in PN1; using either a mail client or telnet, I'm unable to make
 a connection to the mail server over port 25.  Using tcpdump during this
 putty session I do not even see the SYN packets for the start of the
 connection from the machines in PN1.  This is only when connecting to
 port 25.  Obviously, I can connect to the server because I'm using
 ...

Are you sure CableOne does not filter outgoing port 25 connection
attempts to any servers save its own relay?

My ISP (A big name DSL provider; grep the headers if curious) does not
perform incoming port filtering, but rather aggressively filters
outbound TCP port 25 and (for reasons unexplained)  as well.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
[EMAIL PROTECTED]

Furry Peace! - http://.fur.com/peace/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: mail server DNS configuration questions

2008-09-10 Thread Andrew Falanga

Patrick Mahan wrote:



Andrew Falanga presented these words - circa 9/6/08 6:28 PM-

Hi,

Well, my clients at church are still having issues and after working
with George, a respondent to my original questions, I think that
most, if not all, of my problems are related to DNS and how we've got
it improperly configured.


First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the
person at whose house the mail server is) has IP forwarding set up so
that mail gets sent to our FreeBSD machine.  Using dig, here are the
responses:


(from my FBSD machine at home, not the server)
[/usr/home/andy]
- dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy]
- dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy]
- dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)
[/home/afalanga]
- hostname
whitbap
[/home/afalanga]
- ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[/home/afalanga]
- cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1


It doesn't take a rocket scientist, or a computer scientist, to
figure out we've got DNS issues.  I'm thinking that I should set up a
domain within the 192.168.2.0/24 network on this box.  I've done this
before, at work.  The question I've got is I've never actually
integrated a domain like this to a domain on the Internet.  I'm
thinking that we'll set up something like: internal.whitneybaptist.org
with hosts in that sub-domain.





First, what are you trying to accomplish with the internal DNS?  Make
it easier to resolve machines in the 192.168.2.0 network?  Allow
lookups external of the 192.168.2.0 network?  What machine is
'mail.whitneybaptist.com'?  Is it on the 192.168.2.0 network?  Is it
reachable from the Internet?

Who is the owner of whitneybaptist.org DNS zone?  I show the following
NS servers:

[EMAIL PROTECTED]/src/MPS/DocDownload 140  dig +short -t NS whitneybaptist.org
ns1.domaindirect.com.
ns2.domaindirect.com.
ns3.domaindirect.com.

Which is administered by tucows.com (Tucows, Inc), a seller of DNS
services.


So, what would my DNS tables need to look like to make this happen?
Also, to any knowledgeable souls here, what RFCs address these issues?




You can read the RFCs if you want, but you would be better served to
purchase DNS and BIND, Fourth Edition, by Paul Albitz & Cricket Liu to
learn how to administer DNS.

Patrick


It's been quite some time since I last looked at that book.  It was at 
edition 3 then, and owned by the company I worked for so I didn't get to 
keep it.  I'll have to look into it.


Andy


Re: mail server DNS configuration questions

2008-09-10 Thread Andrew Falanga

George Davidovich wrote:

On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
  
Well, my clients at church are still having issues and after working with
George, a respondent to my original questions, I think that most, if not all,
of my problems are related to DNS and how we've got it improperly configured.


First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the person at
whose house the mail server is) has IP forwarding set up so that mail gets
sent to our FreeBSD machine.  Using dig, here are the responses:


(from my FBSD machine at home, not the server)
[/usr/home/andy] - dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy] - dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy] - dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)
[/home/afalanga] - hostname
whitbap
[/home/afalanga] - ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[/home/afalanga] - cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1

It doesn't take a rocket scientist, or a computer scientist, to figure out
we've got DNS issues.  I'm thinking that I should set up a domain within the
192.168.2.0/24 network on this box.  I've done this before, at work.  The
question I've got is I've never actually integrated a domain like this to a
domain on the Internet.  I'm thinking that we'll set up something like:
internal.whitneybaptist.org with hosts in that sub-domain.


So, what would my DNS tables need to look like to make this happen?  Also, to
any knowledgeable souls here, what RFCs address these issues?



Hello again, Andy.
 
What you're asking is actually a FAQ, but I'll spell things out anyway.

The following excerpt from RFC 1918 is most relevant:

If an enterprise uses the private address space, or a mix of
private and public address spaces, then DNS clients outside of
the enterprise should not see addresses in the private address
space used by the enterprise, since these addresses would be
ambiguous.  One way to ensure this is to run two authority
servers for each DNS zone containing both publically and
privately addressed hosts.  One server would be visible from the
public address space and would contain only the subset of the
enterprise's addresses which were reachable using public
addresses.  The other server would be reachable only from the
private network and would contain the full set of data,
including the private addresses and whatever public addresses
are reachable the private network.  In order to ensure
consistency, both servers should be configured from the same
data of which the publically visible zone only contains a
filtered version. There is certain degree of additional
complexity associated with providing these capabilities.

That's a roundabout way of saying you can't mix and match private
non-routable addresses with public addresses in the same namespace.

Note the authoritative part.  Until CableOne delegates your assigned
netblock to your organisation, your public DNS server will not be
authoritative (it currently isn't!) for 72.24.34.252.  You can reference
RFC 2317 (classless in-addr.arpa delegation) for how that works.  As to
why you must be authoritative, I've already pointed out off-list how Bad
Things can happen when you're not, especially in regards to email where
reverse lookups are integral to How Things Work.
  


I could be wrong, but I think they've done something like this.  I 
administered DNS on an OpenBSD machine (2 of them actually) back in 
2000-2001.  Since then, I've done nothing with DNS administration.  I'm 
wondering what I need to get from CableOne to get this done.  Here's the 
result of a dig, on that mail server, for the IP address 72.24.34.252:


[/home/afalanga]
- dig -x 72.24.34.252

; <<>> DiG 9.3.3 <<>> -x 72.24.34.252
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19747
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;252.34.24.72.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
252.34.24.72.in-addr.arpa. 86333 IN PTR 34-252.72-24-cpe.cableone.net.


;; AUTHORITY SECTION:
24.72.in-addr.arpa. 75566   IN  NS  NS1.cableone.net.
24.72.in-addr.arpa. 75566   IN  NS  NS2.cableone.net.

;; ADDITIONAL SECTION:
NS1.cableone.net.   3507IN  A   24.116.0.201
NS2.cableone.net.   69544   IN  A  

Re: mail server DNS configuration questions

2008-09-10 Thread Andrew Falanga

Sahil Tandon wrote:

Andrew Falanga [EMAIL PROTECTED] wrote:

  
It doesn't take a rocket scientist, or a computer scientist, to 
figure out we've got DNS issues.



What exactly is the problem though?  What problems are you having on 
the mail server that lead you to the above conclusion?


  
Clients in the church's private network cannot send mail using this
server, though they can receive mail from it (POP).  The church has a
private network, PN1, and the mail server sits at a church member's house
because he has a static IP address; let's call that PN2.  The router at
his house is set up to forward traffic over port 25, and the POP port, to
this server.  Also, just to further clarify, the Internet separates
these two Private Networks.  However, this may not be entirely true as I
think about it because at both locations, the ISP is CableOne using
cable broadband.  So, though technically part of the Internet, the
traffic shouldn't leave the CableOne domain.  Also, of interest, is that
another of our pastors uses CableOne at home and is unable to send
e-mail using the church's server from home.  However, from a coffee shop
in town, that our pastors frequent, they are able to send mail.  It is
my understanding that this coffee shop does not use CableOne.


So, just to make sure everyone's got it, the mail server sits in PN2.
While diagnosing this, I connect to the server (using Putty) from a
machine in PN1; using either a mail client or telnet, I'm unable to make
a connection to the mail server over port 25.  Using tcpdump during this
putty session I do not even see the SYN packets for the start of the
connection from the machines in PN1.  This is only when connecting to
port 25.  Obviously, I can connect to the server because I'm using
putty.  Also, I can see the SYN packets for the start of the connection
when this same machine in PN1 attempts to connect to port 80.  The
problem seems to be when trying to connect over port 25.  For some
reason, the packets aren't being delivered to that address
(72.24.34.252).  This happens if I try to telnet to
mail.whitneybaptist.org or telnet to 72.24.34.252 on port 25.  The
packets aren't being delivered.  They're being sent somewhere else, or
lost in digital purgatory.


Now, from home (my home) let's call this PN3, I can send/receive mail 
using the church e-mail server.  I, however, don't use CableOne.  Are 
there routers that route traffic based on port number?  It's almost as 
if traffic, that originates within the CableOne domain and travels 
through, but not outside, the CableOne domain, doesn't get routed to the 
correct address when it's destined for port 25.


Andy


Re: mail server DNS configuration questions

2008-09-10 Thread Kevin Kinsey

Andrew Falanga wrote:

Clients in the church's private network cannot send mail using this
server, though they can receive mail from it (POP).  The church has a
private network, PN1, and the mail server sits at a church member's house
because he has a static IP address; let's call that PN2.  The router at
his house is set up to forward traffic over port 25, and the POP port, to
this server.  Also, just to further clarify, the Internet separates
these two Private Networks.  However, this may not be entirely true as I
think about it because at both locations, the ISP is CableOne using
cable broadband.  So, though technically part of the Internet, the
traffic shouldn't leave the CableOne domain.  Also, of interest, is that
another of our pastors uses CableOne at home and is unable to send
e-mail using the church's server from home.  However, from a coffee shop
in town, that our pastors frequent, they are able to send mail.  It is
my understanding that this coffee shop does not use CableOne.


So, just to make sure everyone's got it, the mail server sits in PN2.
While diagnosing this, I connect to the server (using Putty) from a
machine in PN1; using either a mail client or telnet, I'm unable to make
a connection to the mail server over port 25.  Using tcpdump during this
putty session I do not even see the SYN packets for the start of the
connection from the machines in PN1.  This is only when connecting to
port 25.  Obviously, I can connect to the server because I'm using
putty.  Also, I can see the SYN packets for the start of the connection
when this same machine in PN1 attempts to connect to port 80.  The
problem seems to be when trying to connect over port 25.  For some
reason, the packets aren't being delivered to that address
(72.24.34.252).  This happens if I try to telnet to
mail.whitneybaptist.org or telnet to 72.24.34.252 on port 25.  The
packets aren't being delivered.  They're being sent somewhere else, or
lost in digital purgatory.


Now, from home (my home) let's call this PN3, I can send/receive mail 
using the church e-mail server.  I, however, don't use CableOne.  Are 
there routers that route traffic based on port number?  It's almost as 
if traffic, that originates within the CableOne domain and travels 
through, but not outside, the CableOne domain, doesn't get routed to the 
correct address when it's destined for port 25.


So a common thread is that traffic on the ISP's net isn't going
out via yourserver.com:25 --- would seem to indicate port blocking,
which is quite common for port 25.  Tried 587 or some weird alternate?

Kevin Kinsey

--
If the odds are a million to one against something
occurring, chances are 50-50 it will.
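Andy's tcpdump observation above (SYNs for port 80 reach the server, none for port 25) and Kevin's port-blocking diagnosis, as an added example that is not code from the thread or from any of its participants: a small parser that counts pure SYNs per destination port in a tcpdump -n capture and reports, per probed port, whether any connection attempt from the client reached the host at all. The capture lines are constructed; 203.0.113.7 stands in for PN1's public address, and the server is 192.168.2.23 as in the thread.

```python
"""Count TCP SYNs per destination port in a tcpdump -n capture.

Added example, not code from the thread.  If the host's own tcpdump
never sees a SYN for a port while SYNs for other ports from the same
client do arrive, the drop happens upstream of the host (an ISP egress
filter on port 25, or the router's forwarding rule), not in the daemon
or packet filter on the host itself.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Accepts both the older "S 1000:1000(0)" flag style (tcpdump 3.x, as
# shipped with FreeBSD of that era) and the newer "Flags [S]" style.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[SFRP.]+))"
)

# Constructed capture as seen on the mail server (192.168.2.23, behind
# the router's NAT).  203.0.113.7 stands in for PN1's public address.
# The SSH (22) and HTTP (80) handshakes arrive; nothing arrives for 25.
SAMPLE_CAPTURE = """\
21:15:02.118342 IP 203.0.113.7.50123 > 192.168.2.23.22: S 1000:1000(0) win 65535
21:15:02.118501 IP 192.168.2.23.22 > 203.0.113.7.50123: S 2000:2000(0) ack 1001 win 65535
21:15:02.130004 IP 203.0.113.7.50123 > 192.168.2.23.22: . ack 1 win 65535
21:15:09.442110 IP 203.0.113.7.50124 > 192.168.2.23.80: S 3000:3000(0) win 65535
21:15:09.442300 IP 192.168.2.23.80 > 203.0.113.7.50124: S 4000:4000(0) ack 3001 win 65535
21:15:12.001200 IP 203.0.113.7.50124 > 192.168.2.23.80: P 1:80(79) ack 1 win 65535
21:15:20.777000 IP 203.0.113.7.50125 > 192.168.2.23.80: S 5000:5000(0) win 65535
"""


def parse(lines: Iterable[str]) -> List[dict]:
    """Extract src/dst endpoints and whether the segment is a pure SYN."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparseable line
        flags = m.group("new") if m.group("new") is not None else m.group("old")
        # A pure SYN carries S and no ACK: new style "S" (not "S."),
        # old style "S ..." without an " ack " field on the line.
        pure_syn = flags.startswith("S") and "." not in flags and " ack " not in line
        pkts.append({"src": m.group("src"), "sport": int(m.group("sport")),
                     "dst": m.group("dst"), "dport": int(m.group("dport")),
                     "syn": pure_syn})
    return pkts


def syn_counts(lines: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Connection attempts per (destination address, destination port)."""
    counts: Counter = Counter()
    for p in parse(lines):
        if p["syn"]:
            counts[(p["dst"], p["dport"])] += 1
    return dict(counts)


def diagnose(lines: Iterable[str], server: str, client: str,
             probed_ports: Iterable[int]) -> Dict[int, str]:
    """For each port the client tried, did any SYN from it reach the host?"""
    seen: Counter = Counter()
    for p in parse(lines):
        if p["syn"] and p["src"] == client and p["dst"] == server:
            seen[p["dport"]] += 1
    return {port: ("reached host" if seen[port] else "dropped upstream")
            for port in probed_ports}


if __name__ == "__main__":
    for (dst, port), n in sorted(syn_counts(SAMPLE_CAPTURE.splitlines()).items()):
        print(f"{dst}:{port} {n} SYN(s)")
    for port, verdict in diagnose(SAMPLE_CAPTURE.splitlines(), "192.168.2.23",
                                  "203.0.113.7", [25, 80]).items():
        print(f"port {port}: {verdict}")
```

A port reported as "dropped upstream" is where the submission port (587, with authentication) is the usual workaround, as Kevin suggests; a port that "reached host" is diagnosed on the host itself.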


Re: mail server DNS configuration questions

2008-09-09 Thread Patrick Mahan



Andrew Falanga presented these words - circa 9/6/08 6:28 PM-

Hi,

Well, my clients at church are still having issues and after working with
George, a respondent to my original questions, I think that most, if not all,
of my problems are related to DNS and how we've got it improperly configured.


First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the person at
whose house the mail server is) has IP forwarding set up so that mail gets
sent to our FreeBSD machine.  Using dig, here are the responses:


(from my FBSD machine at home, not the server)
[/usr/home/andy]
- dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy]
- dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy]
- dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)
[/home/afalanga]
- hostname
whitbap
[/home/afalanga]
- ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[/home/afalanga]
- cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1


It doesn't take a rocket scientist, or a computer scientist, to figure out
we've got DNS issues.  I'm thinking that I should set up a domain within the
192.168.2.0/24 network on this box.  I've done this before, at work.  The
question I've got is I've never actually integrated a domain like this to a
domain on the Internet.  I'm thinking that we'll set up something like:
internal.whitneybaptist.org with hosts in that sub-domain.





First, what are you trying to accomplish with the internal DNS?  Make it easier
to resolve machines in the 192.168.2.0 network?  Allow lookups external of the
192.168.2.0 network?  What machine is 'mail.whitneybaptist.com'?  Is it on the
192.168.2.0 network?  Is it reachable from the Internet?

Who is the owner of whitneybaptist.org DNS zone?  I show the following NS 
servers:

[EMAIL PROTECTED]/src/MPS/DocDownload 140  dig +short -t NS whitneybaptist.org
ns1.domaindirect.com.
ns2.domaindirect.com.
ns3.domaindirect.com.

Which is administered by tucows.com (Tucows, Inc), a seller of DNS services.

So, what would my DNS tables need to look like to make this happen?  Also, to
any knowledgeable souls here, what RFCs address these issues?




You can read the RFCs if you want, but you would be better served to purchase
DNS and BIND, Fourth Edition, by Paul Albitz & Cricket Liu to learn how to
administer DNS.

Patrick


Re: mail server DNS configuration questions

2008-09-07 Thread RW
On Sat, 6 Sep 2008 19:28:28 -0600
Andrew Falanga [EMAIL PROTECTED] wrote:

 Hi,
 
 Well, my clients at church are still having issues and after working
 with George, a respondent to my original questions, I think that
 most, if not all, of my problems are related to DNS and how we've got
 it improperly configured.
 
 First, a crude drawing of how our mail server exists in the world:
 
 192.168.2.x/24   72.24.23.252  lots of networks
 Private Network -- CableOne -- Internet
 
 Now, our mail server's IP is 192.168.2.23.  On the router, he (the
 person at whose house the mail server is) has IP forwarding set up so
 that mail gets sent to our FreeBSD machine.
 ...
 It doesn't take a rocket scientist, or a computer scientist, to
 figure out we've got DNS issues.  I'm thinking that I should set up a
 domain within the 192.168.2.0/24 network on this box.

This has little to do with DNS, and there's nothing obviously wrong. The
router has the routable IP address and is forwarding incoming port 25
tcp connections to the real mail server using NAT.  

As far as the internet side is concerned your entire network has to
look like a single server, so the mailserver has to pretend to be
running on the router, and announce itself as mail.whitneybaptist.org.

You'll probably need to pass your outgoing mail through another mail
server to avoid its being rejected though.


Re: mail server DNS configuration questions

2008-09-07 Thread Kevin Kinsey

Andrew Falanga wrote:


*Not having* a reverse entry for a mail server is often
the cause of issues.


This I do know very well.  I had similar problems when running a sendmail 
backup spooler for Syracuse Networks back in 2000.  The eventual solution was 
that our ISP delegated control of our subnet to us.  I'm wondering if 
something similar must be done on the internal network, i.e. 192.168.2.0/24.  
Perhaps I shouldn't have alluded to the problems that my clients are
experiencing.  The real question is, should I configure a sub-domain under 
whitneybaptist.org for this server and if so, how to set it up?


I'm interested as to why you got this answer to the host query you did.  In my 
original mail, I provided the result of a reverse lookup on that IP address 
to which I got this response:

[/usr/home/andy]
- dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

Using host, on my machine, I get this response:
[/usr/home/andy]
- host  72.24.34.252
252.34.24.72.in-addr.arpa domain name pointer 34-252.72-24-cpe.cableone.net.



Well, interestingly enough:

[30] Sun 07.Sep.2008 DING!
[EMAIL PROTECTED]/logs]
host 72.24.34.252
252.34.24.72.in-addr.arpa domain name pointer 34-252.72-24-cpe.cableone.net.

So something's changed in the last 12 hours, although I can't
say exactly what.  AFAIK, my DNS boxen and I were communicating
Just Fine(tm) last night as well as this afternoon.

Regardless of the fact that I got a response and you didn't, I'm still not 
getting the right information.  The reverse mapping should be something like:


252.34.24.72.in-addr.arpa PTR mail.whitneybaptist.org.

I may have gotten the syntax wrong as it's been a while since I've had to 
manipulate BIND name tables.



And the RFC for ESMTP is #2821.



Thanks for the RFC.

Andy


Well, at this point, I'd take the day off, and tomorrow
perhaps have a dig at cableone's support ppl, looky here:

[35] Sun 07.Sep.2008 14:03:43
[EMAIL PROTECTED]/logs]
dig 72.24.34.1

; <<>> DiG 9.4.2-P1 <<>> 72.24.34.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56668
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;72.24.34.1.IN  A

;; AUTHORITY SECTION:
.   3600    IN  SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008090700 1800 900 604800 86400


;; Query time: 222 msec
;; SERVER: 66.76.92.18#53(66.76.92.18)
;; WHEN: Sun Sep  7 14:03:50 2008
;; MSG SIZE  rcvd: 103


So, it's obvious they're playing with this zone Right Now(tm),
(more or less) as the SN seems to indicate today.  Possible this
is auto-generated or something, but I think you'll get no joy
on the PTR records until they do something upstream.  As for
your internal net, I don't know much about it, unfortunately.

KDK


mail server DNS configuration questions

2008-09-06 Thread Andrew Falanga
Hi,

Well, my clients at church are still having issues and after working with
George, a respondent to my original questions, I think that most, if not all,
of my problems are related to DNS and how we've got it improperly configured.

First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the person at
whose house the mail server is) has IP forwarding set up so that mail gets
sent to our FreeBSD machine.  Using dig, here are the responses:

(from my FBSD machine at home, not the server)
[/usr/home/andy]
- dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy]
- dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy]
- dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)
[/home/afalanga]
- hostname
whitbap
[/home/afalanga]
- ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[/home/afalanga]
- cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1


It doesn't take a rocket scientist, or a computer scientist, to figure out
we've got DNS issues.  I'm thinking that I should set up a domain within the
192.168.2.0/24 network on this box.  I've done this before, at work.  The
question I've got is I've never actually integrated a domain like this to a
domain on the Internet.  I'm thinking that we'll set up something like:
internal.whitneybaptist.org with hosts in that sub-domain.

So, what would my DNS tables need to look like to make this happen?  Also, to
any knowledgeable souls here, what RFCs address these issues?

Thanks,
Andy


Re: mail server DNS configuration questions

2008-09-06 Thread Kevin Kinsey

Andrew Falanga wrote:

Hi,

Well, my clients at church are still having issues and after working with
George, a respondent to my original questions, I think that most, if not all,
of my problems are related to DNS and how we've got it improperly configured.


First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the person at
whose house the mail server is) has IP forwarding set up so that mail gets
sent to our FreeBSD machine.  Using dig, here are the responses:


(from my FBSD machine at home, not the server)
[/usr/home/andy]
- dig +short -t MX whitneybaptist.org
10 mail.whitneybaptist.org.
[/usr/home/andy]
- dig +short -t A whitneybaptist.org
72.24.34.252
[/usr/home/andy]
- dig +short -x 72.24.34.252
34-252.72-24-cpe.cableone.net.

(from the church FBSD machine)
[/home/afalanga]
- hostname
whitbap
[/home/afalanga]
- ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
ether 00:d0:b7:74:87:48
media: Ethernet autoselect (100baseTX full-duplex)
status: active
[/home/afalanga]
- cat /etc/resolv.conf
search McCutchanLAN
nameserver 192.168.2.1


It doesn't take a rocket scientist, or a computer scientist, to figure out
we've got DNS issues.  I'm thinking that I should set up a domain within the
192.168.2.0/24 network on this box.  I've done this before, at work.  The
question I've got is I've never actually integrated a domain like this to a
domain on the Internet.  I'm thinking that we'll set up something like:
internal.whitneybaptist.org with hosts in that sub-domain.


So, what would my DNS tables need to look like to make this happen?  Also, to
any knowledgeable souls here, what RFCs address these issues?


Thanks,
Andy


Andy, I'm not sure I'm DNS guru enough to answer all your
questions, but --- you don't specify what problems are
being experienced at the location, and, are you certain it's
not about this?

[25] Sat 06.Sep.2008 21:58:25
[EMAIL PROTECTED]/logs]
host 72.24.34.252
Host 252.34.24.72.in-addr.arpa. not found: 3(NXDOMAIN)

*Not having* a reverse entry for a mail server is often
the cause of issues.

And the RFC for ESMTP is #2821.

HTH,

Kevin Kinsey
--
In Denver it is unlawful to lend your vacuum cleaner to your next-door
neighbor.


Re: mail server DNS configuration questions

2008-09-06 Thread Sahil Tandon
Andrew Falanga [EMAIL PROTECTED] wrote:

 It doesn't take a rocket scientist, or a computer scientist, to 
 figure out we've got DNS issues.

What exactly is the problem though?  What problems are you having on 
the mail server that lead you to the above conclusion?

-- 
Sahil Tandon [EMAIL PROTECTED]


Re: mail server DNS configuration questions

2008-09-06 Thread Paul Schmehl
--On September 6, 2008 7:28:28 PM -0600 Andrew Falanga 
[EMAIL PROTECTED] wrote:



Hi,

Well, my clients at church are still having issues and after working
with George, a respondent to my original questions, I think that most,
if not all, of my problems are related to DNS and how we've got it
improperly configured.

First, a crude drawing of how our mail server exists in the world:

192.168.2.x/24   72.24.23.252  lots of networks
Private Network -- CableOne -- Internet

Now, our mail server's IP is 192.168.2.23.  On the router, he (the
person at whose house the mail server is) has IP forwarding set up so
that mail gets sent to our FreeBSD machine.  Using dig, here are the
responses:



The 192.168.0.0/24 network is an IANA reserved network and **does not 
route** on the internet.  You can send mail but you'll never be able to 
receive any.  In order for you to receive email to that server, whatever 
device you've got in front of it (dsl router, for example) must be 
configured to hard code port 25 to your mail server so that all incoming 
mail to the public IP (72.24.23.252) will always go to the 192.168.2.23 
address, which is the actual address of the mail server.


Some mail servers will not receive mail if the IP of the mail server 
doesn't reverse.  Yours does, so that shouldn't be a problem, *however* if 
they also try to talk to your mail server to verify that it's actually a 
mail server that will fail if you don't have port 25 hard coded.


You don't say what the issues that you're having are, so that's my best 
guess about what's wrong.


Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
**
WARNING: Check the headers before replying


Re: mail server DNS configuration questions

2008-09-06 Thread George Davidovich
On Sat, Sep 06, 2008 at 07:28:28PM -0600, Andrew Falanga wrote:
 
 Well, my clients at church are still having issues and after working with
 George, a respondent to my original questions, I think that most, if not all,
 of my problems are related to DNS and how we've got it improperly configured.
 
 First, a crude drawing of how our mail server exists in the world:
 
 192.168.2.x/24   72.24.23.252  lots of networks
 Private Network -- CableOne -- Internet
 
 Now, our mail server's IP is 192.168.2.23.  On the router, he (the person at
 whose house the mail server is) has IP forwarding set up so that mail gets
 sent to our FreeBSD machine.  Using dig, here are the responses:
 
 (from my FBSD machine at home, not the server)
 [/usr/home/andy] - dig +short -t MX whitneybaptist.org
 10 mail.whitneybaptist.org.
 [/usr/home/andy] - dig +short -t A whitneybaptist.org
 72.24.34.252
 [/usr/home/andy] - dig +short -x 72.24.34.252
 34-252.72-24-cpe.cableone.net.
 
 (from the church FBSD machine)
 [/home/afalanga] - hostname
 whitbap
 [/home/afalanga] - ifconfig fxp0
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=8<VLAN_MTU>
 inet 192.168.2.23 netmask 0xff00 broadcast 255.255.255.255
 ether 00:d0:b7:74:87:48
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 [/home/afalanga] - cat /etc/resolv.conf
 search McCutchanLAN
 nameserver 192.168.2.1
 
 It doesn't take a rocket scientist, or a computer scientist, to figure out
 we've got DNS issues.  I'm thinking that I should set up a domain within the
 192.168.2.0/24 network on this box.  I've done this before, at work.  The
 question I've got is I've never actually integrated a domain like this to a
 domain on the Internet.  I'm thinking that we'll set up something like:
 internal.whitneybaptist.org with hosts in that sub-domain.
 
 So, what would my DNS tables need to look like to make this happen?  Also, to
 any knowledgeable souls here, what RFCs address these issues?

Hello again, Andy.
 
What you're asking is actually a FAQ, but I'll spell things out anyway.
The following excerpt from RFC 1918 is most relevant:

If an enterprise uses the private address space, or a mix of
private and public address spaces, then DNS clients outside of
the enterprise should not see addresses in the private address
space used by the enterprise, since these addresses would be
ambiguous.  One way to ensure this is to run two authority
servers for each DNS zone containing both publically and
privately addressed hosts.  One server would be visible from the
public address space and would contain only the subset of the
enterprise's addresses which were reachable using public
addresses.  The other server would be reachable only from the
private network and would contain the full set of data,
including the private addresses and whatever public addresses
are reachable the private network.  In order to ensure
consistency, both servers should be configured from the same
data of which the publically visible zone only contains a
filtered version. There is certain degree of additional
complexity associated with providing these capabilities.

That's a roundabout way of saying you can't mix and match private
non-routable addresses with public addresses in the same namespace.

Note the authoritative part.  Until CableOne delegates your assigned
netblock to your organisation, your public DNS server will not be
authoritative (it currently isn't!) for 72.24.34.252.  You can reference
RFC 2317 (classless in-addr.arpa delegation) for how that works.  As to
why you must be authoritative, I've already pointed out off-list how Bad
Things can happen when you're not, especially in regards to email where
reverse lookups are integral to How Things Work.

As for other RFCs, I'd suggest instead starting with a careful reading
of the Bind ARM at http://www.isc.org/sw/bind/, followed by a once-over
of the Bind FAQ, and possibly the FreeBSD-supplied configuration files.
To save you some time, the following abbreviated context-specific
examples should explain things more clearly and get you started:

Example 1:  Two domains and two separate (sets of) name servers:

On the ns.whitneybaptist.org machine:

zone "whitneybaptist.org" {
    type master;
    file "master/whitneybaptist.org";
};
zone "252.34.24.72.in-addr.arpa" {
    type master;
    file "master/db.72.24.34.252";
};

On the ns.internal.whitneybaptist.org machine:

zone "internal.whitneybaptist.org" {
    type master;
    file "master/internal.whitneybaptist.org";
};
zone 1.168.192.in-addr.arpa
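The MX -> A -> PTR chain that Kevin, Paul and George discuss in this thread (a generic ISP PTR instead of mail.whitneybaptist.org, RFC 1918 addresses leaking into the public zone, and who is authoritative for the reverse zone), as an added offline check; this is example code, not from the thread or from any of its participants. The record tables are constructed from the dig output posted in the thread, two rows are labelled as assumptions, and the "fixed" table is a hypothetical outcome of an RFC 2317 delegation.

```python
"""Offline walk of the MX -> A -> PTR -> A chain for a mail domain.

Added example, not code from the thread.  Record tables are constructed
from the dig output in the thread; rows marked 'assumed' were not shown.
"""
import ipaddress
from typing import Dict, List, Tuple

# {(owner name, rtype): [rdata, ...]}; owner names fully qualified
# (trailing dot) as dig prints them, compared case-insensitively.
Records = Dict[Tuple[str, str], List[str]]

# What the thread's dig output shows on 2008-09-06.
AS_POSTED: Records = {
    ("whitneybaptist.org.", "NS"): ["ns1.domaindirect.com.", "ns2.domaindirect.com.",
                                    "ns3.domaindirect.com."],
    ("whitneybaptist.org.", "MX"): ["10 mail.whitneybaptist.org."],
    ("whitneybaptist.org.", "A"): ["72.24.34.252"],
    # assumed: only the apex A is shown, but telnet to the name hit this address
    ("mail.whitneybaptist.org.", "A"): ["72.24.34.252"],
    ("24.72.in-addr.arpa.", "NS"): ["NS1.cableone.net.", "NS2.cableone.net."],
    ("252.34.24.72.in-addr.arpa.", "PTR"): ["34-252.72-24-cpe.cableone.net."],
    # assumed: generic ISP names normally forward-confirm
    ("34-252.72-24-cpe.cableone.net.", "A"): ["72.24.34.252"],
}

# The mistake the RFC 1918 excerpt warns about: the box's LAN address in
# the public zone (constructed, not from the thread).
LEAKED_PRIVATE: Records = dict(AS_POSTED)
LEAKED_PRIVATE[("mail.whitneybaptist.org.", "A")] = ["192.168.2.23"]

# Hypothetical: CableOne delegates the single address (RFC 2317 style)
# to the church's forward-zone servers and the PTR is set.
FIXED: Records = dict(AS_POSTED)
FIXED[("252.34.24.72.in-addr.arpa.", "NS")] = ["ns1.domaindirect.com."]
FIXED[("252.34.24.72.in-addr.arpa.", "PTR")] = ["mail.whitneybaptist.org."]


def reverse_name(ip: str) -> str:
    """72.24.34.252 -> '252.34.24.72.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(records: Records, name: str, rtype: str) -> List[str]:
    """Case-insensitive lookup; names inside rdata are lower-cased too."""
    rdata = records.get((name.lower(), rtype), [])
    return rdata if rtype == "A" else [r.lower() for r in rdata]


def authority(records: Records, name: str) -> Tuple[str, List[str]]:
    """Closest enclosing name carrying NS records (the zone cut)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        ns = lookup(records, zone, "NS")
        if ns:
            return zone, ns
    return ".", []


def check_mail_dns(domain: str, records: Records) -> List[str]:
    """Return findings tagged OK / WARN / FAIL / INFO, lowest MX first."""
    findings: List[str] = []
    mx = lookup(records, domain, "MX")
    if not mx:
        return [f"FAIL: no MX record for {domain}"]
    _, fwd_ns = authority(records, domain)
    for entry in sorted(mx, key=lambda e: int(e.split()[0])):
        host = entry.split()[1]
        addrs = lookup(records, host, "A")
        if not addrs:
            findings.append(f"FAIL: MX host {host} has no A record")
            continue
        for a in addrs:
            if ipaddress.ip_address(a).is_private:
                findings.append(f"FAIL: {host} -> {a} is RFC 1918 space; unreachable "
                                "from the Internet and must not be in the public zone")
                continue
            rname = reverse_name(a)
            ptrs = lookup(records, rname, "PTR")
            if not ptrs:
                findings.append(f"FAIL: no PTR for {a}; receivers may reject the host")
            for p in ptrs:
                if a not in lookup(records, p, "A"):
                    findings.append(f"FAIL: PTR {a} -> {p} does not resolve back to {a}")
                elif p != host:
                    findings.append(f"WARN: PTR {a} -> {p} forward-confirms but is a "
                                    f"generic ISP name, not {host}")
                else:
                    findings.append(f"OK: {host} and {a} agree forward and reverse")
            rzone, rev_ns = authority(records, rname)
            if not set(rev_ns) & set(fwd_ns):
                findings.append(f"INFO: reverse zone {rzone} is served by {', '.join(rev_ns)}; "
                                f"the PTR for {a} changes there or after RFC 2317 delegation")
    return findings


if __name__ == "__main__":
    for label, table in (("as posted", AS_POSTED), ("leaked private", LEAKED_PRIVATE),
                         ("fixed", FIXED)):
        print(f"== {label}")
        for line in check_mail_dns("whitneybaptist.org.", table):
            print("  " + line)
```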