Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread Poliman - Serwis
2018-11-15 15:19 GMT+01:00 B. Reino :

> On 2018-11-15 12:24, Poliman - Serwis wrote:
>
>> I have few domains on the server. Some part of them use my server for send
>> emails but few have configured external mail service like Google. I need to
>> disable using my mail service by colonel.com.pl on my server. There need to
>> be only google, nothing more but other domains need to use my mail service.
>
> Well then just leave it as it is. Obviously the warning you got from
> Google does not apply, because that SMTP server is taking care of other,
> unrelated, domains. Therefore you can safely ignore the warning, as it is
> wrong.
>

Ok, thank you.

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread B. Reino

On 2018-11-15 12:24, Poliman - Serwis wrote:

> I have few domains on the server. Some part of them use my server for send
> emails but few have configured external mail service like Google. I need to
> disable using my mail service by colonel.com.pl on my server. There need to
> be only google, nothing more but other domains need to use my mail service.


Well then just leave it as it is. Obviously the warning you got from 
Google does not apply, because that SMTP server is taking care of other, 
unrelated, domains. Therefore you can safely ignore the warning, as it 
is wrong.


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread Poliman - Serwis
2018-11-15 12:14 GMT+01:00 Dominic Raferd :

> On Thu, 15 Nov 2018 at 09:40, Poliman - Serwis  wrote:
>
>> Really appreciate help. About " In other words: if you want mail to end
>> up at your MX, your A ip-address should not accept incoming mail. " -
>> currently I have spf which allow sending emails only for google servers
>> added as MX records (I have removed 'a' from spf record). Second - I tried
>> "nc colonel.com.pl 25" from virtual machine deployed on my PC in job and
>> result:
>> tot@haha:~# nc colonel.com.pl 25
>> 220 s1.poliman.net ESMTP Postfix (Ubuntu)
>>
>
> So you are running a receiving postfix mail server on the A ip-address of
> colonel.com.pl. What for? G-Suite does it all for you, you shouldn't be
> using any other relaying mail server - just send and receive through Gmail.
>
> If you still want to run postfix for outgoing mail on the machine which is
> receiving colonel.com.pl:25,  you can stop postfix processing incoming
> mail there with:
> postconf inet_interfaces=loopback-only
>

I have few domains on the server. Some part of them use my server for send
emails but few have configured external mail service like Google. I need to
disable using my mail service by colonel.com.pl on my server. There need to
be only google, nothing more but other domains need to use my mail service.

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread Dominic Raferd
On Thu, 15 Nov 2018 at 09:40, Poliman - Serwis  wrote:

> Really appreciate help. About " In other words: if you want mail to end up
> at your MX, your A ip-address should not accept incoming mail. " -
> currently I have spf which allow sending emails only for google servers
> added as MX records (I have removed 'a' from spf record). Second - I tried
> "nc colonel.com.pl 25" from virtual machine deployed on my PC in job and
> result:
> tot@haha:~# nc colonel.com.pl 25
> 220 s1.poliman.net ESMTP Postfix (Ubuntu)
>

So you are running a receiving postfix mail server on the A ip-address of
colonel.com.pl. What for? G-Suite does it all for you, you shouldn't be
using any other relaying mail server - just send and receive through Gmail.

If you still want to run postfix for outgoing mail on the machine which is
receiving colonel.com.pl:25,  you can stop postfix processing incoming mail
there with:
postconf inet_interfaces=loopback-only


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread Poliman - Serwis
2018-11-14 10:22 GMT+01:00 Håkon Alstadheim :

>
> On 14.11.2018 08:21, Poliman - Serwis wrote:
>
>> 2018-11-13 19:58 GMT+01:00 Wietse Venema :
>>
>>> Poliman - Serwis:
>>> > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni :
>>> >
>>> > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema wrote:
>>> > > >
>>> > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
>>> > > >> record in dns zone.
>>> > > >
>>> > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
>>> > > > may try to send email using the A record, if those SMTP systems are
>>> > > > borked and if their DNS resolver is borked.
>>> > >
>>> > > In other words, nothing to worry about. There's no need to worry about
>>> > > such broken systems in practice.  Real MTAs don't get this wrong (though
>>> > > perhaps what I'm saying is that if there are some MTAs that get this wrong,
>>> > > they are garbage that deserves to be ignored).
>>> > >
>>> > > --
>>> > > Viktor.
>>> > >
>>> > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
>>> >
>>> >
>>> > Ok, thank you guys for answers and advices. Appreciate!
>>>
>>> You may still want to turn off the SMTP listener on colonel.com.pl,
>>> because it will never receive legitimate email.
>>>
>>> Wietse
>>
>> Thank you for answer. I suppose I don't understand properly. How could I
>> do this if this domain has MX on Google?
>
> To make sure all mail delivered to colonel.com.pl gets to google, make
> sure that the host colonel.com.pl will NOT accept connections for
> incoming mail from the internet.
>
> In other words: if you want mail to end up at your MX, your A ip-address
> should not accept incoming mail.
>
> If that is already OK, you are OK. It looks OK from where I am sitting.
>
> Viz:
>
> # dig colonel.com.pl mx
>
> ; <<>> DiG 9.11.2-P1 <<>> colonel.com.pl mx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63690
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;colonel.com.pl.    IN  MX
>
> ;; ANSWER SECTION:
> colonel.com.pl. 3600    IN  MX  5 alt1.aspmx.l.google.com.
> colonel.com.pl. 3600    IN  MX  5 alt2.aspmx.l.google.com.
> colonel.com.pl. 3600    IN  MX  10 alt4.aspmx.l.google.com.
> colonel.com.pl. 3600    IN  MX  10 alt3.aspmx.l.google.com.
> colonel.com.pl. 3600    IN  MX  1 aspmx.l.google.com.
>
> ;; AUTHORITY SECTION:
> colonel.com.pl. 3576    IN  NS  ns6.poliman.net.
> colonel.com.pl. 3576    IN  NS  ns7.poliman.net.
>
> ;; ADDITIONAL SECTION:
> ns6.poliman.net.    3576    IN  A   193.70.38.6
> ns7.poliman.net.    3576    IN  A   54.38.202.128
>
> ;; Query time: 42 msec
> ;; SERVER: 192.168.2.2#53(192.168.2.2)
> ;; WHEN: on. nov. 14 10:20:30 CET 2018
> ;; MSG SIZE  rcvd: 240
>
> 0:gt ~ # nc colonel.com.pl 25
> nc: unable to connect to address colonel.com.pl, service 25
>
>
Really appreciate help. About " In other words: if you want mail to end up
at your MX, your A ip-address should not accept incoming mail. " -
currently I have spf which allow sending emails only for google servers
added as MX records (I have removed 'a' from spf record). Second - I tried
"nc colonel.com.pl 25" from virtual machine deployed on my PC in job and
result:
tot@haha:~# nc colonel.com.pl 25
220 s1.poliman.net ESMTP Postfix (Ubuntu)
^C



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-14 Thread Håkon Alstadheim



On 14.11.2018 08:21, Poliman - Serwis wrote:

> 2018-11-13 19:58 GMT+01:00 Wietse Venema :
>
>> Poliman - Serwis:
>> > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni :
>> >
>> > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema wrote:
>> > > >
>> > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
>> > > >> record in dns zone.
>> > > >
>> > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
>> > > > may try to send email using the A record, if those SMTP systems are
>> > > > borked and if their DNS resolver is borked.
>> > >
>> > > In other words, nothing to worry about. There's no need to worry about
>> > > such broken systems in practice.  Real MTAs don't get this wrong (though
>> > > perhaps what I'm saying is that if there are some MTAs that get this wrong,
>> > > they are garbage that deserves to be ignored).
>> > >
>> > > --
>> > >         Viktor.
>> > >
>> > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
>> >
>> >
>> > Ok, thank you guys for answers and advices. Appreciate!
>>
>> You may still want to turn off the SMTP listener on colonel.com.pl,
>> because it will never receive legitimate email.
>>
>>         Wietse
>
> Thank you for answer. I suppose I don't understand properly. How could
> I do this if this domain has MX on Google?


To make sure all mail delivered to colonel.com.pl gets to google, make 
sure that the host colonel.com.pl will NOT accept connections for 
incoming mail from the internet.


In other words: if you want mail to end up at your MX, your A ip-address 
should not accept incoming mail.


If that is already OK, you are OK. It looks OK from where I am sitting.

Viz:

# dig colonel.com.pl mx

; <<>> DiG 9.11.2-P1 <<>> colonel.com.pl mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63690
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;colonel.com.pl.    IN  MX

;; ANSWER SECTION:
colonel.com.pl. 3600    IN  MX  5 alt1.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  5 alt2.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  10 alt4.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  10 alt3.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  1 aspmx.l.google.com.

;; AUTHORITY SECTION:
colonel.com.pl. 3576    IN  NS  ns6.poliman.net.
colonel.com.pl. 3576    IN  NS  ns7.poliman.net.

;; ADDITIONAL SECTION:
ns6.poliman.net.    3576    IN  A   193.70.38.6
ns7.poliman.net.    3576    IN  A   54.38.202.128

;; Query time: 42 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: on. nov. 14 10:20:30 CET 2018
;; MSG SIZE  rcvd: 240

0:gt ~ # nc colonel.com.pl 25
nc: unable to connect to address colonel.com.pl, service 25




Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-14 Thread B. Reino

On 2018-11-14 08:21, Poliman - Serwis wrote:


> 2018-11-13 19:58 GMT+01:00 Wietse Venema :
>
>> You may still want to turn off the SMTP listener on colonel.com.pl,
>> because it will never receive legitimate email.
>>
>> Wietse
>
> Thank you for answer. I suppose I don't understand properly. How could
> I do this if this domain has MX on Google?


If your e-mail is handled by Google, then you should not have an SMTP 
server running (listening) on colonel.com.pl.


So you should go (ssh) to colonel.com.pl and 
disable/deinstall/firewall/etc. postfix so that it does not accept 
incoming e-mails (e.g. ports 25, 465, 587).


If anyone wants to send you an e-mail, the MTA (sending server) will 
lookup colonel.com.pl and find the relevant MX record pointing to 
Google. The MTA will then send the e-mail to the Google server.


In severely broken situations an MTA might decide to try to send it 
directly to colonel.com.pl and -- surprise -- find a welcoming 
(listening) SMTP server. You don't want that, so, again, you should 
disable/remove/uninstall the SMTP server on colonel.com.pl


Hopefully this is clear now.
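
The check this thread keeps doing by hand with dig and nc (compare the domain's MX set with what answers on port 25 at the domain's own address), as an added Python example that is not code from any poster. The dig text is a constructed sample built from the records quoted in the thread, and the names `parse_mx`, `smtp_banner` and `assess` are hypothetical.

```python
import re
import socket

# Constructed sample: ANSWER section of `dig colonel.com.pl mx` as quoted in the thread.
DIG_SAMPLE = """\
;; ANSWER SECTION:
colonel.com.pl. 3600    IN  MX  5 alt1.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  5 alt2.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  10 alt4.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  10 alt3.aspmx.l.google.com.
colonel.com.pl. 3600    IN  MX  1 aspmx.l.google.com.
"""

# owner, TTL, class IN, type MX, preference, exchanger
MX_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$")


def parse_mx(dig_text, domain):
    """Return [(preference, host)] for `domain` from dig output, best first."""
    want = domain.rstrip(".").lower()
    found = []
    for line in dig_text.splitlines():
        m = MX_RR.match(line.strip())
        if m and m.group(1).rstrip(".").lower() == want:
            found.append((int(m.group(2)), m.group(3).rstrip(".").lower()))
    return sorted(found)


def smtp_banner(host, port=25, timeout=5.0):
    """Return the 220 greeting line if `host` accepts SMTP connections, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            data = conn.recv(512)
    except OSError:  # refused, filtered, timed out, or the name did not resolve
        return None
    lines = data.decode("ascii", "replace").splitlines()
    return lines[0] if lines and lines[0].startswith("220") else None


def assess(domain, mx, banner):
    """Classify what answers at the domain's own address against its MX set."""
    apex = domain.rstrip(".").lower()
    if banner is None:
        return "ok"             # nothing speaks SMTP at the domain's own address
    if not mx or any(host == apex for _, host in mx):
        return "expected"       # the domain is its own (explicit or implicit) MX
    return "apex-listener"      # MX points elsewhere, yet the A address accepts mail


if __name__ == "__main__":
    mx = parse_mx(DIG_SAMPLE, "colonel.com.pl")
    # Banner as quoted in the thread; a live check would call smtp_banner("colonel.com.pl").
    print(assess("colonel.com.pl", mx, "220 s1.poliman.net ESMTP Postfix (Ubuntu)"))
```

On a host that also receives mail for other domains, as in this thread, `apex-listener` reports the same condition the G Suite checker flagged.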


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Poliman - Serwis
2018-11-13 19:58 GMT+01:00 Wietse Venema :

> Poliman - Serwis:
> > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni :
> >
> > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema wrote:
> > > >
> > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
> > > >> record in dns zone.
> > > >
> > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > > may try to send email using the A record, if those SMTP systems are
> > > > borked and if their DNS resolver is borked.
> > >
> > > In other words, nothing to worry about.  There's no need to worry about
> > > such broken systems in practice.  Real MTAs don't get this wrong (though
> > > perhaps what I'm saying is that if there are some MTAs that get this
> > > wrong, they are garbage that deserves to be ignored).
> > >
> > > --
> > > Viktor.
> > >
> > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
> >
> >
> > Ok, thank you guys for answers and advices. Appreciate!
>
> You may still want to turn off the SMTP listener on colonel.com.pl,
> because it will never receive legitimate email.
>
> Wietse
>

Thank you for answer. I suppose I don't understand properly. How could I do
this if this domain has MX on Google?

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Wietse Venema
Poliman - Serwis:
> 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni :
> 
> > > On Nov 13, 2018, at 11:48 AM, Wietse Venema wrote:
> > >
> > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
> > >> record in dns zone.
> > >
> > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > may try to send email using the A record, if those SMTP systems are
> > > borked and if their DNS resolver is borked.
> >
> > In other words, nothing to worry about.  There's no need to worry about
> > such broken systems in practice.  Real MTAs don't get this wrong (though
> > perhaps what I'm saying is that if there are some MTAs that get this wrong,
> > they are garbage that deserves to be ignored).
> >
> > --
> > Viktor.
> >
> > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
> 
> 
> Ok, thank you guys for answers and advices. Appreciate!

You may still want to turn off the SMTP listener on colonel.com.pl,
because it will never receive legitimate email.

Wietse


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Poliman - Serwis
2018-11-13 18:24 GMT+01:00 Viktor Dukhovni :

> > On Nov 13, 2018, at 11:48 AM, Wietse Venema wrote:
> >
> >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
> >> record in dns zone.
> >
> > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > may try to send email using the A record, if those SMTP systems are
> > borked and if their DNS resolver is borked.
>
> In other words, nothing to worry about.  There's no need to worry about
> such broken systems in practice.  Real MTAs don't get this wrong (though
> perhaps what I'm saying is that if there are some MTAs that get this wrong,
> they are garbage that deserves to be ignored).
>
> --
> Viktor.
>
> [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem


Ok, thank you guys for answers and advices. Appreciate!

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Viktor Dukhovni
> On Nov 13, 2018, at 11:48 AM, Wietse Venema  wrote:
> 
>> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
>> in dns zone.
> 
> You have both A and MX records for colonel.com.pl. Some SMTP systems
> may try to send email using the A record, if those SMTP systems are
> borked and if their DNS resolver is borked.

In other words, nothing to worry about.  There's no need to worry about
such broken systems in practice.  Real MTAs don't get this wrong (though
perhaps what I'm saying is that if there are some MTAs that get this wrong,
they are garbage that deserves to be ignored).

-- 
Viktor.

[1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Bastian Blank
On Tue, Nov 13, 2018 at 05:31:13PM +0100, Poliman - Serwis wrote:
> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> in dns zone.

You missed that the point is called "There should not be a mail
exchanger set up on naked domain name."

Don't run an externally reachable SMTP server on colonel.com.pl.

| % nc colonel.com.pl 25   
| 220 s1.poliman.net ESMTP Postfix (Ubuntu)

Bastian

-- 
Men will always be men -- no matter where they are.
-- Harry Mudd, "Mudd's Women", stardate 1329.8


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Wietse Venema
Poliman - Serwis:
> 2018-11-13 16:05 GMT+01:00 Kris Deugau :
> 
> > Poliman - Serwis wrote:
> >
> >> Hello. I have used G Suite MX checker available here
> >> https://toolbox.googleapps.com/apps/checkmx/
> >>
> >
> > This seems to be a Google-specific tester for domains hosted with Google,
> > so it's difficult to compare with random other domains.
> >
> >> and I have message: "The address of the mail server in the domain record A
> >> can cause poorly visible and difficult to diagnose errors manifested by
> >> "disappearing" e-mails in the event of problems with the DNS server. This
> >> problem can be diagnosed by entering a command *telnet your.do.main
> >> 25* [..]". How can I resolve this?
> 
> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> in dns zone.

You have both A and MX records for colonel.com.pl. Some SMTP systems
may try to send email using the A record, if those SMTP systems are
borked and if their DNS resolver is borked.

Wietse


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Kris Deugau

Poliman - Serwis wrote:
> Hello. I have used G Suite MX checker available here
> https://toolbox.googleapps.com/apps/checkmx/

This seems to be a Google-specific tester for domains hosted with 
Google, so it's difficult to compare with random other domains.

> and I have message: "The address of the mail server in the domain record A
> can cause poorly visible and difficult to diagnose errors manifested by
> "disappearing" e-mails in the event of problems with the DNS server. This
> problem can be diagnosed by entering a command *telnet your.do.main 25*
> [..]". How can I resolve this?



It would be helpful to know which domain you're testing so the rest of 
us can read the entire report.


It sort of sounds like you have either managed to enter one of the 
Google MX hosts' IP addresses as your domain root A record, or have an 
extra MX record somewhere, or just have the domain root A record pointed 
somewhere outside Google, but without more information it's really hard 
to tell what they're even checking for.


-kgd


G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-13 Thread Poliman - Serwis
 Hello. I have used G Suite MX checker available here
https://toolbox.googleapps.com/apps/checkmx/ and I have message: "The
address of the mail server in the domain record A can cause poorly visible
and difficult to diagnose errors manifested by "disappearing" e-mails in
the event of problems with the DNS server. This problem can be diagnosed by
entering a command *telnet your.do.main 25* [..]". How can I resolve this?

In dns zone I have:
ASPMX.L.GOOGLE.COM. with priority 1
ALT1.ASPMX.L.GOOGLE.COM. with priority 5
ALT2.ASPMX.L.GOOGLE.COM. with priority 5
ALT3.ASPMX.L.GOOGLE.COM. with priority 10
ALT4.ASPMX.L.GOOGLE.COM. with priority 10

and I also configured SPF, DKIM, DMARC for my domain.

Does anybody know what to do to resolve this? I know it's not exactly
postfix issue but here are mail related specialists.

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*