Re: OT: DNS restrictions for a mail server

2008-11-01 Thread mouss

Daniel J McDonald wrote:

> On Wed, 2008-10-22 at 23:59 +0200, Jonas Eckerman wrote:
>> Matus UHLAR - fantomas wrote:
>>> In my understanding, these are different concepts. In particular, RMX
>>> doesn't hijack the TXT record, which is one of the major sins of SPF.
>>>
>>> Yes, but they both were designed to do the same work. SPF however can do
>>> more. TXT was used because nothing else could, at least I think so.
>>
>> They could have used a prefix host to avoid hijacking the main
>> TXT record. (So you'd query the TXT record for
>> __spf__.domain.tld or something like that instead of the TXT
>> record for domain.tld when checking SPF.)
>
> Could have, but underscores are not a legal character in domain names.

no, they are perfectly legal in domain names. They are being used in
DKIM. don't confuse with hostnames.

> And now BIND 9.4 supports the SPF RR type, so we just have to wait a
> decade or two until everyone still running bind 4.0 has a chance to
> upgrade ;-)

and a century until everyone has a chance to upgrade their mail software
to use the new record ;-p







Re: OT: DNS restrictions for a mail server

2008-10-28 Thread Jonas Eckerman

Matus UHLAR - fantomas wrote:

> In my understanding, these are different concepts. In particular, RMX
> doesn't hijack the TXT record, which is one of the major sins of SPF.
>
> Yes, but they both were designed to do the same work. SPF however can do
> more. TXT was used because nothing else could, at least I think so.

They could have used a prefix host to avoid hijacking the main
TXT record. (So you'd query the TXT record for
__spf__.domain.tld or something like that instead of the TXT
record for domain.tld when checking SPF.)


/Jonas
--
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/




Re: OT: DNS restrictions for a mail server

2008-10-28 Thread Daniel J McDonald
On Wed, 2008-10-22 at 23:59 +0200, Jonas Eckerman wrote:
> Matus UHLAR - fantomas wrote:
>> In my understanding, these are different concepts. In particular, RMX
>> doesn't hijack the TXT record, which is one of the major sins of SPF.
>>
>> Yes, but they both were designed to do the same work. SPF however can do
>> more. TXT was used because nothing else could, at least I think so.
>
> They could have used a prefix host to avoid hijacking the main
> TXT record. (So you'd query the TXT record for
> __spf__.domain.tld or something like that instead of the TXT
> record for domain.tld when checking SPF.)

Could have, but underscores are not a legal character in domain names.

And now BIND 9.4 supports the SPF RR type, so we just have to wait a
decade or two until everyone still running bind 4.0 has a chance to
upgrade ;-)

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: OT: DNS restrictions for a mail server

2008-10-28 Thread Matus UHLAR - fantomas
> On Wed, 2008-10-22 at 23:59 +0200, Jonas Eckerman wrote:
>> Matus UHLAR - fantomas wrote:
>>> In my understanding, these are different concepts. In particular, RMX
>>> doesn't hijack the TXT record, which is one of the major sins of SPF.
>>>
>>> Yes, but they both were designed to do the same work. SPF however can do
>>> more. TXT was used because nothing else could, at least I think so.
>>
>> They could have used a prefix host to avoid hijacking the main
>> TXT record. (So you'd query the TXT record for
>> __spf__.domain.tld or something like that instead of the TXT
>> record for domain.tld when checking SPF.)

On 28.10.08 07:01, Daniel J McDonald wrote:
> Could have, but underscores are not a legal character in domain names.

in _host_ names. they are being tested in other DNS names, like SRV

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 


Re: OT: DNS restrictions for a mail server

2008-10-23 Thread Matus UHLAR - fantomas
>>> # host mail.example.com
>>> mail.example.com is an alias for hostname.example.com.
>>> hostname.example.com has address 1.2.3.4
>>
>> Wrong.  The MX record has to point to an A name, not a CNAME.

On 22.10.08 21:21, Len Conrad wrote:
> what?
>
> MX record's data field is a domain name
>
> That domain name owns one or more A records.
>
> With mail, the shortest resolution path is always best practice, and
> resolving through a CNAME is not the shortest.

Isn't that exactly what Joseph Brennan said/wrote?

> Similarly, an MX's IP should have only one PTR record, whose domain name
> in the data field matches with an A record:

This is not so important, unless they are used for outgoing mail.

I don't know of anybody who checks the validity of reverse RRs of the hosts
that MX records point to (why check that? to refuse delivering mail to the
provided address? what will it tell the sender?), and I know of domains where
MXes do not have PTR records and nothing happens.

> d.c.b.a.in-addr.arpa. PTR label.domain.tld.
>
> label.domain.tld.  A a.b.c.d

This should apply for everyone who wants to use any remote services, which
is not the MX case (the MX indicate inbound, not outbound servers).

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: OT: DNS restrictions for a mail server

2008-10-23 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sebastian Ries wrote:
> Hi there
>
> I just want to know some opinions on the following DNS Setup for a mail
> server:
>
> # host -t MX example.com
> example.com mail is handled by 100 mail.example.com.
>
> # host mail.example.com
> mail.example.com is an alias for hostname.example.com.
> hostname.example.com has address 1.2.3.4
>
> # host 1.2.3.4
> 4.3.2.1.in-addr.arpa domain name pointer hostname.example.com.
>
> The mailserver (postfix) connects saying it is hostname.example.com.
>
> Should this be a correct setup?

It looks like a CNAME error. See RFC 974 ;;

> One partner we want to send mails to does BOUNCE mails with
> 554 5.7.1 DNS Blacklisted by in-addr.arpa (in reply to MAIL FROM
> command)
> Do you think this is correct?
>
> I think this also prevents from getting mail from googlemail:
> [EMAIL PROTECTED]:~$ host -t MX googlemail.com
> googlemail.com mail is handled by 5 gmail-smtp-in.l.google.com.
> googlemail.com mail is handled by 10 alt1.gmail-smtp-in.l.google.com.
> googlemail.com mail is handled by 10 alt2.gmail-smtp-in.l.google.com.
> googlemail.com mail is handled by 50 gsmtp147.google.com.
> googlemail.com mail is handled by 50 gsmtp183.google.com.
> [EMAIL PROTECTED]:~$ host gmail-smtp-in.l.google.com.
> gmail-smtp-in.l.google.com has address 209.85.129.27
> gmail-smtp-in.l.google.com has address 209.85.129.114
> [EMAIL PROTECTED]:~$ host 209.85.129.27
> 27.129.85.209.in-addr.arpa domain name pointer fk-in-f27.google.com.
>
> Is this true?

Google is true. That's a basic rule of DNS ;;

> Regards
> Sebastian Ries

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkBS1kACgkQB00DNxnlnTarngCeI+GYTLl3iA0i/0p4xFEuiyor
CYAAnApt9bzG2ng+MYmAmjHfphyJudBm
=75AD
-END PGP SIGNATURE-


Re: OT: DNS restrictions for a mail server

2008-10-22 Thread Joseph Brennan



--On Tuesday, October 21, 2008 2:37 PM +0200 Sebastian Ries [EMAIL PROTECTED] wrote:

> # host -t MX example.com
> example.com mail is handled by 100 mail.example.com.
>
> # host mail.example.com
> mail.example.com is an alias for hostname.example.com.
> hostname.example.com has address 1.2.3.4

Wrong.  The MX record has to point to an A name, not a CNAME.


Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: OT: DNS restrictions for a mail server

2008-10-22 Thread Len Conrad

>> # host mail.example.com
>> mail.example.com is an alias for hostname.example.com.
>> hostname.example.com has address 1.2.3.4
>
> Wrong.  The MX record has to point to an A name, not a CNAME.

what?

MX record's data field is a domain name

That domain name owns one or more A records.

With mail, the shortest resolution path is always best practice, and resolving
through a CNAME is not the shortest.

Similarly, an MX's IP should have only one PTR record, whose domain name in the
data field matches with an A record:

d.c.b.a.in-addr.arpa. PTR label.domain.tld.

label.domain.tld.  A a.b.c.d

Len


__
IMGate OpenSource Mail Firewall www.IMGate.net
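An offline audit of the two points made in the post above (MX data must name an A record, not a CNAME, and an MX address should have a single PTR that resolves back to it), as an added example that is not from the thread or from IMGate. The resolver is a dictionary lookup over constructed zone data that mirrors the example.com records quoted earlier in the thread, plus two further constructed domains; the function names and the finding texts are this example's own. The rule the CNAME finding refers to is RFC 2181 section 10.3, which forbids an alias as the value of MX or NS data.

```python
# Added example, not code from the thread.  ZONE is constructed sample data
# standing in for real DNS answers; lookup() replaces a resolver query.

ZONE = {
    # The setup quoted in the thread: MX -> CNAME -> A, PTR matches.
    ("example.com.", "MX"):            ["100 mail.example.com."],
    ("mail.example.com.", "CNAME"):    ["hostname.example.com."],
    ("hostname.example.com.", "A"):    ["1.2.3.4"],
    ("4.3.2.1.in-addr.arpa.", "PTR"):  ["hostname.example.com."],
    # A correctly configured domain (constructed).
    ("good.example.", "MX"):           ["10 mx.good.example."],
    ("mx.good.example.", "A"):         ["5.6.7.8"],
    ("8.7.6.5.in-addr.arpa.", "PTR"):  ["mx.good.example."],
    # An MX address with two PTRs, one of which does not point back (constructed).
    ("twoptr.example.", "MX"):         ["10 mx.twoptr.example."],
    ("mx.twoptr.example.", "A"):       ["9.9.9.9"],
    ("9.9.9.9.in-addr.arpa.", "PTR"):  ["mx.twoptr.example.", "other.twoptr.example."],
    ("other.twoptr.example.", "A"):    ["9.9.9.10"],
}

MAX_CNAME_HOPS = 8  # loop guard for chained or circular aliases


def lookup(name, rtype):
    """Stand-in for a resolver query: exact-match lookup in the constructed zone."""
    return list(ZONE.get((name.lower(), rtype), []))


def reverse_name(ip):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def resolve_a(name):
    """Follow CNAMEs the way a resolver does; return (canonical name, hops, A records)."""
    hops = 0
    while hops < MAX_CNAME_HOPS:
        cname = lookup(name, "CNAME")
        if not cname:
            break
        name, hops = cname[0], hops + 1
    return name, hops, lookup(name, "A")


def check_ptr(ip):
    """None if ip has exactly one PTR whose name resolves back to ip, else a finding."""
    ptrs = lookup(reverse_name(ip), "PTR")
    if len(ptrs) != 1:
        return f"{ip}: expected exactly one PTR, found {len(ptrs)}"
    if ip not in lookup(ptrs[0], "A"):
        return f"{ip}: PTR {ptrs[0]} does not resolve back to {ip}"
    return None


def check_mx(domain):
    """Audit every MX target of domain; return a list of findings (empty means clean)."""
    findings = []
    for rr in lookup(domain, "MX"):
        _preference, target = rr.split()
        canonical, hops, addrs = resolve_a(target)
        if hops:
            findings.append(
                f"MX target {target} is a CNAME for {canonical} (not allowed for MX data)")
        if not addrs:
            findings.append(f"MX target {target} has no A record")
        for ip in addrs:
            finding = check_ptr(ip)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for d in ("example.com.", "good.example.", "twoptr.example."):
        print(d, check_mx(d) or "OK")
```

Against the thread's example.com data the only finding is the CNAME in the MX target; the PTR side of that setup is consistent, which matches the observation in the thread that the reverse record itself was fine. Swap `lookup()` for a real resolver call to use the same checks on live zones.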



Re: OT: DNS restrictions for a mail server

2008-10-21 Thread Jorge Valdes
Matus UHLAR - fantomas wrote:
> The point of MX is to point to hosts that receive mail, if you send mail to
> someone.
>
> The point of PTR is to provide host name when you receive mail from someone.
>
> The PTR has NOTHING to do with MX records and vice versa!

So maybe there should be a new type of DNS record: MS (name suggestions
welcomed :) ) to let everyone know the server is an _outbound_ only mail
server: a server that sends mail for a domain that _may_ also receive
mail for the domain. This is a lot simpler than having to parse an SPF
record, which may also require additional DNS queries.

DNS Configuration Examples:

1.- If a company has a single mail server for both inbound and outbound,
it would be required for them to setup both an MX record and a MS
record, i.e.:

example.com IN MX 10 mail
example.com IN MS 10 mail

2.- If a company has different servers for inbound and outbound mail,
they could setup different records to allow for all servers to be specified:

example.com IN MX 10 mail1
example.com IN MX 20 mail2
example.com IN MS 10 smtp1
example.com IN MS 20 smtp2

When a mail server gets a connection, it would ask for the PTR record in
order to check HELO|EHLO argument and get the host's name; when the MAIL
FROM: command is received, the domain part could be used to get the MS
record and optionally reject the sender if the hostname from the
connection is not listed in the MS record list. If we do allow the
sender, that could later trigger a SpamAssassin rule that says that the
envelope sender is sending mail from a host that is not allowed.
whitelist_ms a.b.c.d/x configuration directives could be used to bypass
the rule.

Also, DNSBL could benefit from these records, as exceptions could be
generated for these records in the same manner that MX records generate
exceptions. I understand that any new type of DNS record must be discussed,
and this is not the proper list to do it in, but this discussion is
probably appropriate since it's: OT.

-- Jorge Valdes
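The receiving-side procedure sketched in the post above (PTR lookup for the connecting address, HELO comparison, then a lookup of the sender domain's MS record and a rule hit when the host is not listed, with a `whitelist_ms` bypass), as an added example that is not the poster's code and not part of any SpamAssassin release. The MS record type is the hypothetical one proposed in the post and does not exist in real DNS; the zone data is constructed, and the rule names, `evaluate()` function and the list-based `whitelist_ms` emulation are this example's own assumptions.

```python
import ipaddress

# Added example, not code from the thread.  "MS" is the hypothetical record
# type proposed in the post above; ZONE is constructed sample data and
# lookup() stands in for a resolver query.

ZONE = {
    # example.com's outbound host, with forward-confirmed reverse DNS.
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["smtp1.example.com."],
    ("smtp1.example.com.", "A"):      ["1.2.3.4"],
    ("example.com.", "MS"):           ["10 smtp1.example.com.", "20 smtp2.example.com."],
    # A host that is not among example.com's published outbound servers.
    ("8.7.6.5.in-addr.arpa.", "PTR"): ["mail.other.example."],
    ("mail.other.example.", "A"):     ["5.6.7.8"],
    # A domain that publishes no MS record at all.
    ("noms.example.", "MX"):          ["10 mx.noms.example."],
}

# Emulates the proposed "whitelist_ms a.b.c.d/x" directive: sources that bypass the check.
WHITELIST_MS = [ipaddress.ip_network("10.0.0.0/8")]


def lookup(name, rtype):
    return list(ZONE.get((name.lower(), rtype), []))


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fqdn(name):
    """Normalise to lower case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def ms_hosts(domain):
    """Host names listed in the domain's (hypothetical) MS records; priority is ignored."""
    return {fqdn(rr.split()[1]) for rr in lookup(domain, "MS")}


def evaluate(client_ip, helo, mail_from):
    """Return the rule names that fire for one SMTP transaction (empty list = clean).

    Mirrors the post's sequence: PTR first, HELO compared to it, then the
    MAIL FROM domain's MS list.  Whether a hit rejects at SMTP time or only
    adds score is a policy choice left to the caller."""
    if any(ipaddress.ip_address(client_ip) in net for net in WHITELIST_MS):
        return []  # whitelist_ms bypass
    hits = []
    ptrs = lookup(reverse_name(client_ip), "PTR")
    if not ptrs:
        return ["NO_PTR"]  # without a host name the MS comparison cannot be made
    host = fqdn(ptrs[0])
    if client_ip not in lookup(host, "A"):
        hits.append("PTR_NOT_FORWARD_CONFIRMED")
    if fqdn(helo) != host:
        hits.append("HELO_PTR_MISMATCH")
    sender_domain = fqdn(mail_from.rsplit("@", 1)[-1])
    allowed = ms_hosts(sender_domain)
    if allowed and host not in allowed:
        hits.append("MS_SENDER_NOT_LISTED")
    return hits


if __name__ == "__main__":
    for args in (("1.2.3.4", "smtp1.example.com", "user@example.com"),
                 ("5.6.7.8", "mail.other.example", "user@example.com"),
                 ("5.6.7.8", "smtp1.example.com", "user@example.com"),
                 ("10.1.2.3", "anything", "user@example.com"),
                 ("7.7.7.7", "anything", "user@example.com")):
        print(args, evaluate(*args) or "clean")
```

A domain that publishes no MS record gets no `MS_SENDER_NOT_LISTED` hit at all, which keeps the check from penalising domains that have not opted in; that is the same neutral default the post implies when it treats the record as something a domain chooses to publish.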