Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Tom Browder
On Thu, Aug 24, 2017 at 03:17 Matus UHLAR - fantomas wrote:
...


> I suggest
> - replace X.TLD. with "@" (BIND uses this as current origin)
>
> the result is:
>
> @   IN  A   142.54.186.2
> @   IN  MX  10  mail.example.com.
> @   IN  TXT "v=spf1 mx -all"


Thanks, Matus.

-Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Matus UHLAR - fantomas

On 23.08.17 19:28, Tom Browder wrote:
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  142.54.186.2.
> X.TLD.    IN  TXT    "v=spf1 mx -all"

as others suggested:
- get rid of the wildcard whenever possible
- get rid of the trailing dot in the A record
- point the MX to the canonical name of the server

I suggest
- replace X.TLD. with "@" (BIND uses this as current origin)

the result is:

@   IN  A   142.54.186.2
@   IN  MX  10  mail.example.com.
@   IN  TXT "v=spf1 mx -all"


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.
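
The corrections the replies in this thread make to the posted records (drop the trailing dot on the A address, give the MX a hostname rather than an IP, prefer a dedicated mail hostname over the apex, avoid the wildcard CNAME, and do not publish "?all") can be checked mechanically. The following is an added example, written for this page and not code from any poster: a small Python linter that parses the simple "owner [TTL] [IN] type rdata" lines used in the posts and reports those problems, plus the receiver-side lookup cost of the SPF mechanisms used. The three sample zones are constructed from the records quoted in the thread; "X.TLD" stands for each hosted domain exactly as in the original post, and the severity levels are the example's own choice.

```python
"""Lint zone snippets for the mistakes the replies in this thread point out.

Added example, not code from any poster. Offline: it parses the simple
'owner [TTL] [IN] type rdata' lines used in the posts and flags a trailing
dot on an A address, an IP as MX exchange, an MX that points at the apex,
a wildcard CNAME, '?all' in SPF, and the lookup cost of SPF mechanisms.
"""
import ipaddress
import shlex
from collections import namedtuple

Record = namedtuple('Record', 'owner type rdata')
Finding = namedtuple('Finding', 'level owner message')
SPF_LOOKUP_MECHANISMS = {'a', 'mx', 'ptr', 'include', 'exists'}

# Constructed from the records posted in the thread, spacing normalized;
# X.TLD stands for each hosted domain as in the original post.
ORIGINAL = """
X.TLD.    IN  A      142.54.186.2.
*.X.TLD.  IN  CNAME  X.TLD.
X.TLD.    IN  MX     10 142.54.186.2.
X.TLD.    IN  TXT    "v=spf1 mx -all"
"""
REVISED = """
X.TLD.    IN  A      142.54.186.2.
*.X.TLD.  IN  CNAME  X.TLD.
X.TLD.    IN  MX     10 X.TLD.
X.TLD.    IN  TXT    "v=spf1 mx ?all"
"""
SUGGESTED = """
; '@' is the current origin, i.e. the zone apex
@   IN  A    142.54.186.2
@   IN  MX   10 mail.example.com.
@   IN  TXT  "v=spf1 mx -all"
"""


def parse_zone(text):
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        tokens = shlex.split(line)            # a quoted TXT string stays one token
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest.pop(0)
        if rest and rest[0].upper() == 'IN':  # optional class
            rest.pop(0)
        if not rest:
            raise ValueError(f'missing record type: {raw!r}')
        records.append(Record(owner, rest[0].upper(), rest[1:]))
    return records


def _is_ip(text):
    try:
        ipaddress.ip_address(text.rstrip('.'))
        return True
    except ValueError:
        return False


def _lint_spf(owner, spf):
    out = []
    raw_terms = spf.split()[1:]
    alls = [t for t in raw_terms if t.lstrip('+-~?').lower() == 'all']
    if not alls:
        out.append(Finding('warning', owner, 'no "all" term: unlisted senders evaluate to neutral'))
    elif alls[-1].startswith('?'):
        out.append(Finding('error', owner, '"?all" is neutral; receivers treat it like no SPF record at all'))
    elif alls[-1].startswith('~'):
        out.append(Finding('info', owner, '"~all" is softfail; move to "-all" once every sending host is listed'))
    elif not alls[-1].startswith('-'):
        out.append(Finding('error', owner, '"+all" authorizes every host on the internet'))
    costly = [t.lstrip('+-~?').lower() for t in raw_terms
              if t.lstrip('+-~?').lower().split(':')[0] in SPF_LOOKUP_MECHANISMS]
    if costly:
        out.append(Finding('info', owner, f'{costly} each cost the receiver a DNS query; ip4:/ip6: cost none'))
    return out


def lint(records):
    findings = []
    for r in records:
        if r.type == 'A':
            addr = r.rdata[0] if r.rdata else ''
            if addr.endswith('.') or not _is_ip(addr):
                findings.append(Finding('error', r.owner, f'A rdata {addr!r} is not a bare IPv4 address (drop the trailing dot)'))
        elif r.type == 'MX':
            exch = r.rdata[1] if len(r.rdata) == 2 else ''
            if not exch or _is_ip(exch):
                findings.append(Finding('error', r.owner, 'MX exchange must be a hostname, never an IP address'))
            elif exch in (r.owner, '@'):
                findings.append(Finding('warning', r.owner, 'MX points at the domain itself; use a dedicated name such as mail.<domain> so mail can move independently'))
        elif r.type == 'CNAME' and r.owner.startswith('*'):
            findings.append(Finding('warning', r.owner, 'wildcard: any name under the zone resolves and can appear in forged sender addresses; define only the names you use'))
        elif r.type == 'TXT':
            spf = ''.join(r.rdata)                # TXT strings concatenate with no separator
            if spf.lower().startswith('v=spf1'):
                findings.extend(_lint_spf(r.owner, spf))
    return findings


def lint_text(text):
    return lint(parse_zone(text))


def summary(findings):
    counts = {'error': 0, 'warning': 0, 'info': 0}
    for f in findings:
        counts[f.level] += 1
    return counts
```

Calling lint_text(ORIGINAL) reports two errors (the dotted A address and the IP-valued MX), lint_text(REVISED) still reports two (the A address and "?all") plus warnings for the wildcard and the apex MX, and lint_text(SUGGESTED) reports only the informational note that "mx" costs the receiver an extra query.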


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Reindl Harald



On 24.08.2017 at 04:57, Grant Taylor wrote:
> On 08/23/2017 07:50 PM, Reindl Harald wrote:
>> which means again: additional DNS lookups, while IP addresses and ranges
>> are done with a single lookup
>
> Yes, it does mean additional lookups, which there are a finite number of.
>
>> besides it's not true because SPF has nothing to do with PTR and they
>> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
>> how is that related to the topic at all?
>
> It's my understanding that some SPF implementations will do a reverse
> DNS lookup on the connecting IP and test the name from the PTR record
> against the SPF record of the purported sending domain.

that's not the job of SPF at all, and at least no sane implementation
talking about mailservers and DNS is using just the PTR without verifying
it against the A record *because* you can't forge both, but you may
control the PTR records of a random network like we do for our public /24

> Thus the ability for Evil Spammer to arrange for the PTR record of their
> server to return a name that is allowed via SPF

but again: SPF is not about DNS names


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-24 Thread Reindl Harald



On 24.08.2017 at 04:26, John Levine wrote:
> This has nothing to do with BIND, but anyway.
>
> In article  you write:
>> I would personally try to use -all for new domains from the word go.
>
> Only if you want your mail to mysteriously disappear.  There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe.  Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want

sorry but that is FUD

we are hosting some hundred domains and have had -all for *every* domain
for over *8 years*, while the peak of hosted addresses was 25000



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor
On 08/23/2017 08:26 PM, John Levine wrote:
> Only if you want your mail to mysteriously disappear.  There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe.  Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want.

Yes, there are a number of ways that SPF's -all can bite you if you're
not aware of them and / or don't account for them.

I've been using SPF's -all for about 10 years and have had extremely few
problems because of it.

I've had FAR (multiple orders of magnitude) more problems with other
people breaking their SPF record and not able to send me email because
my SPF filter honored what they published.

Despite the potential gotchas, I still believe that enabling SPF's -all
from the get go is a LOT easier than trying to retroactively enable it
after things are already in place.



-- 
Grant. . . .
unix || die


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor
On 08/23/2017 07:50 PM, Reindl Harald wrote:
> which means again: additional DNS lookups, while IP addresses and ranges
> are done with a single lookup

Yes, it does mean additional lookups, which there are a finite number of.

> besides it's not true because SPF has nothing to do with PTR and they
> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
> how is that related to the topic at all?

It's my understanding that some SPF implementations will do a reverse
DNS lookup on the connecting IP and test the name from the PTR record
against the SPF record of the purported sending domain.

Thus the ability for Evil Spammer to arrange for the PTR record of their
server to return a name that is allowed via SPF.



-- 
Grant. . . .
unix || die


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
This has nothing to do with BIND, but anyway.

In article  you write:
>I would personally try to use -all for new domains from the word go.

Only if you want your mail to mysteriously disappear.  There are a lot
of perfectly legitimate ways to send and route mail that SPF cannot
describe.  Unless your name is Paypal or you are otherwise a giant
phish target, -all is not what you want.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald



On 24.08.2017 at 03:31, bind-us...@gtaylor.tnetconsulting.net wrote:
> On 08/23/2017 05:47 PM, Reindl Harald wrote:
>> arrakis.thelounge.net.    86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>>
>> prometheus.thelounge.net. 86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>>
>> otherwise only @example.com *itself* is protected from forging, our
>> homegrown DNS backend automatically publishes SPF records for every
>> hostname in every domain
>
> This might be a case to use the include so that each host can include
> (read: pull in) the SPF record for the parent domain.

which means again: additional DNS lookups, while IP addresses and ranges
are done with a single lookup

> Obviously it depends on how your infrastructure is configured.

in case that stuff is generated - see above

>> also avoid "v=spf1 mx" - why?
>> because it's a useless DNS lookup on the receiver
>> publish IP addresses whenever possible - the connecting IP is known for
>> free, the MX is not relevant on the destination server when receiving
>> email as long as you force the lookup by careless SPF records
>
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX
> servers.  Thereby allowing their bogus server to send email as you

besides it's not true because SPF has nothing to do with PTR and they
won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
how is that related to the topic at all?



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor

On 08/23/2017 07:31 PM, bind-us...@gtaylor.tnetconsulting.net wrote:
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX
> servers.  Thereby allowing their bogus server to send email as you.

It is conceptually possible for SPF filters to do a Forward Confirmation
of a Reverse DNS lookup (a.k.a. FCrDNS), but I wouldn't hold my breath
for such.




--
Grant. . . .
unix || die


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread bind-users

On 08/23/2017 05:47 PM, Reindl Harald wrote:
> arrakis.thelounge.net.    86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> prometheus.thelounge.net. 86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> otherwise only @example.com *itself* is protected from forging, our
> homegrown DNS backend automatically publishes SPF records for every
> hostname in every domain

This might be a case to use the include so that each host can include
(read: pull in) the SPF record for the parent domain.

Obviously it depends on how your infrastructure is configured.

> also avoid "v=spf1 mx" - why?
> because it's a useless DNS lookup on the receiver
> publish IP addresses whenever possible - the connecting IP is known for
> free, the MX is not relevant on the destination server when receiving
> email as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in
their IP space that reverse resolves to a name of one of your MX
servers.  Thereby allowing their bogus server to send email as you.




--
Grant. . . .
unix || die






Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald



On 23.08.2017 at 22:59, Tom Browder wrote:
> On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder  wrote:
> ...
>> I have a single remote server with one IP address (142.54.186.2) I am using
>> it to host multiple, independent domains.  I am working on configuring a
>> single postfix instance to serve mail for all domains (assuming I can
>> successfully rewrite appropriate parts of mail in and out).
>>
>> Given such a configuration described in the first paragraph, does the
>> following set of DNS records for a domain look appropriate:
>
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  X.TLD.
> X.TLD.    IN  TXT    "v=spf1 mx ?all"
>
> How's that set?

terrible - the wildcard would allow forged mail with "@a.x.tld",
"@b.x.tld" and so on, and the "?all" SPF is completely useless

why is it important to not allow random hostnames?

because you should have SPF records for every valid hostname
http://www.openspf.org/FAQ/Common_mistakes
http://www.openspf.org/FAQ/Common_mistakes#helo

arrakis.thelounge.net.    86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

prometheus.thelounge.net. 86399  IN  SPF  "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

otherwise only @example.com *itself* is protected from forging, our
homegrown DNS backend automatically publishes SPF records for every
hostname in every domain

also avoid "v=spf1 mx" - why?
because it's a useless DNS lookup on the receiver
publish IP addresses whenever possible - the connecting IP is known for
free, the MX is not relevant on the destination server when receiving
email as long as you force the lookup by careless SPF records



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald


On 23.08.2017 at 21:58, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with

for the sake of god don't use "?all"
in that case you can skip SPF completely

why?

because a receiver can't use whitelisting based on SPF: whitelist_auth in
SpamAssassin just skips an "I do not care about SPF" record, while "~all"
qualifies for SPF_PASS and whitelisting, and the scoring of a
SPF_SOFT_FAIL is much lower than SPF_FAIL

"?all" is the same as not having an SPF record at all in reality

and in 2017 people *have* to use the submission server which belongs to
a domain and not any random one, while any random one should not allow
sending mail with a foreign envelope to start with - all those crap servers
should be banned from the internet and spam filtering would become so
much easier

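
Three points argued across this thread can be made concrete by running the receiver's side of SPF: what "?all", "~all" and "-all" each return for an unlisted host, how many DNS queries "mx" or "include:" cost compared with a bare "ip4:", and whether a forged PTR record can buy a spammer a pass. The following is an added example written for this page, not code from any poster: a minimal check_host() in the style of RFC 7208 evaluated against an in-memory DNS table, counting every query. It also implements the "ptr" mechanism that RFC 7208 defines (and advises against): that mechanism does exactly the forward confirmation discussed above, so a PTR name only matches if it resolves back to the connecting IP. The zone names, the spammer address 198.51.100.7 and all DNS data are constructed for the example; 142.54.186.2 is the server from the thread.

```python
"""Minimal SPF check_host() (RFC 7208) against an in-memory DNS table.

Added example for this thread, not code from any poster. It implements the
mechanisms argued about above (ip4, a, mx, ptr, include, all), counts the
DNS queries a receiver has to make for each record, and applies the
ten-lookup limit of RFC 7208 section 4.6.4.
"""
import ipaddress

QUALIFIER_RESULT = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}
LOOKUP_MECHANISMS = {'a', 'mx', 'ptr', 'include', 'exists'}

# Constructed DNS data. 142.54.186.2 is the server from the thread; the
# names (x.tld, mail.x.tld, the other .tld zones) and 198.51.100.7 (a
# hypothetical spammer's host) are assumptions made for this example.
DNS = {
    ('x.tld', 'TXT'):       ['v=spf1 mx -all'],
    ('x.tld', 'MX'):        ['mail.x.tld'],
    ('mail.x.tld', 'A'):    ['142.54.186.2'],
    ('addr.tld', 'TXT'):    ['v=spf1 ip4:142.54.186.2 -all'],
    ('soft.tld', 'TXT'):    ['v=spf1 ip4:142.54.186.2 ~all'],
    ('neutral.tld', 'TXT'): ['v=spf1 ip4:142.54.186.2 ?all'],
    ('inc.tld', 'TXT'):     ['v=spf1 include:x.tld -all'],
    ('ptr.tld', 'TXT'):     ['v=spf1 ptr:x.tld -all'],
    # Reverse zones: the real server's PTR is honest; the spammer, who
    # controls reverse DNS for their own block, points theirs at our MX name.
    ('2.186.54.142.in-addr.arpa', 'PTR'): ['mail.x.tld'],
    ('7.100.51.198.in-addr.arpa', 'PTR'): ['mail.x.tld'],
}


class Resolver:
    """Answers from the table and counts every query the receiver would send."""

    def __init__(self, table):
        self.table = table
        self.queries = 0
        self.mechanism_lookups = 0      # the count RFC 7208 caps at ten

    def query(self, name, rtype):
        self.queries += 1
        return list(self.table.get((name.lower().rstrip('.'), rtype), []))


def _spf_record(res, domain):
    txt = [t for t in res.query(domain, 'TXT')
           if t.lower() == 'v=spf1' or t.lower().startswith('v=spf1 ')]
    if len(txt) > 1:
        raise ValueError('more than one SPF record')   # permerror, RFC 7208 4.5
    return txt[0] if txt else None


def _evaluate(res, ip, domain):
    try:
        record = _spf_record(res, domain)
    except ValueError:
        return 'permerror'
    if record is None:
        return 'none'
    addr_type = 'A' if ip.version == 4 else 'AAAA'
    for term in record.split()[1:]:
        if '=' in term:                 # modifiers (redirect=, exp=) are out of scope here
            continue
        qual = '+'
        if term[0] in QUALIFIER_RESULT:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(':')
        if mech in LOOKUP_MECHANISMS:
            res.mechanism_lookups += 1
            if res.mechanism_lookups > 10:
                return 'permerror'
        target = arg or domain
        matched = False
        try:
            if mech == 'all':
                matched = True
            elif mech in ('ip4', 'ip6'):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == 'a':
                matched = str(ip) in res.query(target, addr_type)
            elif mech == 'mx':
                matched = any(str(ip) in res.query(mx, addr_type)
                              for mx in res.query(target, 'MX'))
            elif mech == 'ptr':
                # Forward-confirmed reverse DNS: a PTR name counts only if it
                # resolves back to the connecting IP, so a forged PTR alone fails.
                for name in res.query(ip.reverse_pointer, 'PTR'):
                    if str(ip) in res.query(name, addr_type) and (
                            name == target or name.endswith('.' + target)):
                        matched = True
                        break
            elif mech == 'exists':
                matched = bool(res.query(arg, 'A'))
            elif mech == 'include':
                sub = _evaluate(res, ip, arg)
                if sub in ('none', 'permerror', 'temperror'):
                    return 'permerror'
                matched = sub == 'pass'
            else:
                return 'permerror'      # unknown mechanism
        except ValueError:
            return 'permerror'          # malformed ip4:/ip6: argument
        if matched:
            return QUALIFIER_RESULT[qual]
    return 'neutral'                    # nothing matched and no 'all' term


def check_host(ip, domain, table=DNS):
    """Return (spf_result, dns_queries_made) for a connecting IP and sender domain."""
    res = Resolver(table)
    return _evaluate(res, ipaddress.ip_address(ip), domain), res.queries
```

With this table, check_host('142.54.186.2', 'x.tld') passes after three queries (TXT, MX, A) while check_host('142.54.186.2', 'addr.tld') passes after one, which is the cost difference between "mx" and "ip4:" raised above. For the spammer's address the same "-all" record fails, "~all" softfails and "?all" returns neutral, the result a receiver cannot act on. The forged PTR for 198.51.100.7 does not help against "ptr:x.tld" because mail.x.tld does not resolve to that address, and "include:x.tld" adds a further TXT query on top of the included record's own lookups.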


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 17:32 Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
...

> I would encourage you to contemplate adding DNSSEC support.  DNSSEC will
> enable multiple other options down the road.


I plan to do all that, including running my own nameservers with bind. But
that is down the road a bit. This a hobby and I can only put so much time
in with each kitchen pass!

Thanks.

-Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 17:25 Alan Clegg  wrote:

> Now you broke the A record.  Get rid of the trailing dot.
>

Done.

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users

On 08/23/2017 01:28 PM, Tom Browder wrote:
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  142.54.186.2.
> X.TLD.    IN  TXT    "v=spf1 mx -all"


I would encourage you to contemplate adding DNSSEC support.  DNSSEC will 
enable multiple other options down the road.


Further, BIND makes it trivial to have it manage most of DNSSEC for you.

Don't forget your obligatory SOA and NS records for the zones themselves.

You may end up adding TXT records to authenticate your site for various 
Google services.


Depending on what you're doing for SSL certificates, you may be 
interested in CAA records to publish which CA is allowed to issue 
certificates for you.  Possibly DNS based authentication for Let's 
Encrypt via TXT records at the _acme-challenge.example.com name.


You may end up creating various additional TXT records for things like 
DMARC / DKIM.


Finally, I personally like to use Tarbaby from Junk Email Filter as a 
high order MX (99) to help cut down on spam.




--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor

On 08/23/2017 02:59 PM, Tom Browder wrote:
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  X.TLD.
> X.TLD.    IN  TXT    "v=spf1 mx ?all"
>
> How's that set?


I would suggest that you point your MX record(s) to a hostname and not 
the domain name itself.


Using the hostname will allow you to move email if (read: when) you ever 
need to move it to another server.  -  I.e. you can move 
mail.example.com to a different server without having to worry about 
reconfiguring everything that was using example.com.


Similarly, I always used smtp.example.com for outgoing and 
pop3.example.com and / or imap.example.com for incoming email servers.


Start with something that will be flexible and allow you to change as 
you grow in the future.  -  Even if growth is simply replacing the aging 
server in five years with its new counterpart.




--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users

On 08/23/2017 01:58 PM, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.


I agree that ~all or ?all is good advice for existing domains.

I would personally try to use -all for new domains from the word go.

Brand new domains give you the unique opportunity of doing things 
correctly without any legacy ... cruft ... to support / be compatible with.


So if you want to end up with a -all, I'd suggest starting with it.



--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
In article  you write:
>> X.TLD   IN   MX   10 mail.example.com.
>>
>> is perfectly valid, and quite common for people who don't host their own 
>> e-mail.
>
>Okay, but for now each domain will have its one mail server.

If you have one host with one IP, I hope you have one mail server
since only one process can listen on port 25 on a single IP.  Any
normal mail server can host mail for many domains.  My little 1U
server handles 140 different mail domains and it certainly isn't
listening on 140 IPs.

>> Also, why the wildcard CNAME record?  It's definitely not essential to
>> your example.
>
>I believe it will be needed for my wild card TLS certificates.

Nope.  You can have a *.example.com certificate and set up your DNS
and web server for specific names foo.example.com and bar.example.com
and however many others you actually use.

Unless you have special coding in your web sites to handle arbitrary
random domain names, you will probably give people a lot of mysterious
404 pages when they try names you haven't configured.

>Good point, I'll change to "?all" instead.

Right, -all is asking for trouble.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder  wrote:
...
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look look appropriate:

Based on all the comments, I've modified the OP list to this:

# For each domain X.TLD:
X.TLD.    IN  A      142.54.186.2.
*.X.TLD.  IN  CNAME  X.TLD.
X.TLD.    IN  MX     10  X.TLD.
X.TLD.    IN  TXT    "v=spf1 mx ?all"

How's that set?

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:58 PM, John Miller  wrote:
> Hi Tom,
>
> You'll want to change your MX records to point to the name, rather
> than the IP, of your mail server.  Note that your MX target does _not_
> have to be in the same domain as the one it's serving mail for.  For
> example:
>
> X.TLD   IN   MX   10 mail.example.com.
>
> is perfectly valid, and quite common for people who don't host their own 
> e-mail.

Okay, but for now each domain will have its one mail server.

> If you give us some specific domain names that you're hosting for,
> we'll be able to help further.

Okay, I'll do that if necessary.

> Also, why the wildcard CNAME record?  It's definitely not essential to
> your example.

I believe it will be needed for my wild card TLS certificates.

> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.

Good point, I'll change to "?all" instead.

Thanks, John.

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:54 PM, Alan Clegg  wrote:
> MX record needs a name and not an IP address.  Beyond that, seems fine.

Thanks, Alan.

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 3:01 PM,   wrote:
> MX records cannot point to an IP address.  try this:
>
> x.tld   MX  10  x.tld.

Thanks, William!

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 14:54 McDonald, Daniel (Dan) wrote:
>
> I don't believe you can use an IP address in an MX record.  You should use
> X.TLD instead, or more likely whatever the main address of the server is
> (whatever the reverse address resolves to)
...
> You don’t have an SOA record, or NS records.  Those are also required,

I should have been a little clearer about the DNS server: I'm using
Namecheap so some things like SOA and NS records are done using their
entry form.

I'll change the MX record.

Thanks, Dan!

-Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread wbrown
MX records cannot point to an IP address.  try this:

x.tld   MX  10  x.tld.

--
William Brown
Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

"bind-users" <bind-users-boun...@lists.isc.org> wrote on 08/23/2017 
03:28:12 PM:

> From: Tom Browder <tom.brow...@gmail.com>
> To: bind-users@lists.isc.org
> Date: 08/23/2017 03:29 PM
> Subject: Need DNS records help for single server (and IP), and 
> multi-domain mail server.
> Sent by: "bind-users" <bind-users-boun...@lists.isc.org>
> 
> I have a single remote server with one IP address (142.54.186.2) I 
> am using it to host multiple, independent domains.  I am working on 
> configuring a single postfix instance to serve mail for all domains 
> (assuming I can successfully rewrite appropriate parts of mail in and 
out).
> 
> From referring to "DNS and BIND" and previous discussions here and 
> on the postfix users list I have re-examined my domain DNS records 
> to see if I can cover my requirements more easily.
> 
> Given such a configuration described in the first paragraph, does 
> the following set of DNS records for a domain look appropriate:
> 
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  142.54.186.2.
> X.TLD.    IN  TXT    "v=spf1 mx -all"
> 
> Thanks.
> 
> With warmest regards,
> 
> -Tom
> 


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Miller
Hi Tom,

You'll want to change your MX records to point to the name, rather
than the IP, of your mail server.  Note that your MX target does _not_
have to be in the same domain as the one it's serving mail for.  For
example:

X.TLD   IN   MX   10 mail.example.com.

is perfectly valid, and quite common for people who don't host their own e-mail.

If you give us some specific domain names that you're hosting for,
we'll be able to help further.

Also, why the wildcard CNAME record?  It's definitely not essential to
your example.

Finally, be _very_ careful about using the SPF qualifier "-all" to
start out with.  What you're saying there is that the only server
authorized to _send_ mail for X.TLD is the one listed in the MX.
Unless people are always logging directly into the mail server to
send, you're better off with "~all" or "?all" to begin with.

John

On Wed, Aug 23, 2017 at 3:28 PM, Tom Browder  wrote:
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN  A      142.54.186.2.
> *.X.TLD.  IN  CNAME  X.TLD.
> X.TLD.    IN  MX     10  142.54.186.2.
> X.TLD.    IN  TXT    "v=spf1 mx -all"
>
> Thanks.
>
> With warmest regards,
>
> -Tom


Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
I have a single remote server with one IP address (142.54.186.2) I am using
it to host multiple, independent domains.  I am working on configuring a
single postfix instance to serve mail for all domains (assuming I can
successfully rewrite appropriate parts of mail in and out).

From referring to "DNS and BIND" and previous discussions here and on the
postfix users list I have re-examined my domain DNS records to see if I can
cover my requirements more easily.

Given such a configuration described in the first paragraph, does the
following set of DNS records for a domain look appropriate:

# For each domain X.TLD:
X.TLD.    IN  A      142.54.186.2.
*.X.TLD.  IN  CNAME  X.TLD.
X.TLD.    IN  MX     10  142.54.186.2.
X.TLD.    IN  TXT    "v=spf1 mx -all"

Thanks.

With warmest regards,

-Tom