Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Thu, Aug 24, 2017 at 03:17 Matus UHLAR - fantomas wrote:
...
> I suggest
> - replace X.TLD. with "@" (BIND uses this as current origin)
>
> the result is:
>
> @ IN A 142.54.186.2
> @ IN MX 10 mail.example.com.
> @ IN TXT "v=spf1 mx -all"

Thanks, Matus.

-Tom
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 23.08.17 19:28, Tom Browder wrote:
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains. I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 142.54.186.2.
> X.TLD.    IN TXT   "v=spf1 mx -all"

as others suggested:
- get rid of the wildcard whenever possible
- get rid of the trailing dot in A record
- point MX to canonical name of the server

I suggest
- replace X.TLD. with "@" (BIND uses this as current origin)

the result is:

@ IN A 142.54.186.2
@ IN MX 10 mail.example.com.
@ IN TXT "v=spf1 mx -all"

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Chernobyl was an Windows 95 beta test site.
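The record-level fixes listed in the message above (wildcard owner, trailing dot on the A address, MX pointing at an IP), written as a small checker and run over the records as first posted and as corrected. This is an added example, not code from the thread; the function names are hypothetical and the parser assumes only the simple `owner IN TYPE rdata` lines shown here.

```python
import ipaddress
import shlex

# Records as first posted in the thread (embedded here as sample input).
POSTED = '''
# For each domain X.TLD:
X.TLD.    IN A     142.54.186.2.
*.X.TLD.  IN CNAME X.TLD.
X.TLD.    IN MX 10 142.54.186.2.
X.TLD.    IN TXT   "v=spf1 mx -all"
'''

# Records after the fixes suggested in the thread.
FIXED = '''
@ IN A 142.54.186.2
@ IN MX 10 mail.example.com.
@ IN TXT "v=spf1 mx -all"
'''


def is_ip(text):
    """True if text (ignoring trailing dots) parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def parse(zone_text):
    """Yield (owner, rtype, rdata_fields) for 'owner IN TYPE rdata...' lines."""
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        fields = shlex.split(line)  # keeps a quoted TXT string as one field
        if len(fields) < 4 or fields[1].upper() != "IN":
            continue
        yield fields[0], fields[2].upper(), fields[3:]


def lint(zone_text):
    """Return a list of (owner, rtype, problem) findings."""
    findings = []
    for owner, rtype, rdata in parse(zone_text):
        if rtype == "A":
            if rdata[0].endswith("."):
                # An A record holds an address, not a name: no trailing dot.
                findings.append((owner, rtype, "trailing dot on address"))
            elif not is_ip(rdata[0]):
                findings.append((owner, rtype, "not an IP address"))
        elif rtype == "MX":
            if len(rdata) < 2 or not rdata[0].isdigit():
                findings.append((owner, rtype, "missing preference"))
            elif is_ip(rdata[1]):
                findings.append((owner, rtype, "target is an IP address, must be a host name"))
        if owner.startswith("*."):
            findings.append((owner, rtype, "wildcard owner name"))
    return findings


if __name__ == "__main__":
    for label, zone in (("posted", POSTED), ("fixed", FIXED)):
        print(label)
        for finding in lint(zone):
            print("  ", *finding)
```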
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 24.08.2017 at 04:57, Grant Taylor wrote:
> On 08/23/2017 07:50 PM, Reindl Harald wrote:
>> which means again: additional dns lookups while ip-addresses and ranges
>> are done with a single lookup
>
> Yes, it does mean additional lookups, which there are a finite number of.
>
>> besides it's not true because SPF has nothing to do with PTR and they
>> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
>> how is that related to the topic at all?
>
> It's my understanding that some SPF implementations will do a reverse DNS
> lookup on the connecting IP and test the name from the PTR record against
> the SPF record of the purported sending domain.

that's not the job of SPF at all and at least no sane implementation talking about mailservers and DNS is using just the PTR without verifying it against the A-record *because* you can't forge both but you may control the PTR records of a random network like we do for our public /24

> Thus the ability for Evil Spammer to arrange for the PTR record of their
> server to return a name that is allowed via SPF

but again: SPF is not about dns names
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 24.08.2017 at 04:26, John Levine wrote:
> This has nothing to do with BIND, but anyway.
>
> In article you write:
>> I would personally try to use -all for new domains from the word go.
>
> Only if you want your mail to mysteriously disappear. There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe. Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want

sorry but that is FUD

we are hosting some hundred domains and have for *every* domain -all over *8 years* while the peak of hosted addresses was 25000
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 08:26 PM, John Levine wrote:
> Only if you want your mail to mysteriously disappear. There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe. Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want.

Yes, there are a number of ways that SPF's -all can bite you if you're not aware of them and / or don't account for them.

I've been using SPF's -all for about 10 years and have had extremely few problems because of it. I've had FAR (multiple orders of magnitude) more problems with other people breaking their SPF record and not able to send me email because my SPF filter honored what they published.

Despite the potential gotchas, I still believe that enabling SPF's -all from the get go is a LOT easier than trying to retroactively enable it after things are already in place.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 07:50 PM, Reindl Harald wrote:
> which means again: additional dns lookups while ip-addresses and ranges
> are done with a single lookup

Yes, it does mean additional lookups, which there are a finite number of.

> besides it's not true because SPF has nothing to do with PTR and they
> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
> how is that related to the topic at all?

It's my understanding that some SPF implementations will do a reverse DNS lookup on the connecting IP and test the name from the PTR record against the SPF record of the purported sending domain.

Thus the ability for Evil Spammer to arrange for the PTR record of their server to return a name that is allowed via SPF.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
This has nothing to do with BIND, but anyway.

In article you write:
>I would personally try to use -all for new domains from the word go.

Only if you want your mail to mysteriously disappear. There are a lot of perfectly legitimate ways to send and route mail that SPF cannot describe. Unless your name is Paypal or you are otherwise a giant phish target, -all is not what you want.

R's,
John
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 24.08.2017 at 03:31, bind-us...@gtaylor.tnetconsulting.net wrote:
> On 08/23/2017 05:47 PM, Reindl Harald wrote:
>> arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>> prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>>
>> otherwise only @example.com *itself* is protected from forging, our
>> homegrown DNS backend automatically publishes SPF records for every
>> hostname in every domain
>
> This might be a case to use the include so that each host can include
> (read: pull in) the SPF record for the parent domain.

which means again: additional dns lookups while ip-addresses and ranges are done with a single lookup

> Obviously it depends on how your infrastructure is configured.

in case that stuff is generated - see above

>> also avoid "v=spf1 mx" - why? because it's a useless DNS lookup on the
>> receiver
>>
>> publish ip-addresses whenever possible - the connecting IP is known for
>> free, the MX is not relevant on the destination server when receive
>> email as long as you force the lookup by careless SPF records
>
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX servers.
> Thereby allowing their bogus server to send email as you

besides it's not true because SPF has nothing to do with PTR and they won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS how is that related to the topic at all?
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 07:31 PM, bind-us...@gtaylor.tnetconsulting.net wrote:
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX servers.
> Thereby allowing their bogus server to send email as you.

It is conceptually possible for SPF filters to do a Forward Confirmation of a Reverse DNS lookup (a.k.a. FCrDNS), but I wouldn't hold my breath for such.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 05:47 PM, Reindl Harald wrote:
> arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
> prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> otherwise only @example.com *itself* is protected from forging, our
> homegrown DNS backend automatically publishes SPF records for every
> hostname in every domain

This might be a case to use the include so that each host can include (read: pull in) the SPF record for the parent domain.

Obviously it depends on how your infrastructure is configured.

> also avoid "v=spf1 mx" - why? because it's a useless DNS lookup on the
> receiver
>
> publish ip-addresses whenever possible - the connecting IP is known for
> free, the MX is not relevant on the destination server when receive
> email as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in their IP space that reverse resolves to a name of one of your MX servers. Thereby allowing their bogus server to send email as you.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 23.08.2017 at 22:59, Tom Browder wrote:
> On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder wrote:
> ...
>> I have a single remote server with one IP address (142.54.186.2) I am using
>> it to host multiple, independent domains. I am working on configuring a
>> single postfix instance to serve mail for all domains (assuming I can
>> successfully rewrite appropriate parts of mail in and out).
>>
>> Given such a configuration described in the first paragraph, does the
>> following set of DNS records for a domain look appropriate:
>
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 X.TLD.
> X.TLD.    IN TXT   "v=spf1 mx ?all"
>
> How's that set?

terrible - the wildcard would allow forged mail with "@a.x.tld", "@b.x.tld" and so on and the "?all" SPF is completely useless

why it is important to not allow random hostnames?
because you should have SPF records for every valid hostname

http://www.openspf.org/FAQ/Common_mistakes
http://www.openspf.org/FAQ/Common_mistakes#helo

arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

otherwise only @example.com *itself* is protected from forging, our homegrown DNS backend automatically publishes SPF records for every hostname in every domain

also avoid "v=spf1 mx" - why? because it's a useless DNS lookup on the receiver

publish ip-addresses whenever possible - the connecting IP is known for free, the MX is not relevant on the destination server when receive email as long as you force the lookup by careless SPF records
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 23.08.2017 at 21:58, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with. What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with

for the sake of god don't use "?all"
in that case you can skip SPF completely

why? because a receiver can't use whitelist based on SPF because whitelist_auth in SpamAssassin just skip a "i do not care about SPF" record while "~all" qualifies for SPF_PASS and whitelisting while the scoring of a SPF_SOFT_FAIL is much lower than SPF_FAIL

"?all" is the same as not have a SPF record at all in reality

and in 2017 people *have* to use the submission server which belongs to a domain and not any random one while any random one should not allow to send mail with a foreign envelope to start with - all that crap servers should be banned from the internet and spamfiltering would become so much easier
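The two SPF points argued in the messages above, shown with a minimal evaluator: what the `?all`, `~all` and `-all` qualifiers return for a sender that is not listed, and how many receiver-side DNS queries `mx` costs compared with `ip4`. This is an added example, not code from the thread; it handles only the `ip4`, `a`, `mx` and `all` mechanisms, the DNS table is constructed (no network access), and 203.0.113.9 is a made-up unlisted sender.

```python
import ipaddress

# Constructed DNS data: x.tld with the MX target suggested in the thread.
DNS = {
    ("x.tld", "MX"): ["mail.example.com"],
    ("x.tld", "A"): ["142.54.186.2"],
    ("mail.example.com", "A"): ["142.54.186.2"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class CountingResolver:
    """Answers from the constructed table and counts every query made."""

    def __init__(self, table):
        self.table = table
        self.queries = 0

    def lookup(self, name, rtype):
        self.queries += 1
        return self.table.get((name.lower().rstrip("."), rtype), [])


def evaluate(record, sender_ip, domain, resolver):
    """Return (result, queries) for sender_ip against one SPF record.

    queries counts lookups triggered by mechanisms only; fetching the
    SPF TXT record itself is not included.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", resolver.queries
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            # Compared against the connecting IP directly: no DNS query.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = sender_ip in resolver.lookup(arg or domain, "A")
        elif name == "mx":
            # One MX query plus one address query per MX host.
            matched = any(
                sender_ip in resolver.lookup(host, "A")
                for host in resolver.lookup(arg or domain, "MX")
            )
        else:
            raise ValueError("mechanism not handled in this example: " + name)
        if matched:
            return QUALIFIERS[qualifier], resolver.queries
    return "neutral", resolver.queries  # nothing matched: RFC 7208 default


def check(record, sender_ip, domain="x.tld"):
    """Evaluate with a fresh resolver so the query count is per check."""
    return evaluate(record, sender_ip, domain, CountingResolver(DNS))


if __name__ == "__main__":
    for record in ("v=spf1 mx ?all", "v=spf1 mx ~all", "v=spf1 mx -all",
                   "v=spf1 ip4:142.54.186.2 -all"):
        for sender in ("142.54.186.2", "203.0.113.9"):
            print(record, sender, check(record, sender))
```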
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 17:32 Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
...
> I would encourage you to contemplate adding DNSSEC support. DNSSEC will
> enable multiple other options down the road.

I plan to do all that, including running my own nameservers with bind. But that is down the road a bit. This is a hobby and I can only put so much time in with each kitchen pass!

Thanks.

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 17:25 Alan Clegg wrote:
> Now you broke the A record. Get rid of the trailing dot.

Done.
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 01:28 PM, Tom Browder wrote:
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 142.54.186.2.
> X.TLD.    IN TXT   "v=spf1 mx -all"

I would encourage you to contemplate adding DNSSEC support. DNSSEC will enable multiple other options down the road. Further, BIND makes it trivial to have it manage most of DNSSEC for you.

Don't forget your obligatory SOA and NS records for the zones themselves.

You may end up adding TXT records to authenticate your site for various Google services.

Depending on what you're doing for SSL certificates, you may be interested in CAA records to publish which CA is allowed to issue certificates for you. Possibly DNS based authentication for Let's Encrypt via TXT records at the _acme-challenge.example.com name.

You may end up creating various additional TXT records for things like DMARC / DKIM.

Finally, I personally like to use Tarbaby from Junk Email Filter as a high order MX (99) to help cut down on spam.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 02:59 PM, Tom Browder wrote:
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 X.TLD.
> X.TLD.    IN TXT   "v=spf1 mx ?all"
>
> How's that set?

I would suggest that you point your MX record(s) to a hostname and not the domain name itself.

Using the hostname will allow you to move email if (read: when) you ever need to move it to another server. - I.e. you can move mail.example.com to a different server without having to worry about reconfiguring everything that was using example.com.

Similarly, I always used smtp.example.com for outgoing and pop3.example.com and / or imap.example.com for incoming email servers.

Start with something that will be flexible and allow you to change as you grow in the future. - Even if growth is simply replacing the aging server in five years with its new counterpart.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On 08/23/2017 01:58 PM, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with. What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.

I agree that ~all or ?all is good advice for existing domains.

I would personally try to use -all for new domains from the word go.

Brand new domains give you the unique opportunity of doing things correctly without any legacy ... cruft ... to support / be compatible with. So if you want to end up with a -all, I'd suggest starting with it.

--
Grant. . . .
unix || die
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
In article you write:
>> X.TLD IN MX 10 mail.example.com.
>>
>> is perfectly valid, and quite common for people who don't host their own
>> e-mail.
>
>Okay, but for now each domain will have its one mail server.

If you have one host with one IP, I hope you have one mail server since only one process can listen on port 25 on a single IP. Any normal mail server can host mail for many domains. My little 1U server handles 140 different mail domains and it certainly isn't listening on 140 IPs.

>> Also, why the wildcard CNAME record? It's definitely not essential to
>> your example.
>
>I believe it will be needed for my wild card TLS certificates.

Nope. You can have a *.example.com certificate and set up your DNS and web server for specific names foo.example.com and bar.example.com and however many others you actually use. Unless you have special coding in your web sites to handle arbitrary random domain names, you will probably give people a lot of mysterious 404 pages when they try names you haven't configured.

>Good point, I'll change to "?all" instead.

Right, -all is asking for trouble.

R's,
John
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder wrote:
...
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains. I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:

Based on all the comments, I've modified the OP list to this:

# For each domain X.TLD:
X.TLD.    IN A     142.54.186.2.
*.X.TLD.  IN CNAME X.TLD.
X.TLD.    IN MX 10 X.TLD.
X.TLD.    IN TXT   "v=spf1 mx ?all"

How's that set?

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 2:58 PM, John Miller wrote:
> Hi Tom,
>
> You'll want to change your MX records to point to the name, rather
> than the IP, of your mail server. Note that your MX target does _not_
> have to be in the same domain as the one it's serving mail for. For
> example:
>
> X.TLD IN MX 10 mail.example.com.
>
> is perfectly valid, and quite common for people who don't host their own
> e-mail.

Okay, but for now each domain will have its one mail server.

> If you give us some specific domain names that you're hosting for,
> we'll be able to help further.

Okay, I'll do that if necessary.

> Also, why the wildcard CNAME record? It's definitely not essential to
> your example.

I believe it will be needed for my wild card TLS certificates.

> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with. What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.

Good point, I'll change to "?all" instead.

Thanks, John.

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 2:54 PM, Alan Clegg wrote:
> MX record needs a name and not an IP address. Beyond that, seems fine.

Thanks, Alan.

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 3:01 PM, wrote:
> MX records cannot point to an IP address. try this:
>
> x.tld MX 10 x.tld.

Thanks, William!

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
On Wed, Aug 23, 2017 at 14:54 McDonald, Daniel (Dan) wrote:
>
> I don’t believe you can use an IP address in an MX record. You should use
> X.TLD instead, or more likely whatever the main address of the server is
> (whatever the reverse address resolves to)
...
> You don’t have an SOA record, or NS records. Those are also required,

I should have been a little clearer about the DNS server: I'm using Namecheap so some things like SOA and NS records are done using their entry form.

I'll change the MX record.

Thanks, Dan!

-Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
MX records cannot point to an IP address. try this:

x.tld MX 10 x.tld.

--
William Brown
Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

"bind-users" <bind-users-boun...@lists.isc.org> wrote on 08/23/2017 03:28:12 PM:

> From: Tom Browder <tom.brow...@gmail.com>
> To: bind-users@lists.isc.org
> Date: 08/23/2017 03:29 PM
> Subject: Need DNS records help for single server (and IP), and
> multi-domain mail server.
> Sent by: "bind-users" <bind-users-boun...@lists.isc.org>
>
> I have a single remote server with one IP address (142.54.186.2) I
> am using it to host multiple, independent domains. I am working on
> configuring a single postfix instance to serve mail for all domains
> (assuming I can successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and
> on the postfix users list I have re-examined my domain DNS records
> to see if I can cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does
> the following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 142.54.186.2.
> X.TLD.    IN TXT   "v=spf1 mx -all"
>
> Thanks.
>
> With warmest regards,
>
> -Tom
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
Hi Tom,

You'll want to change your MX records to point to the name, rather than the IP, of your mail server. Note that your MX target does _not_ have to be in the same domain as the one it's serving mail for. For example:

X.TLD IN MX 10 mail.example.com.

is perfectly valid, and quite common for people who don't host their own e-mail.

If you give us some specific domain names that you're hosting for, we'll be able to help further.

Also, why the wildcard CNAME record? It's definitely not essential to your example.

Finally, be _very_ careful about using the SPF qualifier "-all" to start out with. What you're saying there is that the only server authorized to _send_ mail for X.TLD is the one listed in the MX. Unless people are always logging directly into the mail server to send, you're better off with "~all" or "?all" to begin with.

John

On Wed, Aug 23, 2017 at 3:28 PM, Tom Browder wrote:
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains. I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.    IN A     142.54.186.2.
> *.X.TLD.  IN CNAME X.TLD.
> X.TLD.    IN MX 10 142.54.186.2.
> X.TLD.    IN TXT   "v=spf1 mx -all"
>
> Thanks.
>
> With warmest regards,
>
> -Tom
Need DNS records help for single server (and IP), and multi-domain mail server.
I have a single remote server with one IP address (142.54.186.2) I am using it to host multiple, independent domains. I am working on configuring a single postfix instance to serve mail for all domains (assuming I can successfully rewrite appropriate parts of mail in and out).

From referring to "DNS and BIND" and previous discussions here and on the postfix users list I have re-examined my domain DNS records to see if I can cover my requirements more easily.

Given such a configuration described in the first paragraph, does the following set of DNS records for a domain look appropriate:

# For each domain X.TLD:
X.TLD.    IN A     142.54.186.2.
*.X.TLD.  IN CNAME X.TLD.
X.TLD.    IN MX 10 142.54.186.2.
X.TLD.    IN TXT   "v=spf1 mx -all"

Thanks.

With warmest regards,

-Tom