Re: getting mail to work

2007-03-14 Thread NetOpsCenter

Jeffrey Goldberg wrote:


On Mar 13, 2007, at 8:17 PM, jekillen wrote:



On Mar 12, 2007, at 5:14 PM, RW wrote:




Just as long as you understand the distinction between forward and
reverse DNS. Based on the whois record for your IP address, at the
moment you appear to have the following reverse DNS for the address
range 75.7.236.224 - 75.7.236.231:

$ for i in `jot  8 224` ; do dig +short -x 75.7.236.$i  ; done
adsl-75-7-236-224.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-225.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-226.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-227.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-228.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-229.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-230.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-231.dsl.irvnca.sbcglobal.net.






OK, it appears that it is the ISP's name servers who
are responding. When I call up my sites I get to the
machines they are on according to my present
DNS setup.



But that is what the public sees.  If (which I strongly doubt) your  
own internal nameservers give a different result to


$ dig +short -x 75.7.236.224

then it still makes no difference to the rest of the world which,  
when doing a *reverse* lookup on your IP address doesn't get anything  
that looks like your domain name.




try www.brushandbard.com



That's not the question.  RW was (correctly) talking about *reverse*  
DNS, aka DNS PTR records.  That is we are looking at the translation  
*from* number *to* name.


If you look up one of my static IP addresses

$  dig +short -x 72.64.118.115
n115.ewd.goldmark.org.

you get that instead of

 static-72-64-118-115.dllstx.fios.verizon.net

It took me many unpleasant hours on the phone to Verizon to get the  
reverse look up the way it is now.  I spent those hours on the phone  
specifically because I did want to run my own direct to MX mailserver.

#


I just got this above problem cleared up with the Network that supplies
my lines and IP addresses.


Is this a common practice that the static IP you get from a Network
Provider will reflect the Network Provider's ID, not yours? I guess then
you have to include what you expect in your order for a line/s and IP/s
for running mail servers.


Al Plant
NetOpsCenter  hdk5.net

#

My mailserver sends out mail as being from lists.shepard-families.org  
(in the envelope and header froms) but identifies itself as  
gecko.ewd.goldmark.org


a regular look up of either of those returns

  72.64.118.115

A reverse of that turns up

 n115.ewd.goldmark.org

which when you do a regular lookup gets you

 72.64.118.115

So my machine is claiming to be in goldmark.org, and doing a reverse  
lookup on its IP address points you back to goldmark.org.  So that  
strongly suggests that when it identifies itself as goldmark.org, it  
is doing so with the consent not only of the person who controls the  
goldmark.org domain, but also with the consent of the person (in this  
case Verizon) who controls the IP address of the machine.


If mail from my machine failed this IP -- name1 -- IP -- name2 --  
IP test (the test being that name1 and name2 are in the same domain  
and that IP is the same IP throughout), then mail from my machine  
would get a high spam score by most systems.


I really don't want to sound harsh with this, but if you aren't fully  
clear  on concepts like reverse and forward DNS and authoritative  
servers for each, you really should be looking for a solution that  
doesn't involve you running a direct to MX system.  You can still run  
your own mailserver which you can integrate with your webserver, but  
have it relay all of the outgoing mail to your ISP's SMTP host which  
is set up for the purpose.


Also if you post your queries to the postfix mailing list (I think I  
recall that you were using postfix) you will probably find lots of  
pointers to information explaining about configuration.  The Book of  
Postfix (ISBN 1-59327-001-1) has a good discussion of the need for  
other hosts being able to reverse resolve the IP of your mail hub.


-j





--

~Al Plant - Honolulu, Hawaii -  Phone:  808-284-2740
 + http://hawaiidakine.com + http://freebsdinfo.org + [EMAIL PROTECTED] +
 + http://internetohana.org   - Supporting - FreeBSD 6.* - 7.* +
All that's really worth doing is what we do for others. - Lewis Carroll


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: getting mail to work

2007-03-13 Thread jekillen


On Mar 12, 2007, at 5:14 PM, RW wrote:


On Mon, 12 Mar 2007 16:36:41 -0800
jekillen [EMAIL PROTECTED] wrote:



On Mar 12, 2007, at 9:05 AM, RW wrote:


The important thing is really your reverse DNS, if you have control
of it and looks like a real server name,  e.g. mail.example.com,
you can stay off the dynamic lists. It doesn't help to have a
static address if your reverse dns looks like 12-43-545-example.net



Thank you for your reply;
One of my machines (the one I use all the time and use to send and
receive e-mail) does have an ISP assigned name. But the others are FQDN's that
I have registered. One even has .net as the top level domain and that
is one I am planning on using for the mail server.



Just as long as you understand the distinction between forward and
reverse DNS. Based on the whois record for your IP address, at the
moment you appear to have the following reverse DNS for the address
range 75.7.236.224 - 75.7.236.231:

$ for i in `jot  8 224` ; do dig +short -x 75.7.236.$i  ; done
adsl-75-7-236-224.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-225.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-226.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-227.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-228.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-229.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-230.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-231.dsl.irvnca.sbcglobal.net.


OK, it appears that it is the ISP's name servers who
are responding. When I call up my sites I get to the
machines they are on according to my present
DNS setup.
try www.brushandbard.com
Jeff K



Re: getting mail to work

2007-03-13 Thread Jeffrey Goldberg

On Mar 13, 2007, at 8:17 PM, jekillen wrote:



On Mar 12, 2007, at 5:14 PM, RW wrote:



Just as long as you understand the distinction between forward and
reverse DNS. Based on the whois record for your IP address, at the
moment you appear to have the following reverse DNS for the address
range 75.7.236.224 - 75.7.236.231:

$ for i in `jot  8 224` ; do dig +short -x 75.7.236.$i  ; done
adsl-75-7-236-224.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-225.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-226.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-227.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-228.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-229.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-230.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-231.dsl.irvnca.sbcglobal.net.




OK, it appears that it is the ISP's name servers who
are responding. When I call up my sites I get to the
machines they are on according to my present
DNS setup.


But that is what the public sees.  If (which I strongly doubt) your  
own internal nameservers give a different result to


$ dig +short -x 75.7.236.224

then it still makes no difference to the rest of the world which,  
when doing a *reverse* lookup on your IP address doesn't get anything  
that looks like your domain name.




try www.brushandbard.com


That's not the question.  RW was (correctly) talking about *reverse*  
DNS, aka DNS PTR records.  That is we are looking at the translation  
*from* number *to* name.


If you look up one of my static IP addresses

$  dig +short -x 72.64.118.115
n115.ewd.goldmark.org.

you get that instead of

 static-72-64-118-115.dllstx.fios.verizon.net

It took me many unpleasant hours on the phone to Verizon to get the  
reverse look up the way it is now.  I spent those hours on the phone  
specifically because I did want to run my own direct to MX mailserver.


My mailserver sends out mail as being from lists.shepard-families.org  
(in the envelope and header froms) but identifies itself as  
gecko.ewd.goldmark.org


a regular look up of either of those returns

  72.64.118.115

A reverse of that turns up

 n115.ewd.goldmark.org

which when you do a regular lookup gets you

 72.64.118.115

So my machine is claiming to be in goldmark.org, and doing a reverse  
lookup on its IP address points you back to goldmark.org.  So that  
strongly suggests that when it identifies itself as goldmark.org, it  
is doing so with the consent not only of the person who controls the  
goldmark.org domain, but also with the consent of the person (in this  
case Verizon) who controls the IP address of the machine.


If mail from my machine failed this IP -- name1 -- IP -- name2 --  
IP test (the test being that name1 and name2 are in the same domain  
and that IP is the same IP throughout), then mail from my machine  
would get a high spam score by most systems.


I really don't want to sound harsh with this, but if you aren't fully  
clear  on concepts like reverse and forward DNS and authoritative  
servers for each, you really should be looking for a solution that  
doesn't involve you running a direct to MX system.  You can still run  
your own mailserver which you can integrate with your webserver, but  
have it relay all of the outgoing mail to your ISP's SMTP host which  
is set up for the purpose.


Also if you post your queries to the postfix mailing list (I think I  
recall that you were using postfix) you will probably find lots of  
pointers to information explaining about configuration.  The Book of  
Postfix (ISBN 1-59327-001-1) has a good discussion of the need for  
other hosts being able to reverse resolve the IP of your mail hub.


-j


--
Jeffrey Goldberg   http://www.goldmark.org/jeff/

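The IP -> name1 -> IP -> name2 -> IP test Jeffrey describes, worked through in code. This is an added example, not code from the thread or from any of the posters: it resolves against a constructed in-memory table (the names and addresses are sample data under documentation prefixes, not the records discussed above), so it runs offline; the `registered_domain` two-label rule is a deliberate simplification of "same domain"; and `looks_provider_generated` is a heuristic for RW's point about address-shaped reverse names, which goes a little beyond the thread's wording.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as described in the thread.

Added example, not code from the thread.  The two dictionaries below stand
in for live DNS so the check runs offline; every name and address in them
is constructed sample data (RFC 5737 documentation addresses), not a real
record from the discussion.
"""
import ipaddress

# Constructed PTR records (address -> reverse name) and A records
# (name -> address).  192.0.2.10 mirrors the "good" case from the thread:
# its reverse name and the mail host's HELO name both point back to it and
# share a domain.  192.0.2.20 has a provider-style reverse name, and
# 192.0.2.30 has a PTR whose forward lookup goes somewhere else.
SAMPLE_PTR = {
    "192.0.2.10": "mx.example.org.",
    "192.0.2.20": "adsl-192-0-2-20.dsl.isp.example.",
    "192.0.2.30": "mail.example.net.",
}
SAMPLE_A = {
    "mx.example.org.": "192.0.2.10",
    "gecko.example.org.": "192.0.2.10",
    "lists.example.com.": "192.0.2.10",   # same address, different domain
    "adsl-192-0-2-20.dsl.isp.example.": "192.0.2.20",
    "mail.example.net.": "192.0.2.99",    # forward does not return to .30
}


def canonical(name):
    """Lower-case, fully qualified (trailing dot) form of a host name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def registered_domain(name, labels=2):
    """'Same domain' as the thread uses it: the last two labels.
    Simplification; a production check would consult the public suffix list."""
    return ".".join(canonical(name).rstrip(".").split(".")[-labels:])


def check_fcrdns(ip, helo_name, ptr_table=SAMPLE_PTR, a_table=SAMPLE_A):
    """Run the IP -> name1 -> IP -> name2 -> IP test from the thread.

    Returns (ok, reason).  ok is True only when the address has a PTR
    record (name1), name1 resolves forward to the same address, the HELO
    name (name2) resolves forward to the same address, and name1 and
    name2 share a registered domain.
    """
    ip = str(ipaddress.ip_address(ip))      # normalise and validate
    name1 = ptr_table.get(ip)
    if name1 is None:
        return False, "no PTR record for %s" % ip
    name1 = canonical(name1)
    if a_table.get(name1) != ip:
        return False, "PTR name %s does not resolve back to %s" % (name1, ip)
    name2 = canonical(helo_name)
    if a_table.get(name2) != ip:
        return False, "HELO name %s does not resolve to %s" % (name2, ip)
    if registered_domain(name1) != registered_domain(name2):
        return False, "PTR name %s and HELO name %s are in different domains" % (
            name1, name2)
    return True, "forward and reverse DNS agree for %s" % ip


def looks_provider_generated(ip, ptr_name):
    """Heuristic for RW's point: a reverse name that spells out the address
    (adsl-75-7-236-224..., static-72-64-118-115...) reads as a generic
    pool name to other mail servers even when the address is static."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    labels = canonical(ptr_name).rstrip(".").replace("-", ".").split(".")
    return all(octet in labels for octet in octets)


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "gecko.example.org"),
                     ("192.0.2.10", "lists.example.com"),
                     ("192.0.2.20", "adsl-192-0-2-20.dsl.isp.example"),
                     ("192.0.2.30", "mail.example.net"),
                     ("192.0.2.40", "mx.example.org")]:
        ok, why = check_fcrdns(ip, helo)
        generic = looks_provider_generated(ip, SAMPLE_PTR.get(ip, ""))
        print("%-12s %-35s %-5s generic=%-5s %s" % (ip, helo, ok, generic, why))
```

Note that the 192.0.2.20 row passes the strict round trip yet is flagged as provider-generated: that is exactly RW's point that a consistent but address-shaped reverse name still gets a host treated like a dynamic-pool sender.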


Re: getting mail to work

2007-03-12 Thread Wojciech Puchar
of SPF (Sender Policy Framework) would immediately identify it as a spoof,
and will be blocked.


To learn more about this system, see

http://www.openspf.org/


if the same machine is for sending and receiving mail simply putting

IN TXT "v=spf1 mx -all"

is OK and enough
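What a receiver actually does with that record, as an added example that is not code from the thread or from openspf.org. It evaluates the `mx`, `a`, `ip4` and `all` mechanisms with their qualifiers over a constructed in-memory zone (documentation addresses, not real hosts), which is enough to see what `v=spf1 mx -all` covers for a single box that both receives and sends, and what a record without a final `all` term leaves undecided; a real receiver would use a complete implementation against live DNS.

```python
"""Minimal evaluator for the SPF record recommended in the thread.

Added example, not code from the thread or from openspf.org.  It handles
only the "mx", "a", "ip4" and "all" mechanisms with their qualifiers; a
real receiver would use a complete implementation and live DNS.  The zone
data below is constructed sample data (RFC 5737 addresses).
"""
import ipaddress

# Constructed zone: TXT, MX and A records keyed by owner name.
# example.net is the thread's case: one box that both receives (MX) and sends.
ZONE = {
    "example.net":      {"TXT": ["v=spf1 mx -all"], "MX": ["mail.example.net"]},
    "mail.example.net": {"A": ["192.0.2.25"]},
    "example.org":      {"TXT": ["v=spf1 a ip4:198.51.100.0/24 ~all"],
                         "A": ["192.0.2.80"]},
    "example.com":      {"TXT": ["v=spf1 mx"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.26"]},
    "nospf.example":    {"A": ["192.0.2.5"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of one type for a name (empty list if none)."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def addresses_for(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def mechanism_matches(mech, sender_ip, domain):
    """True if one mechanism (qualifier already stripped) matches sender_ip."""
    if mech == "all":
        return True
    if mech == "mx":          # any A record of any MX host of the domain
        return any(sender_ip == a
                   for mx in lookup(domain, "MX") for a in addresses_for(mx))
    if mech == "a":           # the domain's own A records
        return sender_ip in addresses_for(domain)
    if mech.startswith("ip4:"):
        return sender_ip in ipaddress.ip_network(mech[4:], strict=False)
    raise ValueError("mechanism not supported by this example: " + mech)


def check_spf(sender_ip, domain):
    """Evaluate domain's SPF record for the connecting address.

    Returns "pass", "fail", "softfail", "neutral" or, when the domain
    publishes no SPF record at all, "none".
    """
    sender_ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term           # no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mechanism_matches(mech.lower(), sender_ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"   # nothing matched and no "all" term: neutral by default


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.net"), ("192.0.2.99", "example.net"),
                    ("192.0.2.80", "example.org"), ("198.51.100.7", "example.org"),
                    ("203.0.113.1", "example.org"), ("203.0.113.1", "example.com"),
                    ("192.0.2.5", "nospf.example")]:
        print("%-14s %-14s %s" % (ip, dom, check_spf(ip, dom)))
```

The example.com row shows why the `-all` in the recommended record matters: with only `mx` published, a forged message from an unrelated address gets "neutral", which most receivers treat much like having no record at all.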


Re: getting mail to work

2007-03-12 Thread RW
On Sun, 11 Mar 2007 17:27:52 -0800
jekillen [EMAIL PROTECTED] wrote:

 If you will allow me to break in on this exchange;
 Does this advice apply if you have static ip service

The important thing is really your reverse DNS, if you have control of
it and it looks like a real server name, e.g. mail.example.com, you can
stay off the dynamic lists. It doesn't help to have a static address if
your reverse dns looks like 12-43-545-example.net


Re: getting mail to work

2007-03-12 Thread jekillen


On Mar 12, 2007, at 9:05 AM, RW wrote:


On Sun, 11 Mar 2007 17:27:52 -0800
jekillen [EMAIL PROTECTED] wrote:


If you will allow me to break in on this exchange;
Does this advice apply if you have static ip service


The important thing is really your reverse DNS, if you have control of
it and it looks like a real server name, e.g. mail.example.com, you can
stay off the dynamic lists. It doesn't help to have a static address if
your reverse dns looks like 12-43-545-example.net



Thank you for your reply;
One of my machines (the one I use all the time and use to send and
receive e-mail) does have an ISP assigned name. But the others are FQDN's that
I have registered. One even has .net as the top level domain and that is
one I am planning on using for the mail server.
Thanks again
Jeff K



Re: getting mail to work

2007-03-12 Thread jekillen


On Mar 12, 2007, at 12:01 AM, Wojciech Puchar wrote:

of SPF (Sender Policy Framework) would immediately identify it as a
spoof, and will be blocked.


To learn more about this system, see

http://www.openspf.org/


if the same machine is for sending and receiving mail simply putting

IN TXT "v=spf1 mx -all"

is OK and enough


Thanks for the info,
I think I can use all the knowledgeable help
I can get with this. I did set up my DNS servers
successfully. But I have had more trouble trying
to get Apache configured correctly. Mail servers
look like a whole 'nother world to me but I still
have a little hair left to tear.
Jeffk



Re: getting mail to work

2007-03-12 Thread jekillen


On Mar 11, 2007, at 5:53 PM, Jeffrey Goldberg wrote:


On Mar 11, 2007, at 8:27 PM, jekillen wrote:


If you will allow me to break in on this exchange;
Does this advice [don't run your own direct to MX mail server] apply
if you have static ip service and are running web servers from these 
addresses, with the ISP's blessing? (meaning you also have at least 
two name servers running for the registered sites)


Wow, thanks,
most of what you mention in the way of pluses and negatives
I am either aware of or have had some experience with, E.G.
I had someone attacking a machine I have one of my sites on
and the secondary DNS server. The site has .net as the top
level domain and I supposed that the attack was because some
one assumed I was using it to run a mail server. Anyhow I was
getting requests for - - so often that it was causing Apache
to run out of memory and kill processes. I caught it in process
and shut down and rebooted the machine. But to tell you the
truth, I am not sure if that was causing Apache to run out of
memory, it is just guilt by association. Since all this machine
really does is serve as my secondary DNS server I shut
down Apache, not really needing to have the site up at this
time.
I am itching to get mail service running as it will perform some
important functions for my sites. But I have some serious
learning to do. Every bit of knowledgeable input helps and
this is a serious tutorial.
Thanks again.
Jeff K.




First let's separate questions.  One is dealing with your own incoming 
mail.  The other is with sending mail out direct to MX.  These two can 
(and often should) be separated.


For the question of hosting your own MX there are positives and 
negatives.  Here is a list off of the top of my head.  It is far from 
complete.


Positive:

 (1) You get to fully control your rejection/acceptance policy from the
 beginning.

 (2) You get to learn about running such a system.

 (3) You dramatically reduce your lock-in with an ISP (who can change their
 email policy or practice at any time).

 (4) You don't have to pay for some outside service (I use fastmail.fm) for
 hosting your incoming mail if you want something better than the free
 email service your ISP provides.

Negatives:

 (a) You have to maintain what is really a surprisingly complex system
 for such a simple protocol.

 (b) You have to defend your system against attacks it otherwise wouldn't
 receive, including DoS attacks.

 (c) Damage of being overwhelmed (either by deliberate attack or spam blowback)
 may be harder to contain.

 (d) Your system needs to fail appropriately.  For example, if you use
 something like LDAP to maintain username or email address information, you
 need to make sure that if your LDAP service fails your mail server fails
 in an appropriate way (say a complete shutdown) or issues temporary (4xx)
 rejections instead of inappropriately issuing 5xx for mail that
 would be accepted normally.

If (1) (or (2)) is really important to you, then go ahead.  But 
probably the best way to see whether (1) really matters is to ask 
yourself what things you would like to do that you couldn't do unless 
you ran your own MX.  For example, if you have strong feelings about 
whether DNSbls should be used prior to content filtering or as part of 
it.  Or whether you want spam and virus rejections to occur at SMTP 
time or later.  Whether you want SPF failures to generate immediate 
rejections.  Whether you want to make use of sophisticated IMAP 
features that ISPs can't provide.  If you don't have strong feelings 
about these sorts of questions, then I doubt that (1) applies to you.


Now there is the second question about doing direct to MX for mail 
sending instead of going through your ISP or some third party service.


Positives

 (i) You control queuing and retry rates.

 (ii) For bulk mailing (mailing lists) there is an advantage of how out-going
  SMTP sessions are organized.

 (iii) You are not as dependent on your ISP or a third party for getting your
   mail out, if they are slow or unreliable with mail.

 (iv) If your ISP's mail server provides crappy bounce information and you
  need better information.

 (v) If your ISP adds junk to your mail or sends out mail in unfriendly ways so as
 to get itself on blacklists or leads to other forms of needless
 rejections.

 (vi) You get to learn about running such systems

Negatives:

  (A) Even with a static IP address, your assigned address may look dynamic
  to other servers who may then reject mail coming directly from you.

  (B) Your ISP blocks/disallows this sort of thing (not a problem in your case)

  (C) The reverse DNS records for your IP need to correspond reasonably well
  to your domain name, otherwise lots of servers will reject mail from you.

  (D) You need to follow the RFCs and conventions strictly so that you don't
  get yourself 

Re: getting mail to work

2007-03-12 Thread RW
On Mon, 12 Mar 2007 16:36:41 -0800
jekillen [EMAIL PROTECTED] wrote:

 
 On Mar 12, 2007, at 9:05 AM, RW wrote:
 
  The important thing is really your reverse DNS, if you have control
  of it and it looks like a real server name, e.g. mail.example.com,
  you can stay off the dynamic lists. It doesn't help to have a
  static address if your reverse dns looks like 12-43-545-example.net
 
 
 Thank you for your reply;
 One of my machines (the one I use all the time and use to send and
 receive e-mail) does have an ISP assigned name. But the others are FQDN's that
 I have registered. One even has .net as the top level domain and that
 is one I am planning on using for the mail server.


Just as long as you understand the distinction between forward and
reverse DNS. Based on the whois record for your IP address, at the
moment you appear to have the following reverse DNS for the address 
range 75.7.236.224 - 75.7.236.231:

$ for i in `jot  8 224` ; do dig +short -x 75.7.236.$i  ; done
adsl-75-7-236-224.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-225.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-226.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-227.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-228.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-229.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-230.dsl.irvnca.sbcglobal.net.
adsl-75-7-236-231.dsl.irvnca.sbcglobal.net.



Re: getting mail to work

2007-03-11 Thread Bill Moran
Ed Zwart [EMAIL PROTECTED] wrote:

 I use freebsd on an older computer in my home network to run a
 webserver, a few web apps (bugzilla, tikiwiki), and samba.  I just
 installed postfix via the ports collection so I can use the mail
 functionality of bugzilla.
 
 Bugzilla does its part correctly; I can see the message in the mailq,
 but all messages time out.  From the postfix site, I learned about the
 MTU black hole issue (http://www.postfix.org/faq.html#timeouts).
 After spending some time messing both with my bsd machine's hostname
 and my home network gateway's settings (domain name and mtu size), I
 got nowhere.
 
 But then I read somewhere (sorry, I don't have the reference) that the
 handshake that goes on between my MTA and the destination machine
 includes a check that I'm not spoofing a domain that I don't control.
 Makes sense!  So, I figured that I don't have an MTU problem at all,
 but a hostname/domain name problem.
 
 What I'm a little weak on is understanding is this...
 
 I own my_domain.com.  I've paid a hoster for the last couple years,
 but that's ending in a week or so.  Meanwhile, I've used dyndns to
 point foo.homedns.org to my IP.
 
 Originally, I had left the gateway's domain as the default (something
 based on my isp's domain), and set the bsd machine's hostname to
 foo.my_domain.com.  But that's why mail was failing (I think) because
 dns was reporting that my_domain.com was not the same as my IP.  Is
 this correct?
 
 Also, what are valid entries then for hostname then?  Anything I want,
 as long as it's not some domain already known in the dns?  Does it
 matter if I change my domain name on my LAN router?
 
 Finally, what I'd really like to do is just manage all this myself.
 I'm not providing any services to anyone but myself.  (I don't have
 users, and don't need to receive mail.)  My plan had been to pay
 dyndns to handle pointing to my_domain.com for me, but now I'm
 wondering if I can't just do that too. So, last question: does setting
 up dns on my bsd box mean I can propagate my IP for my_domain.com
 myself?

First, you need to figure out what the problem is.  You're making a lot
of guesses right now.

However, I would suspect that your best bet would be to specify that all
outgoing mail routes through your ISP.  Their MTA should be configured to
allow all mail from their customers to be sent.  In postfix, define
the relayhost parameter to be your ISP's outgoing server.

-- 
Bill Moran
http://www.potentialtech.com


Re: getting mail to work

2007-03-11 Thread Josh Paetzel
On Sunday 11 March 2007 10:45, Ed Zwart wrote:
 I use freebsd on an older computer in my home network to run a
 webserver, a few web apps (bugzilla, tikiwiki), and samba.  I just
 installed postfix via the ports collection so I can use the mail
 functionality of bugzilla.

 Bugzilla does its part correctly; I can see the message in the
 mailq, but all messages time out.  From the postfix site, I learned
 about the MTU black hole issue
 (http://www.postfix.org/faq.html#timeouts). After spending some
 time messing both with my bsd machine's hostname and my home
 network gateway's settings (domain name and mtu size), I got
 nowhere.

 But then I read somewhere (sorry, I don't have the reference) that
 the handshake that goes on between my MTA and the destination
 machine includes a check that I'm not spoofing a domain that I
 don't control. Makes sense!  So, I figured that I don't have an MTU
 problem at all, but a hostname/domain name problem.

 What I'm a little weak on is understanding is this...

 I own my_domain.com.  I've paid a hoster for the last couple years,
 but that's ending in a week or so.  Meanwhile, I've used dyndns to
 point foo.homedns.org to my IP.

 Originally, I had left the gateway's domain as the default
 (something based on my isp's domain), and set the bsd machine's
 hostname to foo.my_domain.com.  But that's why mail was failing (I
 think) because dns was reporting that my_domain.com was not the
 same as my IP.  Is this correct?

 Also, what are valid entries then for hostname then?  Anything I
 want, as long as it's not some domain already known in the dns? 
 Does it matter if I change my domain name on my LAN router?

 Finally, what I'd really like to do is just manage all this myself.
 I'm not providing any services to anyone but myself.  (I don't have
 users, and don't need to receive mail.)  My plan had been to pay
 dyndns to handle pointing to my_domain.com for me, but now I'm
 wondering if I can't just do that too. So, last question: does
 setting up dns on my bsd box mean I can propagate my IP for
 my_domain.com myself?

 Thanks in advance for help!

 e.

Your ISP is probably just blocking outgoing connections to port 
25...set postfix to use their smtp servers as a relayhost.

-- 
Thanks,

Josh Paetzel


Re: getting mail to work

2007-03-11 Thread Jeffrey Goldberg

[mailed and posted]

On Mar 11, 2007, at 10:45 AM, Ed Zwart wrote:


I own my_domain.com.  I've paid a hoster for the last couple years,
but that's ending in a week or so.  Meanwhile, I've used dyndns to
point foo.homedns.org to my IP.


I am going to add my voice to those suggesting that you use your  
ISP's mail server for outgoing mail.


There are a number of reasons.  First of all, if you are on a dynamic  
IP, it is very likely that your ISP blocks outgoing SMTP traffic that
doesn't go via their own mail server.  That is, they won't allow  
direct to MX mailing from dynamic addresses.


Another reason is that it just isn't a good idea to run your own  
direct to MX mail system, unless you have some real expertise in how  
mail transport works.  Professionally, I set up mail servers for  
small and medium sized businesses, and in more and more cases, I  
actually suggest that they use outside mail servers for their out  
going mail.  (Generally, I think that ISPs tend to do really poor  
jobs with email and that it is best to avoid being locked into your  
ISP for much, so I recommend services like fastmail.fm.)


Let me also add, that while I do set up and manage mail servers for  
others, I don't do direct to MX from home myself.  (Well, I do for a  
mailing list server I run, but not for my normal everyday mailing.)   
So even with the expertise needed, I don't really recommend running  
your own MX (incoming) or own Direct to MX (outgoing) servers unless  
you have a specific need to fill.


Anyway

With postfix you just need to specify

 relayhost=YOUR-ISPS-OUTGOING-SMTP-SERVER-HERE

in

 /usr/local/etc/postfix/main.cf

and then run

 # postfix reload

Then just send a test, eg

$  mail -s test [EMAIL PROTECTED] < /dev/null

to see what happens.

If your ISP wants authentication for handling your outgoing mail,  
look at


 http://macosx.com/tech-support/smtp-relay-host-authentication/938.html

which describes how to configure postfix for that on Mac OS X.  For  
FreeBSD just replace


  /private/etc/postfix/

in all of the paths mentioned with

  /usr/local/etc/postfix/


-j
--
Jeffrey Goldberg   http://www.goldmark.org/jeff/

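A main.cf fragment for the relayhost setup described in this message, extended with the authentication part that the message defers to the external link. This is an added example, not from the thread or from the Postfix project's documentation: the relay host name, port and credentials are placeholders, the file paths follow the FreeBSD layout named above, and the TLS line assumes Postfix 2.3 or later built with SASL support (the FreeBSD port has to be built with that option for smtp_sasl_auth_enable to do anything).

```ini
# /usr/local/etc/postfix/main.cf (fragment; smtp.isp.example and 587 are placeholders)
# Brackets suppress the MX lookup and send straight to that host; :587 is the
# usual submission port when the ISP blocks or discourages port 25.
relayhost = [smtp.isp.example]:587

# Credentials for the relay, looked up by the exact relayhost value above.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
# The default security options also forbid plaintext mechanisms (PLAIN/LOGIN),
# which most ISP relays require; allow them, but only over an encrypted session
# so the password never crosses the wire in the clear.
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

# /usr/local/etc/postfix/sasl_passwd (one line; the key must equal relayhost exactly):
# [smtp.isp.example]:587    username:password
```

After writing sasl_passwd, build the lookup table with `postmap hash:/usr/local/etc/postfix/sasl_passwd`, make both sasl_passwd and sasl_passwd.db readable by root only (`chmod 600`) since they hold the password, then `postfix reload` as above; `postconf -n` shows which of these settings are actually in effect.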


Re: getting mail to work

2007-03-11 Thread jekillen


On Mar 11, 2007, at 2:28 PM, Jeffrey Goldberg wrote:


[mailed and posted]

On Mar 11, 2007, at 10:45 AM, Ed Zwart wrote:


I own my_domain.com.  I've paid a hoster for the last couple years,
but that's ending in a week or so.  Meanwhile, I've used dyndns to
point foo.homedns.org to my IP.


If you will allow me to break in on this exchange;
Does this advice apply if you have static ip service and are running
web servers from these addresses, with the ISP's blessing?
(meaning you also have at least two name servers running for the
registered sites)
This is important info for me, as I have that and am considering doing
just that, run my own mail servers. I expect to have 5 machines doing
various jobs, DNS, web server (four registered web sites), mail server.
I already have three of the four sites up and available from static ip
addresses over ADSL.
Thanks so much
Jeff K.


I am going to add my voice to those suggesting that you use your ISP's 
mail server for outgoing mail.


There are a number of reasons.  First of all, if you are on a dynamic 
IP, it is very likely that your ISP blocks outgoing SMTP traffic that
doesn't go via their own mail server.  That is, they won't allow 
direct to MX mailing from dynamic addresses.


Another reason is that it just isn't a good idea to run your own 
direct to MX mail system, unless you have some real expertise in how 
mail transport works.  Professionally, I set up mail servers for small 
and medium sized businesses, and in more and more cases, I actually 
suggest that they use outside mail servers for their out going mail.  
(Generally, I think that ISPs tend to do really poor jobs with email 
and that it is best to avoid being locked into your ISP for much, so I 
recommend services like fastmail.fm.)


Let me also add, that while I do set up and manage mail servers for 
others, I don't do direct to MX from home myself.  (Well, I do for a 
mailing list server I run, but not for my normal everyday mailing.)  
So even with the expertise needed, I don't really recommend running 
your own MX (incoming) or own Direct to MX (outgoing) servers unless 
you have a specific need to fill.


Anyway

With postfix you just need to specify

 relayhost=YOUR-ISPS-OUTGOING-SMTP-SERVER-HERE

in

 /usr/local/etc/postfix/main.cf

and then run

 # postfix reload

Then just send a test, eg

$  mail -s test [EMAIL PROTECTED] < /dev/null

to see what happens.

If your ISP wants authentication for handling your outgoing mail, look 
at


 http://macosx.com/tech-support/smtp-relay-host-authentication/938.html

which describes how to configure postfix for that on Mac OS X.  For 
FreeBSD just replace


  /private/etc/postfix/

in all of the paths mentioned with

  /usr/local/etc/postfix/


-j
--
Jeffrey Goldberg   http://www.goldmark.org/jeff/







Re: getting mail to work

2007-03-11 Thread Jeffrey Goldberg

On Mar 11, 2007, at 8:27 PM, jekillen wrote:


If you will allow me to break in on this exchange;
Does this advice [don't run your own direct to MX mail server]
apply if you have static ip service and are running web servers  
from these addresses, with the ISP's blessing? (meaning you also  
have at least two name servers running for the registered sites)


First let's separate questions.  One is dealing with your own  
incoming mail.  The other is with sending mail out direct to MX.   
These two can (and often should) be separated.


For the question of hosting your own MX there are positives and  
negatives.  Here is a list off of the top of my head.  It is far from  
complete.


Positive:

 (1) You get to fully control your rejection/acceptance policy from the
 beginning.

 (2) You get to learn about running such a system.

 (3) You dramatically reduce your lock-in with an ISP (who can change their
 email policy or practice at any time).

 (4) You don't have to pay for some outside service (I use fastmail.fm) for
 hosting your incoming mail if you want something better than the free
 email service your ISP provides.

Negatives:

 (a) You have to maintain what is really a surprisingly complex system
 for such a simple protocol.

 (b) You have to defend your system against attacks it otherwise wouldn't
 receive, including DoS attacks.

 (c) Damage of being overwhelmed (either by deliberate attack or spam blowback)
 may be harder to contain.

 (d) Your system needs to fail appropriately.  For example, if you use
 something like LDAP to maintain username or email address information, you
 need to make sure that if your LDAP service fails your mail server fails
 in an appropriate way (say a complete shutdown) or issues temporary (4xx)
 rejections instead of inappropriately issuing 5xx for mail that
 would be accepted normally.

If (1) (or (2)) is really important to you, then go ahead.  But  
probably the best way to see whether (1) really matters is to ask  
yourself what things you would like to do that you couldn't do unless  
you ran your own MX.  For example, if you have strong feelings about  
whether DNSbls should be used prior to content filtering or as part  
of it.  Or whether you want spam and virus rejections to occur at  
SMTP time or later.  Whether you want SPF failures to generate  
immediate rejections.  Whether you want to make use of sophisticated  
IMAP features that ISPs can't provide.  If you don't have strong  
feelings about these sorts of questions, then I doubt that (1)  
applies to you.


Now there is the second question about doing direct to MX for mail  
sending instead of going through your ISP or some third party service.


Positives

 (i) You control queueing and retry rates.

 (ii) For bulk mailing (mailing lists) there is an advantage in how out-going
      SMTP sessions are organized.

 (iii) You are not as dependent on your ISP or a third party for getting your
       mail out, if they are slow or unreliable with mail.

 (iv) If your ISP's mail server provides crappy bounce information and you
      need better information.

 (v) If your ISP adds junk to your mail or sends out mail in unfriendly ways so as
     to get itself on blacklists or leads to other forms of needless
     rejections.

 (vi) You get to learn about running such systems.

Negatives:

  (A) Even with a static IP address, your assigned address may look dynamic
      to other servers who may then reject mail coming directly from you.

  (B) Your ISP blocks/disallows this sort of thing (not a problem in your case).

  (C) The reverse DNS records for your IP need to correspond reasonably well
      to your domain name, otherwise lots of servers will reject mail from you.

  (D) You need to follow the RFCs and conventions strictly so that you don't
      get yourself added to blacklists.

  (E) It is probably a little less network efficient for you to talk directly
      to servers all over the planet when you could just talk to your ISP's
      server which will be much closer to you.

Here again, if (vi) is your primary reason for wanting to run your
own direct to MX system, then use it just for one of your minor
domains.  That way, if you mess up, you won't get your major domains
blacklisted.  If (i) and (ii) really matter for you, then go ahead,
but I think that you should have a real reason beyond "I can,
therefore I ought" if it is going to be your primary way
of getting mail out.

In the end it is a matter of individual taste and need.  With good
DSL or FiOS lines, along with a proper backup regime and an
Uninterruptible Power Supply, hosting your own website makes plenty of
sense.  But mail is a trickier thing to maintain than apache, so my
view remains that unless you have some specific need for the kind of
control you can get by running your own, let someone else handle your
mail
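Negatives (A) and (C) above describe the check a receiving MTA runs on a connecting client: does the IP have a PTR record, does that name resolve back to the same IP (forward-confirmed reverse DNS), and does the name look like an ISP pool name of the adsl-75-7-236-224 kind shown earlier in the thread. The following is an added example written for this page, not code from the thread or from any MTA; it stands in for the DNS with two constructed lookup tables (the sbcglobal and goldmark names mirror the lookups quoted in the thread, the other addresses are documentation ranges) and a hypothetical token list, so it runs offline, and it classifies each client the way a receiving site's policy might.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed DNS data so the check runs offline.  In a real deployment these
# two dicts would be replaced by PTR and A lookups (socket.gethostbyaddr /
# socket.gethostbyname, or dnspython).  The sbcglobal and goldmark names mirror
# the lookups quoted in the thread; the other addresses are documentation
# ranges used purely as illustration.
PTR_RECORDS = {
    "75.7.236.224": ["adsl-75-7-236-224.dsl.irvnca.sbcglobal.net"],
    "72.64.118.115": ["n115.ewd.goldmark.org"],
    "203.0.113.9": [],                      # no reverse record at all
    "198.51.100.7": ["mail.example.net"],   # PTR whose A record points elsewhere
}
A_RECORDS = {
    "adsl-75-7-236-224.dsl.irvnca.sbcglobal.net": ["75.7.236.224"],
    "n115.ewd.goldmark.org": ["72.64.118.115"],
    "mail.example.net": ["198.51.100.8"],
}

# Hypothetical list of labels ISPs commonly use in auto-generated pool names.
GENERIC_TOKENS = {"adsl", "dsl", "dhcp", "dyn", "dynamic", "pool", "ppp",
                  "cable", "dial", "dialup", "customer", "cust", "client"}


def reverse_lookup(ip: str) -> list[str]:
    """PTR names for ip (stubbed with the constructed table above)."""
    return PTR_RECORDS.get(ip, [])


def forward_lookup(name: str) -> list[str]:
    """A records for name (stubbed with the constructed table above)."""
    return A_RECORDS.get(name.rstrip("."), [])


def fcrdns(ip: str) -> tuple[str, str | None]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.

    Returns (status, ptr) with status one of "no-ptr", "unconfirmed" or
    "confirmed".  This is the same idea as Postfix's
    reject_unknown_client_hostname restriction.
    """
    ipaddress.ip_address(ip)  # raises ValueError on garbage input
    names = reverse_lookup(ip)
    if not names:
        return "no-ptr", None
    for name in names:
        if ip in forward_lookup(name):
            return "confirmed", name
    return "unconfirmed", names[0]


def embeds_address(name: str, ip: str) -> bool:
    """True if all four octets of ip appear in name, in either order."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        for sep in ("-", ".", "_", ""):
            if sep.join(order) in name:
                return True
    return False


def looks_generic(name: str, ip: str) -> bool:
    """Heuristic: does the PTR name look like an ISP-assigned pool name?"""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower())) - {""}
    return embeds_address(name, ip) or bool(tokens & GENERIC_TOKENS)


def assess_sender(ip: str) -> dict:
    """Classify a connecting IP the way a receiving MTA's policy might."""
    status, ptr = fcrdns(ip)
    generic = bool(ptr) and looks_generic(ptr, ip)
    if status != "confirmed":
        verdict = "unknown"      # many sites tempfail or reject these outright
    elif generic:
        verdict = "generic"      # negative (A): looks dynamic even if static
    else:
        verdict = "ok"
    return {"ip": ip, "ptr": ptr, "fcrdns": status, "generic": generic,
            "verdict": verdict}


if __name__ == "__main__":
    for addr in PTR_RECORDS:
        print(assess_sender(addr))
```

The "generic" verdict is the situation Jeffrey describes: the sbcglobal address is forward-confirmed, so it is not "unknown", yet the name embeds the IP octets and carries an "adsl" label, so a receiving site that scores on naming will still treat it as a dynamic client. Getting the ISP to delegate the PTR to a name under your own domain is what turns that verdict into "ok".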

Re: getting mail to work

2007-03-11 Thread Ed Zwart

Thanks Bill, Josh and Jeffrey for answering my question.  It was my
ISP.  (So easy, I wish I had thought of that.  I somehow managed to
figure out they were blocking 80 a month or so ago.)

I'm still a little fuzzy on legal entries for hostname and domain.  I
set them to be mine, and it worked, and then for kicks, set it to
google.com, and that worked too.  I looked at the headers, and can see
that the source can be traced back to my machine, but that still seems
kind of easy to spoof.  Anyway, it's not something I'm overly worried
about; I'm just not clear on what I SHOULD be using for hostname and
domain.

Any words of wisdom appreciated.  Otherwise, thanks again for the
already super help!

e.

On 3/11/07, Jeffrey Goldberg [EMAIL PROTECTED] wrote:

On Mar 11, 2007, at 8:27 PM, jekillen wrote:

 If you will allow me to break in on this exchange;
 Does this advice [don't run your own direct to MX mail server]
 apply if you have static IP service and are running web servers
 from these addresses, with the ISP's blessing? (meaning you also
 have at least two name servers running for the registered sites)

First let's separate questions.  One is dealing with your own
incoming mail.  The other is with sending mail out direct to MX.
These two can (and often should) be separated.

For the question of hosting your own MX there are positives and
negatives.  Here is a list off of the top of my head.  It is far from
complete.

Positive:

  (1) You get to fully control your rejection/acceptance policy from the
  beginning.

  (2) You get to learn about running such a system.

  (3) You dramatically reduce your lock-in with an ISP (who can
change their
  email policy or practice at any time).

  (4) You don't have to pay for some outside service (I use
fastmail.fm) for
  hosting your incoming mail if you want something better than
the free
  email service your ISP provides.

Negatives:

  (a) You have to maintain what is really a surprisingly complex system
  for such a simple protocol.

  (b) You have to defend your system against attacks it otherwise
wouldn't
  receive, including DoS attacks.

  (c) Damage of being overwhelmed (either by deliberate attack or
spam blowback)
  may be harder to contain.

  (d) Your system needs to fail appropriately.  For example, if you use
  something like LDAP to maintain username or email address
information, you
  need to make sure that if your LDAP service fails your mail
server fails
  in an appropriate way (say a complete shutdown) or by issuing
temporary (4xx)
  rejections, instead of inappropriately issuing 5xx for
mail that
  would be accepted normally.

If (1) (or (2)) is really important to you, then go ahead.  But
probably the best way to see whether (1) really matters is to ask
yourself what things you would like to do that you couldn't do unless
you ran your own MX.  For example, if you have strong feelings about
whether DNSbls should be used prior to content filtering or as part
of it.  Or whether you want spam and virus rejections to occur at
SMTP time or later.  Whether you want SPF failures to generate
immediate rejections.  Whether you want to make use of sophisticated
IMAP features that ISPs can't provide.  If you don't have strong
feelings about these sorts of questions, then I doubt that (1)
applies to you.

Now there is the second question about doing direct to MX for mail
sending instead of going through your ISP or some third party service.

Positives

  (i) You control queueing and retry rates.

  (ii) For bulk mailing (mailing lists) there is an advantage in how
out-going
   SMTP sessions are organized.

  (iii) You are not as dependent on your ISP or a third party for
getting your
mail out, if they are slow or unreliable with mail

  (iv) If your ISP's mail server provides crappy bounce information
and you
   need better information.

  (v) If your ISP adds junk to your mail or sends out mail in
unfriendly ways so as
  to get itself on blacklists or leads to other forms of needless
  rejections.

  (vi) You get to learn about running such systems

Negatives:

   (A) Even with a static IP address, your assigned address may look
dynamic
   to other servers who may then reject mail coming directly from
you.

   (B) Your ISP blocks/disallows this sort of thing (not a problem in
your case)

   (C) The reverse DNS records for your IP need to correspond
reasonably well
   to your domain name, otherwise lots of servers will reject
mail from you.

   (D) You need to follow the RFCs and conventions strictly so that
you don't
   get yourself added to blacklists

   (E) It is probably a little less network efficient for you to talk
directly
   to servers all over the planet when you could just talk to
your ISP's
   server which will be much closer to you.

Here again, if (vi) is your primary reason for wanting to run your
own direct to MX system, then use it just for one of your 

Re: getting mail to work

2007-03-11 Thread Jeffrey Goldberg

[mailed and posted]

On Mar 11, 2007, at 10:36 PM, Ed Zwart wrote:


I'm still a little fuzzy on legal entries for hostname and domain.  I
set them to be mine, and it worked, and then for kicks, set it to
google.com, and that worked too.  I looked at the headers, and can see
that the source can be traced back to my machine, but that still seems
kind of easy to spoof.


It is extremely easy to spoof, but google has taken steps to make it
easy for mail servers to detect if mail is spoofed.  So if you send
mail from google.com without it coming from your network, then any
server making use of SPF (Sender Policy Framework) would immediately
identify it as a spoof, and it will be blocked.


To learn more about this system, see

 http://www.openspf.org/



Anyway, it's not something I'm overly worried
about; I'm just not clear on what I SHOULD be using for hostname and
domain.


Well, what is a hostname for the machine that is sending the mail?
Since you are now going through your ISP's mail server, it doesn't need
to be a hostname that can be looked up.  So something like


   mailout.my.dom.ain

should do fine.  Use your real domain for the my.dom.ain part.  The  
more correct information you provide, the less mail from your system  
will look like spam. But even localhost.local would be OK (though a  
useful domain name would be better). Using google.com would make it  
look like you are up to no good.


-j




--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/



Re: getting mail to work

2007-03-11 Thread Ed Zwart

Jeffrey, what you've suggested is what I've done.  Thanks for the explanation!

e.

On 3/11/07, Jeffrey Goldberg [EMAIL PROTECTED] wrote:

[mailed and posted]

On Mar 11, 2007, at 10:36 PM, Ed Zwart wrote:

 I'm still a little fuzzy on legal entries for hostname and domain.  I
 set them to be mine, and it worked, and then for kicks, set it to
 google.com, and that worked too.  I looked at the headers, and can see
 that the source can be traced back to my machine, but that still seems
 kind of easy to spoof.

It is extremely easy to spoof, but google has taken steps to make it
easy for mail servers to detect if mail is spoofed.  So if you send
mail from google.com without it coming from your network, then any
server making use of SPF (Sender Policy Framework) would immediately
identify it as a spoof, and it will be blocked.

To learn more about this system, see

  http://www.openspf.org/


 Anyway, it's not something I'm overly worried
 about; I'm just not clear on what I SHOULD be using for hostname and
 domain.

Well, what is a hostname for the machine that is sending the mail?
Since you are now going through your ISP's mail server, it doesn't need
to be a hostname that can be looked up.  So something like

mailout.my.dom.ain

should do fine.  Use your real domain for the my.dom.ain part.  The
more correct information you provide, the less mail from your system
will look like spam. But even localhost.local would be OK (though a
useful domain name would be better). Using google.com would make it
look like you are up to no good.

-j




--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
