From: donovan jeffrey j on

On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
>
> Rather test with:
> 2.0.0.127.zen.spamhaus.org
>
> which should return:
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10

Yes, this is working now.

Question on my setup: my primary MX server sits inside my network, with a NATed IP. My Postfix config references only the inside network.
Should I move this MX server outside and use its public address in the config? Inbound mail gets checked and relayed to a content filter on another server.

mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16

Or am I fine leaving it behind the NAT?
To help fix the DNS problem I want to run a cache-only DNS on the primary MX. Not sure I wanted that inside or outside. I'm leaning to outside.
Tips, flames welcome

-j
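Ralf's test point is the quickest health check for the resolver Postfix uses for reject_rbl_client. The following script is an added example, not code from the thread: it takes the text that `host` printed and classifies the answer set, so that a resolver that returns NXDOMAIN (what the original poster saw), an ISP resolver that rewrites NXDOMAIN into a non-127.x address, or an answer in the 127.255.255.0/24 range that Spamhaus uses to signal query problems are all reported distinctly. The sample outputs in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a resolver returns for
# the DNSBL test point 2.0.0.127.zen.spamhaus.org, so a Postfix admin can tell
# a healthy resolver from the failure modes that make reject_rbl_client
# silently useless. Pass the text that "host" printed as the first argument.

# The address set Ralf quoted as the correct answer for the test point:
ZEN_EXPECTED="127.0.0.2 127.0.0.4 127.0.0.10"

# classify_zen_test "<host output>"
# Prints one word and returns 0 only for "ok":
#   ok        all three expected answers are present
#   nxdomain  resolver says the name does not exist (what the OP saw)
#   error     answer in 127.255.255.0/24, the range Spamhaus uses to signal a
#             problem with the query itself (open resolver, volume limits)
#   hijacked  answer outside 127.0.0.0/8, typical of an ISP resolver that
#             rewrites NXDOMAIN into a search-page address
#   partial   only some of the expected answers came back
#   empty     no address records in the output at all
classify_zen_test() {
    out=$1
    case $out in
        *"not found"*|*NXDOMAIN*) echo nxdomain; return 1 ;;
    esac
    # keep only the last field of "... has address A.B.C.D" lines
    addrs=$(printf '%s\n' "$out" | awk '/has address/ { print $NF }')
    if [ -z "$addrs" ]; then echo empty; return 1; fi
    for a in $addrs; do
        case $a in
            127.255.255.*) echo error; return 1 ;;
            127.*) ;;
            *) echo hijacked; return 1 ;;
        esac
    done
    for e in $ZEN_EXPECTED; do
        if ! printf '%s\n' "$addrs" | grep -qx "$e"; then
            echo partial; return 1
        fi
    done
    echo ok
}

# Live use (needs network and the "host" tool); the exit code is the verdict:
# classify_zen_test "$(host 2.0.0.127.zen.spamhaus.org 2>&1)"
```

Run it against the caching resolver on the MX itself (`host ... 127.0.0.1`) and against the ISP's resolver to see which one is at fault.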
From: "Steve" on

-------- Original Message --------
> Date: Mon, 19 Apr 2010 21:03:51 -0400
> From: donovan jeffrey j <donovan(a)beth.k12.pa.us>
> To: Ralf Hildebrandt <Ralf.Hildebrandt(a)charite.de>
> CC: Postfix users <postfix-users(a)postfix.org>
> Subject: Re: DNS RBL error

>
> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
> >
> > Rather test with:
> > 2.0.0.127.zen.spamhaus.org
> >
> > which should return:
> > 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
> > 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
> > 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>
> Yes, this is working now.
>
> Question on my setup: my primary MX server sits inside my network, with a
> NATed IP. My Postfix config references only the inside network.
> Should I move this MX server outside and use its public address in the
> config? Inbound mail gets checked and relayed to a content filter on another
> server.
>
> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>
> Or am I fine leaving it behind the NAT?
> To help fix the DNS problem I want to run a cache-only DNS on the primary
> MX. Not sure I wanted that inside or outside. I'm leaning to outside.
> Tips, flames welcome
>
You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP's name servers, then that caching will not necessarily help much if your ISP's NS are the problem.

If this is the case, then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers. Something like the following might be helpful to you:
------------------------------------------
zone "spamhaus.org" in {
type forward;
allow-query { 127.0.0.1; };
forwarders {
82.94.216.239; // ns8.spamhaus.org
194.82.174.6; // ns20.ja.net
149.20.58.65; // ns.dns-oarc.net
194.109.9.101; // ns3.xs4all.nl
207.241.224.5; // ns2.spamhaus.org
192.150.94.200; // ns3.spamhaus.org
195.169.124.71; // ns3.surfnet.nl
};
};
------------------------------------------

Keep in mind that the NS list for spamhaus.org could change in the future. If that happens, then you need to update the forwarders list above.

Keep in mind that if you put that server out on the net, you should update the list of IPs allowed to query that zone by updating allow-query. Most likely you will not need to do anything because you are not authoritative for that domain/zone, but God only knows what else you will add to your named.conf, so limiting it additionally inside the zone will not do any harm.


> -j
>
// Steve

From: donovan jeffrey j on

On Apr 19, 2010, at 9:22 PM, Steve wrote:

> You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP's name servers, then that caching will not necessarily help much if your ISP's NS are the problem.
>
Thanks for the reply.
This is where I get upside down.

If I'm caching only on localhost 127.0.0.1, and I point my OS to use local DNS, it will query root servers, correct?
But sitting on the inside behind a NATed IP, how then does it resolve internal hosts if I'm resolving from root servers? I guess I could pull secondary from the internal DNS server, but I do not want addresses to bleed over. Sorry, I know it's not a Postfix thread issue; just trying to make sure my requests are coming out correctly.
-j

> If this is the case, then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers. Something like the following might be helpful to you:
> ------------------------------------------
> zone "spamhaus.org" in {
> type forward;
> allow-query { 127.0.0.1; };
> forwarders {
> 82.94.216.239; // ns8.spamhaus.org
> 194.82.174.6; // ns20.ja.net
> 149.20.58.65; // ns.dns-oarc.net
> 194.109.9.101; // ns3.xs4all.nl
> 207.241.224.5; // ns2.spamhaus.org
> 192.150.94.200; // ns3.spamhaus.org
> 195.169.124.71; // ns3.surfnet.nl
> };
> };
> ------------------------------------------
>

I will keep this handy. I could have used this snippet this morning. :)

> Keep in mind that the NS list for spamhaus.org could change in the future. If that happens, then you need to update the forwarders list above.
>
As in most things these days. Thanks.
> Keep in mind that if you put that server out on the net, you should update the list of IPs allowed to query that zone by updating allow-query. Most likely you will not need to do anything because you are not authoritative for that domain/zone, but God only knows what else you will add to your named.conf, so limiting it additionally inside the zone will not do any harm.

From: Noel Jones on
On 4/19/2010 8:22 PM, Steve wrote:
>
> -------- Original Message --------
>> Date: Mon, 19 Apr 2010 21:03:51 -0400
>> From: donovan jeffrey j<donovan(a)beth.k12.pa.us>
>> To: Ralf Hildebrandt<Ralf.Hildebrandt(a)charite.de>
>> CC: Postfix users<postfix-users(a)postfix.org>
>> Subject: Re: DNS RBL error
>
>>
>> On Apr 19, 2010, at 3:07 PM, Ralf Hildebrandt wrote:
>>>
>>> Rather test with:
>>> 2.0.0.127.zen.spamhaus.org
>>>
>>> which should return:
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.2
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.4
>>> 2.0.0.127.zen.spamhaus.org has address 127.0.0.10
>>
>> Yes, this is working now.
>>
>> Question on my setup: my primary MX server sits inside my network, with a
>> NATed IP. My Postfix config references only the inside network.
>> Should I move this MX server outside and use its public address in the
>> config? Inbound mail gets checked and relayed to a content filter on another
>> server.
>>
>> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>>
>> Or am I fine leaving it behind the NAT?
>> To help fix the DNS problem I want to run a cache-only DNS on the primary
>> MX. Not sure I wanted that inside or outside. I'm leaning to outside.
>> Tips, flames welcome
>>
> You can run that caching DNS wherever you want as long as you secure that DNS. If you use BIND and are using forwarders to your ISP's name servers, then that caching will not necessarily help much if your ISP's NS are the problem.
>
> If this is the case, then instruct your BIND to forward queries for spamhaus.org directly to their name servers instead of going over your ISP's name servers. Something like the following might be helpful to you:
> ------------------------------------------
> zone "spamhaus.org" in {
> type forward;
> allow-query { 127.0.0.1; };
> forwarders {
> 82.94.216.239; // ns8.spamhaus.org
> 194.82.174.6; // ns20.ja.net
> 149.20.58.65; // ns.dns-oarc.net
> 194.109.9.101; // ns3.xs4all.nl
> 207.241.224.5; // ns2.spamhaus.org
> 192.150.94.200; // ns3.spamhaus.org
> 195.169.124.71; // ns3.surfnet.nl
> };
> };
> ------------------------------------------
>

Much simpler to just turn off forwarding for that zone. BIND
can figure it out itself without you having to update manually.
zone "spamhaus.org" in {
type forward;
forwarders {};
};

-- Noel Jones
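Putting Steve's "secure that DNS" advice, Noel's empty forwarders list and the original poster's internal-hosts question together, here is an added example of a caching-only named.conf for the MX itself. It is not from the thread; the internal zone name "corp.example" and the internal server 10.135.0.53 are placeholders for the poster's real values.

```conf
// Added example, not from the thread: caching-only BIND on the MX host.
options {
    // Only answer the MX itself; nothing from the NAT'd LAN or the outside
    // can use this resolver, which is what "secure that DNS" comes down to.
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { 127.0.0.1; ::1; };
    allow-recursion { 127.0.0.1; ::1; };
    // No global "forwarders": walk down from the root servers so RBL answers
    // never pass through the ISP's caches.
};

// Kept explicitly so that if a global forwarders list is ever added, this
// zone still bypasses it (Noel's point): an empty list turns forwarding
// off for this zone only, and BIND finds the spamhaus.org NS on its own.
zone "spamhaus.org" IN {
    type forward;
    forwarders {};
};

// Internal names are the one case that must NOT go to the root servers:
// hand them to the internal DNS server instead. Placeholders below.
zone "corp.example" IN {
    type forward;
    forward only;
    forwarders { 10.135.0.53; };
};

// Reverse lookups for the internal range (10.135.0.0/16 in the OP's
// mynetworks) go the same way.
zone "135.10.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 10.135.0.53; };
};
```

Point /etc/resolv.conf at 127.0.0.1 afterwards and re-run the 2.0.0.127.zen.spamhaus.org test from Ralf's message against that resolver.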

From: Noel Jones on
On 4/19/2010 8:03 PM, donovan jeffrey j wrote:

> question on my setup. my primary MX server sits inside my network, with a NATed IP. my postfix config references only the inside network.
> should i move this MX server outside and use it's public address in the config ? inbound mail gets checked and relayed to a content filter on another server.
>
> mynetworks = 127.0.0.1/32,192.168.0.10/32,10.135.0.0/16
>
> or am i fine leaving it behind the NAT ?

Postfix will work just dandy behind a NAT device, assuming a
sane NAT configuration that allows Postfix to log the real
remote client IP and not the NAT device IP.

You should add your external IP to the proxy_interfaces
parameter. Postfix uses that for loop detection and to accept
mail to postmaster@[external.IP].
http://www.postfix.org/postconf.5.html#proxy_interfaces

# main.cf
proxy_interfaces = public.ip.address.here

-- Noel Jones