Andrea Soracchi | 14 May 14:24

Mx lookup

Hi,

I have installed postfix 2.5.1.

If I use the opendns service:
resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

the email that I try to send to an unreal domain (i.e. yrcwed4r.it) goes to
the queue with
connection time out:
   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
                                          soracchi <at> yrcwed4r.it

If I use the other DNS (my service provider) the email is bounced to  
sender correctly
(Host or domain name not found. Name service error for  
name=yrcwed4r.it type=AAAA: Host
found but no data record of requested type).

The problem seems to be in opendns service.

Can you help me?

Regards,

-- NETBUILDER S.R.L.
Andrea Soracchi- System Engineer
Tel. 0521-247791

Mark Blackman | 14 May 14:29

Re: Mx lookup


On 14 May 2008, at 13:25, Andrea Soracchi wrote:

> Hi,
>
> I have installed postfix 2.5.1.
>
> If I use the opendns service:
> resolv.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go  
> to the queue with
> connection time out:
>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>                                          soracchi <at> yrcwed4r.it
>
> If I use the other DNS (my service provider) the email is bounced  
> to sender correctly
> (Host or domain name not found. Name service error for  
> name=yrcwed4r.it type=AAAA: Host
> found but no data record of requested type).
>
> The problem seems to be in opendns service.
>
> Can you help me.

Yes, don't use opendns for MX lookups.


Charles Marcus | 14 May 14:53

Re: Mx lookup

On 5/14/2008 8:29 AM, Mark Blackman wrote:
>> If I use the opendns service:
>> resolv.conf
>> nameserver 208.67.222.222
>> nameserver 208.67.220.220
>>
>> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go to
>> the queue with
>> connection time out:
>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>                                          soracchi <at> yrcwed4r.it
>>
>> If I use the other DNS (my service provider) the email is bounced to
>> sender correctly
>> (Host or domain name not found. Name service error for
>> name=yrcwed4r.it type=AAAA: Host
>> found but no data record of requested type).
>>
>> The problem seems to be in opendns service.
>>
>> Can you help me.

> Yes, don't use opendns for MX lookups.

Bad answer... opendns works really well for me and has been for a long
time, on numerous systems.

Just log into your OpenDNS account and disable 'Typo Corrections' and
you're good to go...



Re: Mx lookup


Charles Marcus wrote:
| Bad answer... opendns works really well for me and has been for a long
| time, on numerous systems.

It works perfectly. But he could also run his own caching-only nameserver to speed up things.

--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Sahil Tandon | 14 May 16:13

Re: Mx lookup

* Arturo 'Buanzo' Busleiman <buanzo <at> buanzo.com.ar> [05-14-2008]:

> It works perfectly. But he could also run his own caching-only nameserver 
> to speed up things.

Yep, look into djbdns for that.

-- 
Sahil Tandon <sahil <at> tandon.net>

Mark Blackman | 14 May 15:29

Re: Mx lookup


On 14 May 2008, at 13:53, Charles Marcus wrote:

> On 5/14/2008 8:29 AM, Mark Blackman wrote:
>>> If I use the opendns service:
>>> resolv.conf
>>> nameserver 208.67.222.222
>>> nameserver 208.67.220.220
>>>
>>> the email that I try to send to unreal domain (i.e. yrcwed4r.it)  
>>> go to
>>> the queue with
>>> connection time out:
>>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>>                                          soracchi <at> yrcwed4r.it
>>>
>>> If I use the other DNS (my service provider) the email is bounced to
>>> sender correctly
>>> (Host or domain name not found. Name service error for
>>> name=yrcwed4r.it type=AAAA: Host
>>> found but no data record of requested type).
>>>
>>> The problem seems to be in opendns service.
>>>
>>> Can you help me.
>
>> Yes, don't use opendns for MX lookups.
>
> Bad answer... opendns works really well for me and has been for a long
> time, on numerous systems.

Charles Marcus | 14 May 16:34

Re: Mx lookup

>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>> you're good to go...

> Thanks, I certainly didn't realize that option existed, but
> how does that deal with malicious conflicting IP entries?
> 
> i.e.
> user A declares they do queries from IP A and turn off typo correction
> user B declares they do queries from IP A *as well* and turn *on* typo
> correction.

? What do users have to do with it? This is on a server. If you have
your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
need to have an account with them (free), which is associated with your
IP address(es) in the 'Networks' section.

> They do appear to go to some effort to confirm you're an actual user of
> that IP address, but for multiple machines on a NAT, they can't distinguish
> those cases. The case where you might get two conflicting users at the
> same IP address is small, but not vanishingly so.

? I'm not sure why you are talking about clients/users.

Set up your local caching server / DNS server to use OpenDNS as a
forwarder... tell your Clients to use your DNS server... done.

> In any case, the general point is that openDNS is aimed primarily at
> web clients and so they'll always do a better job for that case
> rather than mx lookups.


Mark Blackman | 14 May 16:41

Re: Mx lookup


On 14 May 2008, at 15:34, Charles Marcus wrote:

>>> Just log into your OpenDNS account and disable 'Typo Corrections'  
>>> and
>>> you're good to go...
>
>> Thanks, I certainly didn't realize that option existed, but
>> how does that deal with malicious conflicting IP entries?
>>
>> i.e.
>> user A declares they do queries from IP A and turn off typo  
>> correction
>> user B declares they do queries from IP A *as well* and turn *on*  
>> typo
>> correction.
>
> ? What do users have to do with it? This is on a server. If you have
> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
> need to have an account with them (free), which is associated with  
> your
> IP address(es) in the 'Networks' section.

I don't think it's uncommon to have a postfix system sitting behind
a NAT IP address with a public IP address shared by web clients
in the same office. First person to sign up with that *shared* public IP
address controls the settings as far as I can tell and that might not be
the system administrator.

- Mark

Charles Marcus | 14 May 16:46

Re: Mx lookup

> I don't think it's uncommon to have a postfix system sitting behind
> a NAT IP address with a public IP address shared by web clients
> in the same office. First person to sign up with that *shared* public IP
> address controls the settings as far as I can tell and that might not be
> the system administrator.

In other words, no solution is a one size fits all - yes, I agree...

-- 

Best regards,

Charles

Blake Hudson | 14 May 16:53

Re: Mx lookup

-------- Original Message  --------
Subject: Re: Mx lookup
From: Mark Blackman <mark <at> exonetric.com>
To: Charles Marcus <CMarcus <at> Media-Brokers.com>
Date: Wednesday, May 14, 2008 9:41:51 AM
>
> On 14 May 2008, at 15:34, Charles Marcus wrote:
>
>>>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>>>> you're good to go...
>>
>>> Thanks, I certainly didn't realize that option existed, but
>>> how does that deal with malicious conflicting IP entries?
>>>
>>> i.e.
>>> user A declares they do queries from IP A and turn off typo correction
>>> user B declares they do queries from IP A *as well* and turn *on* typo
>>> correction.
>>
>> ? What do users have to do with it? This is on a server. If you have
>> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
>> need to have an account with them (free), which is associated with your
>> IP address(es) in the 'Networks' section.
>
> I don't think it's uncommon to have a postfix system sitting behind
> a NAT IP address with a public IP address shared by web clients
> in the same office. First person to sign up with that *shared* public IP
> address controls the settings as far as I can tell and that might not be
> the system administrator.
>

Mark Blackman | 14 May 17:00

Re: Mx lookup


On 14 May 2008, at 15:53, Blake Hudson wrote:

> -------- Original Message  --------
> Subject: Re: Mx lookup
> From: Mark Blackman <mark <at> exonetric.com>
> To: Charles Marcus <CMarcus <at> Media-Brokers.com>
> Date: Wednesday, May 14, 2008 9:41:51 AM
>>
>> On 14 May 2008, at 15:34, Charles Marcus wrote:
>>
>>>>> Just log into your OpenDNS account and disable 'Typo  
>>>>> Corrections' and
>>>>> you're good to go...
>>>
>>>> Thanks, I certainly didn't realize that option existed, but
>>>> how does that deal with malicious conflicting IP entries?
>>>>
>>>> i.e.
>>>> user A declares they do queries from IP A and turn off typo  
>>>> correction
>>>> user B declares they do queries from IP A *as well* and turn  
>>>> *on* typo
>>>> correction.
>>>
>>> ? What do users have to do with it? This is on a server. If you have
>>> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
>>> need to have an account with them (free), which is associated  
>>> with your
>>> IP address(es) in the 'Networks' section.

Bill Cole | 14 May 17:32

Re: Mx lookup

At 3:41 PM +0100 5/14/08, Mark Blackman wrote:
>I don't think it's uncommon to have a postfix system sitting behind
>a NAT IP address with a public IP address shared by web clients
>in the same office. First person to sign up with that *shared* public IP
>address controls the settings as far as I can tell and that might not be
>the system administrator.

The potential for an OpenDNS settings squabble would not be the top
item on most lists of reasons to not share a NAT address between a
mail server and desktop systems.

-- 
Bill Cole                                  
bill <at> scconsult.com

Noel Jones | 14 May 16:59

Re: Mx lookup

Mark Blackman wrote:
>>
>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>> you're good to go...
> 
> Thanks, I certainly didn't realize that option existed, but
> how does that deal with malicious conflicting IP entries?
> 
> i.e.
> user A declares they do queries from IP A and turn off typo correction
> user B declares they do queries from IP A *as well* and turn *on* typo 
> correction.
> 

Only one user can register for a given IP.  As long as you're 
the first to register your IP there isn't a problem.  If one 
of your users already registered your NAT IP, prove to OpenDNS 
you're the admin and they'll bump the squatter off.

Not exactly perfect, but usable.

I've had very good results using OpenDNS as a bind forwarder 
on sites with high-latency connections.  Works great after 
typo correction is turned off.

And an alternative is to use check_sender_mx_access and reject 
anything that returns OpenDNS' search IP.

-- 
Noel Jones
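
An added example, not part of the original thread: one way to find the address a resolver substitutes for nonexistent domains (the report above saw 208.67.217.132) and turn it into entries for the check_sender_mx_access table mentioned in this reply. All function names are hypothetical, and it assumes random 24-character labels under `.com` are unregistered.

```python
import secrets
import socket

# Action text is an assumption; any access(5) action would do.
ACTION = "REJECT sender domain resolves to the resolver's search address"


def system_resolve(name):
    """IPv4 addresses for name via the host's configured resolver."""
    infos = socket.getaddrinfo(name, 25, family=socket.AF_INET,
                               proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def random_names(count=3, suffix="com"):
    # Random labels, assumed unregistered: a resolver that does not
    # rewrite answers should fail to resolve every one of them.
    return [f"{secrets.token_hex(12)}.{suffix}" for _ in range(count)]


def rewritten_answers(resolve, names):
    """Map each address returned for a nonexistent name to its hit count."""
    hits = {}
    for name in names:
        try:
            addrs = resolve(name)
        except socket.gaierror:
            continue  # NXDOMAIN or lookup failure: nothing was substituted
        for ip in addrs:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def cidr_table(hits, min_hits=2):
    """cidr_table(5) lines for addresses seen for several unrelated names."""
    return [f"{ip} {ACTION}"
            for ip, count in sorted(hits.items()) if count >= min_hits]


if __name__ == "__main__":
    # Live probe through whatever resolv.conf points at.
    for line in cidr_table(rewritten_answers(system_resolve, random_names())):
        print(line)
```

A file holding the printed lines (the path here is an assumption) would be referenced as `check_sender_mx_access cidr:/etc/postfix/resolver_search.cidr` under `smtpd_sender_restrictions`.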

Andrea Soracchi | 14 May 15:52

Re: Mx lookup

Thanks,

now it works fine.

Regards,

Quoting Charles Marcus <CMarcus <at> Media-Brokers.com>:

> On 5/14/2008 8:29 AM, Mark Blackman wrote:
>>> If I use the opendns service:
>>> resolv.conf
>>> nameserver 208.67.222.222
>>> nameserver 208.67.220.220
>>>
>>> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go to
>>> the queue with
>>> connection time out:
>>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>>                                          soracchi <at> yrcwed4r.it
>>>
>>> If I use the other DNS (my service provider) the email is bounced to
>>> sender correctly
>>> (Host or domain name not found. Name service error for
>>> name=yrcwed4r.it type=AAAA: Host
>>> found but no data record of requested type).
>>>
>>> The problem seems to be in opendns service.
>>>
>>> Can you help me.
>

