Setup Secondary Mail Relay
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #11
RE: Setup Secondary Mail Relay
vtech101 Wrote:Firstly, when you say "postmap the former file", presumably that means run the command
postmap /etc/postfix/ispcp/domains
... is that correct?
Yeah :)

vtech101 Wrote:Then reload Postfix is
/etc/init.d/postfix reload
right!

vtech101 Wrote:Then the system will accept mails, but will have nowhere local to deliver them and so will just forward them on?
Precisely.

vtech101 Wrote:# MTA Managment Domains List;
#
# Please do NOT edit it manually;
#

At the top...

If I do edit them manually, does that mean that after every new domain added to the list through the web panel, I'll have to edit this again?
This is why you also must update the "/etc/ispcp/postfix/working/domains" file. The panel uses this one as the base when adding (append the domain to the end of this file) or removing (grep out the domain from this file) domains. Therefore, if you also edited this file the domain won't magically re-appear in the postfix's configuration :)
(This post was last modified: 05-05-2009 12:10 AM by kilburn.)
05-05-2009 12:09 AM
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #12
RE: Setup Secondary Mail Relay
(05-05-2009 12:09 AM)kilburn Wrote:  
vtech101 Wrote:Firstly, when you say "postmap the former file", presumably that means run the command
postmap /etc/postfix/ispcp/domains
... is that correct?
Yeah :)

vtech101 Wrote:Then reload Postfix is
/etc/init.d/postfix reload
right!

vtech101 Wrote:Then the system will accept mails, but will have nowhere local to deliver them and so will just forward them on?
Precisely.

vtech101 Wrote:# MTA Managment Domains List;
#
# Please do NOT edit it manually;
#

At the top...

If I do edit them manually, does that mean that after every new domain added to the list through the web panel, I'll have to edit this again?
This is why you also must update the "/etc/ispcp/postfix/working/domains" file. The panel uses this one as the base when adding (append the domain to the end of this file) or removing (grep out the domain from this file) domains. Therefore, if you also edited this file the domain won't magically re-appear in the postfix's configuration :)

You sir, are a genius...

I thank you kindly for your time!

... To the command line!

Jx
(05-03-2009 11:56 PM)sci2tech Wrote:  Yes it was added today but was not tested enough. Seems to work ok, but can't recommend for productive servers. If you want you can add it manually in /var/cache/bind/domain.tld.db

Sorry - one more...

If I manually edit the domain.tld.db will that be changed by the control panel... or will it stay as I edit it?

Many thanks,

Jx
(This post was last modified: 05-05-2009 12:32 AM by vetch101.)
05-05-2009 12:13 AM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #13
RE: Setup Secondary Mail Relay
Guess what: there's a /etc/ispcp/bind/working/domain.tld.db file that the panel won't overwrite. See the pattern? ;)
05-05-2009 12:52 AM
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #14
RE: Setup Secondary Mail Relay
(05-05-2009 12:52 AM)kilburn Wrote:  Guess what: there's a /etc/ispcp/bind/working/domain.tld.db file that the panel won't overwrite. See the pattern? ;)

Lol - yup!

So that's where all the template files come from...

Makes sense... Useful to know!

Cheers,

Jx
05-05-2009 12:54 AM
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #15
RE: Setup Secondary Mail Relay
(05-05-2009 12:52 AM)kilburn Wrote:  Guess what: there's a /etc/ispcp/bind/working/domain.tld.db file that the panel won't overwrite. See the pattern? ;)

Sorry - me again...

I'm just wondering about the SPF tags...
All sending will be going from one of three IP addresses.
None of these will be on the server.

What should I change the spf record to in order to ensure that the DNS records display the correct info?

It is currently:-

domain.tld. IN TXT "v=spf1 a mx ip4:IP.ADD.RE.SS ~all"

where IP.ADD.RE.SS is the server ip address...

Can I add in three lines there with:-
domain.tld. IN TXT "v=spf1 a mx ip4:IP.ADD.RE.SS1 ~all"
domain.tld. IN TXT "v=spf1 a mx ip4:IP.ADD.RE.SS2 ~all"
domain.tld. IN TXT "v=spf1 a mx:domain.dyndns.org ~all"

where IP.ADD.RE.SS1 is the main sender IP address, IP.ADD.RE.SS2 is the 2nd, and domain.dyndns.org is fqdn of the dyndns.org entry for one of the IP addresses?

Or is there a better way to do it?

Can I say any IP address/DNS entry specifically referenced in these files is authorised to send?

Cheers,

Jx

Hmmmm.... based on this:- http://www.openspf.org/SPF_Record_Syntax

Looks like I could use:-

"The "all" mechanism

all

This mechanism always matches. It usually goes at the end of the SPF record.

Examples:

"v=spf1 mx -all"
Allow domain's MXes to send mail for the domain, prohibit all others."

Alongside:-

"The "mx" mechanism

mx
mx/<prefix-length>
mx:<domain>
mx:<domain>/<prefix-length>

All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.

If domain is not specified, the current-domain is used.

The A records have to match the client IP exactly, unless a prefix-length is provided, in which case each IP address returned by the A lookup will be expanded to its corresponding CIDR prefix, and the client IP will be sought within that subnet.

Examples:

"v=spf1 mx mx:deferrals.domain.com -all"
Perhaps a domain sends mail through its MX servers plus another set of servers whose job is to retry mail for deferring domains.

"v=spf1 mx/24 mx:offsite.domain.com/24 -all"
Perhaps a domain's MX servers receive mail on one IP address, but send mail on a different but nearby IP address."

So, I'd add my MX records into the DNS like this:-

domain.tld. IN MX 10 mail.domain.tld.
domain.tld. IN MX 20 mailgate.domain.tld.
domain.tld. IN MX 30 domain.dyndns.org.
domain.tld. IN MX 50 relay.domain.tld.

then have records for:-

mail IN A IP.ADD.RE.SS1
mailgate IN A IP.ADD.RE.SS2
relay IN A IP.ADDRESS.OF.SERVER

and then add something like:-

domain.tld. IN TXT "v=spf1 mx ~all"

Hmmmm.... looking at it, the default is...:-

domain.tld. IN TXT "v=spf1 a mx ip4:IP.ADDRESS.OF.SERVER ~all"

I think that says allow all a records and mx records and the IP Address of the server to send...
... so as long as I've added in the MX records and A records properly, I don't need to worry about SPF1...?

Is that correct?

Cheers,

Jx
(This post was last modified: 05-11-2009 09:15 PM by vetch101.)
05-11-2009 09:00 PM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #16
RE: Setup Secondary Mail Relay
Yeah, it is correct, but I wouldn't recommend you to set MX records for nonexistent mail servers. We (company.tld) solved this issue by adding a dns record mailers.company.tld that resolves to all our managed IPs:
Code:
...
mailers.company.tld.     IN    A     IP.OF.SRV.1
mailers.company.tld.     IN    A     IP.OF.SRV.2
mailers.company.tld.     IN    A     IP.OF.SRV.3
...

Then we modified the templates so the spf record is statically set to:
Code:
v=spf1 a:mailers.company.tld -all

This way, all -and only- our servers are automatically authorized to send mails for all our managed domains. The great thing about this is that we just need to add/remove the corresponding A entry when we add a new server or remove an old one, without worrying about the actual domain's configuration.
05-11-2009 11:42 PM
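
Added example (not part of any post in this thread): a small evaluator for the SPF records discussed in posts #15 and #16, covering only the a, mx, ip4 and all mechanisms. It shows how the single `a:mailers.company.tld -all` record is evaluated, and that publishing several `v=spf1` TXT records for one name gives `permerror` (RFC 7208 section 4.5) rather than a merged policy. The DNS tables and IP addresses are constructed, and `check_host` is this example's own function name.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses, not from the thread).
DNS_A = {
    "mailers.company.tld": ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
    "domain.tld": ["203.0.113.5"],
    "mail.domain.tld": ["203.0.113.5"],
}
DNS_MX = {"domain.tld": ["mail.domain.tld"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _a_match(ip, host):
    """True if ip equals one of the A records published for host."""
    return any(ip == ipaddress.ip_address(a) for a in DNS_A.get(host, []))


def check_host(client_ip, domain, txt_records):
    """Evaluate the a, mx, ip4 and all mechanisms of a domain's SPF policy."""
    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"
    if len(spf) > 1:
        # Several v=spf1 records are an error; receivers do not merge them,
        # so one record has to carry every authorised sender.
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _a_match(ip, arg or domain)
        elif name == "mx":
            matched = any(_a_match(ip, mx) for mx in DNS_MX.get(arg or domain, []))
        else:
            raise ValueError("mechanism outside this example's subset: " + term)
        if matched:
            return RESULT[qualifier]  # first matching mechanism decides
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    record = ["v=spf1 a:mailers.company.tld -all"]
    print(check_host("192.0.2.11", "domain.tld", record))
```

Adding or removing an A record under `mailers.company.tld` changes the result for every domain that publishes this record, with no per-domain edit.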
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #17
RE: Setup Secondary Mail Relay
(05-11-2009 11:42 PM)kilburn Wrote:  Yeah, it is correct, but I wouldn't recommend you to set MX records for nonexistent mail servers. We (company.tld) solved this issue by adding a dns record mailers.company.tld that resolves to all our managed IPs:
Code:
...
mailers.company.tld.     IN    A     IP.OF.SRV.1
mailers.company.tld.     IN    A     IP.OF.SRV.2
mailers.company.tld.     IN    A     IP.OF.SRV.3
...

Then we modified the templates so the spf record is statically set to:
Code:
v=spf1 a:mailers.company.tld -all

This way, all -and only- our servers are automatically authorized to send mails for all our managed domains. The great thing about this is that we just need to add/remove the corresponding A entry when we add a new server or remove an old one, without worrying about the actual domain's configuration.

Hmmm.... That sounds like a good best practice...

I'll implement that...

Once again, the help is much appreciated...

Many thanks,

Jx
05-11-2009 11:46 PM
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #18
RE: Setup Secondary Mail Relay
(05-05-2009 12:09 AM)kilburn Wrote:  
vetch101 Wrote:Then the system will accept mails, but will have nowhere local to deliver them and so will just forward them on?
Precisely.

Hi Kilburn,

You'd have thought I would have resolved this by now, wouldn't you...

Sorry for the constant questions...

I set this up, and tested it by shutting down the main mailserver, sending the mail and then switching it back on...
The mail came direct from the originating server (gmail)...

I thought this was odd, so I thought I'd check the relaying, by putting the

domain.tld. IN MX 5 relay.domain.tld.
domain.tld. IN MX 10 mail.domain.tld.

I thought this would test to see if the mail went into the relay and then got forwarded on to the secondary...

But gmail stated "No relay access"...
Thinking about it, surely if I'm commenting the domain from postfix, unless I'm an open relay, it's going to be blocked?
How do I set the server to be a relay, but only for the specific domain?

Thanks again for all your help!

Cheers,

Jx
05-25-2009 06:58 PM
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #19
RE: Setup Secondary Mail Relay
It was my fault, not yours. You are missing a proper "relay_domains" map, something like:

/etc/postfix/main.cf
Code:
...
relay_domains = hash:/etc/postfix/relay_domains
...

/etc/postfix/relay_domains
Code:
domain1.tld       OK
domain2.tld       OK
...

Remember to postmap the relay_domains file and reload postfix config. This way postfix will relay things about these domains but not about any others :)
05-25-2009 07:25 PM
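
Added example (not part of any post in this thread): a consistency check for the whole procedure from posts #11 and #19, i.e. the domain is gone from the live `/etc/postfix/ispcp/domains` map and from the panel's `/etc/ispcp/postfix/working/domains` copy, and is present in `/etc/postfix/relay_domains`. It assumes all three files use the Postfix lookup-table source layout (key, whitespace, value); the file contents below are constructed and `parse_table` / `audit` are this example's own names.

```python
def parse_table(text):
    """Parse Postfix lookup-table source text into {key: value}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return table


def audit(domain, live_text, working_text, relay_text):
    """Return the reasons a domain meant to be relayed will not be relayed."""
    domain = domain.lower()
    live, working, relay = map(parse_table, (live_text, working_text, relay_text))
    findings = []
    if domain in live:
        findings.append("live")         # still treated as a local domain
    if domain in working:
        findings.append("working")      # panel will write it back to the live map
    if domain not in relay:
        findings.append("relay")        # outside senders get a relay-denied reply
    elif not relay[domain]:
        findings.append("relay-value")  # postmap expects key and value, e.g. OK
    return findings


# Constructed file contents; the right-hand values in the first two are dummies.
LIVE = "# comment line\ndomain2.tld   x\n"
WORKING = "domain1.tld   x\ndomain2.tld   x\n"
RELAY = "domain1.tld       OK\n"

if __name__ == "__main__":
    for name in ("domain1.tld", "domain3.tld"):
        print(name, audit(name, LIVE, WORKING, RELAY))
```

The check reads the source text only; the `postmap` and reload steps from the thread still have to be run after each change.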
vetch101 Offline
Junior Member
*

Posts: 45
Joined: May 2007
Reputation: 0
Post: #20
RE: Setup Secondary Mail Relay
(05-25-2009 07:25 PM)kilburn Wrote:  It was my fault, not yours. You are missing a proper "relay_domains" map, something like:

/etc/postfix/main.cf
Code:
...
relay_domains = hash:/etc/postfix/relay_domains
...

/etc/postfix/relay_domains
Code:
domain1.tld       OK
domain2.tld       OK
...

Remember to postmap the relay_domains file and reload postfix config. This way postfix will relay things about these domains but not about any others :)

You're an absolute star!

I'll try it now and let you know...

BTW - temporarily setting the relay domain as IN MX 5 relay.domain.tld. in DNS...
Is that a valid test? It should then forward on...

Cheers,

Jx

Ah ha - well, it seems to work now with the backup domain as MX 5...
I'll give it another go with the main server down for a while...

Cheers,

Jx
(This post was last modified: 05-25-2009 07:38 PM by vetch101.)
05-25-2009 07:28 PM