Re: General DNS config questions




On May 30, 1:21 pm, "Michael Dragone" <no.e-mail=less_spam> wrote:
"Max C" <maxc...@xxxxxxxxx> wrote in message

news:1180545679.935626.60140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Well, now hold on... you may be on to something. NSSCO_Spam is not in
our public DNS records at all. When an email arrives at our Firewall
heading for "Exchange" we divert it to "NSSCO_Spam" which is our spam
filter. The spam filter then forwards the email on to Exchange, the
original destination.

Are you saying that even though NSSCO_Spam is not the intended
destination, it should still be listed as a mail server with an MX
record?

Your MX record lists mail.nssco.com which resolves to your .37 IP address.
This IP address answers on port 25, but the SMTP banner states
"NSSCO_Spam.nssco.com."

Some mailers look to see if the SMTP banner hostname matches the MX hostname
(since it's what they expect). While there's nothing technically *wrong*
with your setup, you should consider adding both an MX (at priority 0) and
an A record for "nssco_spam" pointing to your .37 IP address. After a day or
so once DNS propagates around the Internet you can take out the MX and A
records for "mail."

OK. I'll give it a try on my test domain first. I'll give it a
couple of days to propagate and then test it out.

Of course, in my mind, that even further complicates the SPF record
issue. I'm already fuzzy on that issue.

An SPF record simply dictates which servers you declare are authorized to be
sending mail from your domain.

Take for example this SPF record:

v=spf1 mx -all

This means that all the IP addresses resolved from the MX record(s) for the
domain containing this TXT record are recognized by you as legitimate
senders of mail for your domain (the mx part of the SPF record). No other
servers are authorized by you to send mail from your domain (the -all part
of the SPF record).

Most SPF records contain ~all rather than -all since there are instances
where mail MAY be legitimate but not sent by a server you've authorized.
Using the "e-mail this article to a friend" link from the NY Times is one
example.

In your case, if your Exchange server submits outbound mail to your spam
filter box, then the SPF record above with either ~all or -all would likely
work well for your needs.

If however your Exchange server submits outbound mail directly to the
Internet, that SPF record would be incorrect.

That all being said, I prefer to set up SPF records with IP addresses when
possible to avoid extra DNS lookups. So if your Exchange server submits mail
directly itself and its IP address is 1.2.3.4, the SPF record would be:

v=spf1 ip4:1.2.3.4 ~all

I hope this helped somewhat...

Well, it's now about as clear as mud, whereas before it was as clear
as tar. I'm sure there must be a web site I can look up to see an SPF
record defined. I'll look into it.

All of my servers (including my Exchange server) have private IP
addresses. My firewall does 1-to-1 NAT for each of them. That's how
I'm able to route Exchange bound mail to NSSCO_Spam. For the moment,
mail going to the internet from the Exchange server goes to the
firewall and then out to the internet, but in the future we may change
it so that outbound email is also sent through the spam server.

Many thanks (yet again.)
Max.
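
Added example, not part of the original thread: a minimal Python sketch of how a receiving server evaluates the two kinds of SPF record quoted above, showing why an `mx`-only record stops matching when Exchange sends directly from its own NAT address. The domain example.test, the 192.0.2.x addresses and the ZONE table are constructed stand-ins for DNS, and only the `mx`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS: example.test and the 192.0.2.x addresses are
# documentation values chosen for this example, not the poster's real zone.
ZONE = {
    "mx": {"example.test": ["mail.example.test"]},
    "a": {"mail.example.test": ["192.0.2.37"]},  # the spam filter box
}
EXCHANGE_NAT_IP = "192.0.2.40"  # hypothetical public address of Exchange
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, sender_ip, zone=ZONE):
    """Evaluate the mx, ip4 and all mechanisms of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            # Resolve the MX hosts of the domain, then their A records.
            hosts = zone["mx"].get(arg or domain, [])
            matched = any(str(ip) in zone["a"].get(h, []) for h in hosts)
        else:
            return "permerror"  # mechanism outside the subset handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for record in ("v=spf1 mx -all", "v=spf1 mx ~all", "v=spf1 ip4:192.0.2.40 ~all"):
        for ip in ("192.0.2.37", EXCHANGE_NAT_IP):
            print(f"{record!r:32} from {ip}: {check_spf(record, 'example.test', ip)}")
```

Mechanisms are tested in order and the first match decides the result, so the trailing `all` term only applies to senders that none of the earlier mechanisms covered.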
