Re: Exchange, SBS and Reverse DNS - Best Practices??




To clarify, I am not hosting a public website nor their DNS on the SBS.
Their public website and DNS hosting are both hosted elsewhere. Sorry if my
post wasn't clear on those points.

Bryan

"Claus" <cjobes@xxxxxxxxxxxxx> wrote in message
news:OgjXqzrZIHA.4172@xxxxxxxxxxxxxxxxxxxxxxx
I would insist that the web developer fixes his/her issues. It's plain bad
coding.

It is a very very bad idea to host a public website on the SBS. Lots of
security risks. Now, with certain setups you could still achieve having
website and mail going to the same public IP without hosting it on the
SBS.

Place a second box into the DMZ on your router and then forward incoming
traffic on port 80 to that box. SBS doesn't need (and shouldn't get) port
80 traffic. If you need SSL traffic directed to your website, you are out
of luck or you will lose part of the SBS functionality.

--
Claus
"Alan" <alan@xxxxxxxxx> wrote in message
news:O8NvPerZIHA.4332@xxxxxxxxxxxxxxxxxxxxxxx


"Bryan L" <rand59@xxxxxxxxxxxxxxxx> wrote in message
news:e5tV4NrZIHA.4160@xxxxxxxxxxxxxxxxxxxxxxx
This may be slightly OT, so please direct me elsewhere if you know of a
more appropriate place to post. And thanks in advance for reading a
long post.

I'm an IT professional who's come to appreciate SBS 2003 in my own
workplace, so I recommended it for a family member's business. They
like their new SBS network, which we planned and implemented about a
year ago. They are now hosting their own email, but for a while they had
troubles sending email to certain domains (AOL and a number of others).

As I worked the problem, it appeared that the trouble was related to
their DNS setup. Their email server's DNS records would pass normal
reverse lookup checking, but a reverse lookup of their second-level
domain name would resolve to another IP address; in fact, the IP address
of their website. It appeared that some organizations were taking a
more aggressive stance against spam and were using those "conflicting"
lookup results as evidence that their server wasn't who it said it was,
and were consequently blocking their email.

In discussing the issue with their website admin -- who also happened to
be controlling their DNS -- he either disagreed with my assessment, or
didn't understand me, and was reluctant to make any changes to their
DNS. We finally agreed that he would turn over hosting of their DNS to
me. The DNS hosting transfer took place several months ago and went
smoothly. (The SBS is not hosting their public DNS - it's now placed
with a large, reputable hosting company.) Of course I configured "www"
to resolve to the same IP as always, but I configured their DNS so that
reverse lookups of "mail.domain.com" and "domain.com" resolved to the
same IP. Since that time I've heard no complaints about outgoing emails
being blocked or returned.

However, there is now a problem with the shopping cart feature of
their website. In looking at the notes provided by their website admin,
I think the problem is that in their shopping cart configuration, the
URLs "www.domain.com" and "domain.com" were probably used
interchangeably. It worked before the DNS move because at that time,
both lookups resolved to the IP of the website -- now only "www"
resolves to the website, while the second-level domain name resolves to
the IP of the SBS.

The way I see it, there are two solutions: have the website admin
configure all URLs within the website shopping cart setup to use the
correct FQDN of the website -- OR -- reconfigure the DNS on their
second-level domain name to again resolve to the website's IP. But
before I stick to my guns with the website admin, I want to be sure I'm
not in the wrong. So my questions are these:

1) I understood that using reverse DNS to combat spam was limited to
checking IP > DNSHostName, then DNSHostName > IP. Is it true and/or
accepted that admins may also check DNSDomainName > IP for another
match?
2) What do best practices say about setting "domain.com" to resolve to
the same IP as the MX record? Do they say anything about how to
configure the second-level domain name resolution?
3) Have I made any horrendous mistakes here? I feel I acted
responsibly in a step-by-step, thorough manner, but if I've gone awry
somewhere please don't hesitate to point it out.

Incidentally, the website admin believes that I actually moved the
website hosting in addition to the DNS, which I did not -- the IP of the
website has not changed. He showed me the results of a tracert that are
supposed to "prove" this, but the tracert was not performed on "www",
but on the domain name itself -- which of course resolved to the WAN IP
of the SBS, which he does not recognize.

Thanks again for reading a long post, and thanks in advance for any
replies.

Bryan


Hi Bryan,

This is my 'take' on it - not necessarily what the RFCs say or what most
people do.

1) The website admin should definitely re-write any URLs that do not
specify the server, and only contain the domain name.

2) You should configure a proper SPF record in the DNS records as I am
guessing that might help in resolving your issues with third party mail
servers that are doing reverse DNS lookups.

3) Where should your DNS record point the domain IP address to? The
right answer, as far as I am concerned is 'nowhere' since it is not a
computer. HOWEVER, given that so many people *expect* to be able to type:
domainname.com into their web browser and connect to a machine that is
serving http requests, the best (commercial) answer is probably to point
it at the website.


Of course, if (2) does not solve the problem with email, then you really
have a sticky problem. In that case....

4) Consider hosting the website on the same IP address?? Not a pretty
option I grant you!


I wonder if you can find out *specifically and definitively* why AOL was
bouncing the emails? That might inform your decision making?


HTH, and Good Luck in a difficult situation!

--

Alan.

The views expressed are my own, and not those of my employer or anyone
else associated with me.

My current valid email address is:

1bupdvc02@xxxxxxxxxxxxxx

This is valid as is. It is not munged, or altered at all.

It will be valid for AT LEAST one month from the date of this post.

If you are trying to contact me after that time,
it MAY still be valid, but may also have been
deactivated due to spam. If so, and you want
to contact me by email, try searching for a
more recent post by me to find my current
email address.

The following is a (probably!) totally unique
and meaningless string of characters that you
can use to find posts by me in a search engine:

ewygchvboocno43vb674b6nq46tvb
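The checks the thread argues about (Bryan's question 1 and Alan's point 2), worked through as an added example that is not code from any poster. It models the two DNS layouts the thread describes (apex pointing at the website before the move, apex pointing at the SBS after it) in a constructed in-memory zone, so it runs offline; the names `example.com`, `mail.example.com`, and the addresses 203.0.113.10 (SBS WAN) and 198.51.100.20 (website) are invented stand-ins. It goes slightly beyond the thread by also evaluating a minimal SPF record (`a`, `mx`, `ip4`, `all` only) so you can see what Alan's SPF suggestion changes for a receiver. To run it against live DNS, replace `StubResolver` with `socket.gethostbyaddr`/`socket.getaddrinfo` or dnspython.

```python
"""FCrDNS, HELO, apex-vs-MX and minimal SPF checks against a stub zone."""
import ipaddress

# Constructed zone data (hypothetical names and addresses).
#   203.0.113.10  = SBS / Exchange WAN address
#   198.51.100.20 = externally hosted website
ZONE_BEFORE = {  # as the web admin had it: apex resolves to the website
    ("A", "mail.example.com."): ["203.0.113.10"],
    ("A", "www.example.com."): ["198.51.100.20"],
    ("A", "example.com."): ["198.51.100.20"],
    ("MX", "example.com."): ["mail.example.com."],
    ("PTR", "10.113.0.203.in-addr.arpa."): ["mail.example.com."],
    ("TXT", "example.com."): [],
}
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER[("A", "example.com.")] = ["203.0.113.10"]      # apex now -> SBS
ZONE_AFTER[("TXT", "example.com.")] = ["v=spf1 mx -all"]  # added SPF record


class StubResolver:
    """Dictionary-backed resolver so the example runs without network access."""

    def __init__(self, zone):
        self.zone = zone

    def query(self, rtype, name):
        key = (rtype, name.lower().rstrip(".") + ".")
        return list(self.zone.get(key, []))


def reverse_name(ip):
    """IPv4/IPv6 address -> the in-addr.arpa / ip6.arpa name used for PTR lookups."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def spf_result(ip, domain, resolver):
    """Tiny SPF evaluator: a, a:host, mx, ip4:, and the 'all' qualifier only.
    No include/redirect/exists/macros; enough to show what 'v=spf1 mx -all' does."""
    records = [t for t in resolver.query("TXT", domain) if t.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in resolver.query("A", arg or domain)
        elif mech == "mx":
            matched = any(ip in resolver.query("A", mx)
                          for mx in resolver.query("MX", domain))
        else:
            continue  # unsupported mechanism is skipped in this toy evaluator
        if matched:
            return verdict[qual]
    return "neutral"


def check_sender(ip, helo, mail_from_domain, resolver):
    """Run the checks a receiving MTA might apply to a connecting SMTP client.

    fcrdns : IP -> PTR name -> A record contains IP (the usual check)
    helo   : HELO/EHLO name resolves to the connecting IP
    apex   : the envelope sender's bare domain resolves to the IP (the stricter
             check Bryan describes some receivers applying)
    spf    : result of the domain's SPF record for this IP
    """
    ptrs = resolver.query("PTR", reverse_name(ip))
    return {
        "ptr": ptrs,
        "fcrdns": any(ip in resolver.query("A", p) for p in ptrs),
        "helo": ip in resolver.query("A", helo),
        "apex": ip in resolver.query("A", mail_from_domain),
        "spf": spf_result(ip, mail_from_domain, resolver),
    }


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_sender("203.0.113.10", "mail.example.com",
                                  "example.com", StubResolver(zone)))
```

In the "before" layout FCrDNS and HELO already pass; only the apex check fails, which is exactly the mismatch Bryan saw being used against the server. In the "after" layout the apex check passes, but a publish-once `v=spf1 mx -all` record would also have given a receiver a positive answer without touching the apex record, which is what leaves room to point `example.com` back at the website.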