
unique DNS for multiple SMTP servers setup


wilson2468 (Technical User), Jun 2, 2006
I need to have my ISP configure DNS for a failover scenario:

I have a CSS that will allow me to send mail to several different servers using the same IP address.

The CSS will take the mail from the outside and point it to my Virtual IP address. Depending on which server is active, that server will get the inbound mail.

This is ok for inbound mail, but when the servers initiate sending mail from the inside out, it will come from the PIX NATed address rather than the CSS VIP.

I am not sure what to do about reverse lookups in this situation.

Can I have one MX record for the VIP address and have several PTR records point to the different servers for outbound mail?

For Example:

MX 199.99.99.99 smtp.mydomain.com

PTR 1.99.99.199 smtp.mydomain.com
PTR 2.99.99.199 smtp.mydomain.com
PTR 3.99.99.199 smtp.mydomain.com
PTR 4.99.99.199 smtp.mydomain.com
 

Okay, I will spill this in BIND format:

@    IN MX 10 smtp.mydomain.com.   ; in the mydomain.com zone
smtp IN A  199.99.99.99

Some MTA checkers only check that the reverse and forward match, because the reverse is easily spoofed by anyone owning a domain. I don't think you want to reuse the smtp name, I would simply map each one to a separate similar name:

1.99.99.199.in-addr.arpa. IN PTR smtpout1.mydomain.com.
2.99.99.199.in-addr.arpa. IN PTR smtpout2.mydomain.com.
3.99.99.199.in-addr.arpa. IN PTR smtpout3.mydomain.com.
...
and the forward lookup

smtpout1 IN A 199.99.99.1
smtpout2 IN A 199.99.99.2
smtpout3 IN A 199.99.99.3
...

You COULD specify multiple A records for a single name, but I am not sure that most MTA mailers will decode that correctly when they do the reverse to forward checking, so why take that chance?

-egp



 
You're concerned about FCrDNS.


When I operated an ISP, we couldn't deny email based on forward<->reverse queries not matching. We had too many support calls and nothing we could say to non-technical users about having their sysadmins fix their nameservers made sense to them. They just wanted their email, dammit.

Most mail admins are tired of explaining this and fighting over it, so they don't require FCrDNS in order to accept mail. Some may require at least *something* from a reverse lookup even if not FCrDNS. These are typically exceptions to the rule, mostly in very limited setups where you can require it and get away with telling your users "tough sh*t". Note that if you don't provide any PTR record at all, the reverse lookup timeout can take longer than the SMTP open session timeout, thus it closes before you get a chance to talk. It's like answering the phone and you ask who's calling but it takes too long for an answer so you hang up on them.


--jeff
 
I did not take your advice, I instead made the PTR record the same for all IP Addresses pointing to popserver and this did not work.

Most domains worked fine, but there were a few that rejected us.

I was worried about the MX records.

Do you think that all I need is to have A records match the PTR records and not concern myself with the MX records at all for successful reverse lookups if the mail is only originating from the different addresses?

If so, is the MX record only used for inbound mail to us?
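An added example, not posted by anyone in this thread, of the FCrDNS check egp and jeff describe, run against constructed in-memory PTR and A records instead of live DNS. It shows why egp's one-name-per-IP scheme passes, why a name with several A records also passes when the checker accepts any matching A record, and why pointing every IP's PTR at the single name popserver fails for every IP except the one that name's A record actually holds (all addresses and names are constructed sample values).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over constructed zone data."""
from __future__ import annotations
import ipaddress

# Constructed reverse zone: in-addr.arpa owner name -> PTR targets.
PTR_RECORDS = {
    # egp's scheme: a distinct forward name for each outbound IP
    "1.99.99.199.in-addr.arpa.": ["smtpout1.mydomain.com."],
    "2.99.99.199.in-addr.arpa.": ["smtpout2.mydomain.com."],
    "3.99.99.199.in-addr.arpa.": ["smtpout3.mydomain.com."],
    # one name with several A records (the case egp was unsure about)
    "21.99.99.199.in-addr.arpa.": ["shared.mydomain.com."],
    "22.99.99.199.in-addr.arpa.": ["shared.mydomain.com."],
    # the follow-up post's setup: every IP's PTR points at the same name
    "11.99.99.199.in-addr.arpa.": ["popserver.mydomain.com."],
    "12.99.99.199.in-addr.arpa.": ["popserver.mydomain.com."],
}

# Constructed forward zone: hostname -> A records.
A_RECORDS = {
    "smtpout1.mydomain.com.": ["199.99.99.1"],
    "smtpout2.mydomain.com.": ["199.99.99.2"],
    "smtpout3.mydomain.com.": ["199.99.99.3"],
    "shared.mydomain.com.": ["199.99.99.21", "199.99.99.22"],
    "popserver.mydomain.com.": ["199.99.99.11"],  # a single A record
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> tuple[bool, list[str]]:
    """Return (passed, confirmed_names) for the sending IP.

    Step 1: reverse lookup (PTR) of the IP gives candidate hostnames.
    Step 2: forward lookup (A) of each candidate must contain the IP.
    A hostname with several A records passes if ANY of them is the IP.
    No PTR at all, or a PTR whose A records omit the IP, fails.
    """
    names = ptr.get(reverse_name(ip), [])
    confirmed = [n for n in names if ip in a.get(n, [])]
    return bool(confirmed), confirmed


if __name__ == "__main__":
    for ip in ("199.99.99.1", "199.99.99.22", "199.99.99.11", "199.99.99.12"):
        print(ip, fcrdns(ip))
```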
 
You are correct, MX records are only used for incoming mail. The sending SMTP server does an nslookup on your domain querying the MX record. Once it gets your MX record, it tries the SMTP servers in order of their weight (priority).



Mike Fegan, MCSA, MCSE
