DNS/MX cfg for private mail host

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 16 20:55:21 UTC 2001


MX wildcards can be really, *really* tricky at times. Is your "outside" box
configured to accept mail for *all* *.foo.bar destinations? If not, then it's
probably choking on the fact that the wildcard points back to itself. Either
you should get the outside box to accept all *.foo.bar mail unconditionally
(which would mean it would accept even illegitimate *.foo.bar destinations),
or you should list all of the internal foo.bar hosts as "aliases" for itself
(e.g. in "Cw"). Or, just ban the use of subdomains altogether and only accept
mail for @foo.bar. This is what we do. Then you wouldn't need the wildcard at
all.


- Kevin

Christopher Hubbell wrote:

> I've got a confusing config I need advice on...
>
> I have an internal host on a private LAN.  It is not resolvable through
> public DNS, and uses a private IP space.  Let's call it inside.foo.bar.
>
> I also have a dual-homed host called outside.foo.bar.  One of its
> interfaces is resolvable through public DNS, the other is private.
>
> "Inside"'s sendmail is set to use "outside" as it's smart relay, and
> "outside" is set to use /etc/aliases to send incoming mail to accounts on
> "inside".  Finally "outside" masquerades as "foo.bar".  This way, all
> outgoing mail looks like "user at foo.bar" but the "inside.foo.bar" machine
> is still in the headers as an originating machine.
>
> I set up my DNS MX record as *.foo.bar --> outside.foo.bar.  This way,
> any private host would resolve to the mail gateway, and I wouldn't need
> to make private machines a security risk.
>
> This allowed me to mail out of foo.bar, but now I seem to have a mail
> loop I can't track down.
>
> Does anyone have a pointer to an example of a similar configuration that
> works, or ambition to assist with our problem?  I'm on the verge of getting
> things working, but I could really use some wisdom.  This is for a
> non-profit site I volunteer at (Boy Scouts of America).
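As an added illustration (not part of either post), the small Python model below shows why the wildcard MX described above loops on the relay, and what each of the three options in the reply does: accept every *.foo.bar destination, list the internal hosts as local names (the Cw class), or accept only @foo.bar. The zone data, hostnames and "Cw" sets are constructed for the example.

```python
"""Model why the wildcard MX from the thread (*.foo.bar -> outside.foo.bar)
loops mail on the relay unless the relay also knows the covered names as
local (sendmail's Cw class), and what each of the three options does.
Zone data and hostnames are constructed for this example."""

# Constructed zone: explicit MX for the apex plus the wildcard from the post.
ZONE_MX = {
    "foo.bar": "outside.foo.bar",
    "*.foo.bar": "outside.foo.bar",
}

def lookup_mx(name, zone=ZONE_MX):
    """Return the MX target for `name`, or None if nothing matches.
    An explicit owner name wins; otherwise the closest enclosing wildcard
    (*.parent, *.grandparent, ...) is used, as in RFC 1034 wildcard matching."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = zone.get("*." + ".".join(labels[i:]))
        if hit is not None:
            return hit
    return None

def route(dest_domain, relay_host, local_names, accept_suffix=None):
    """What the relay does with mail for user@dest_domain.
    local_names plays the role of sendmail's Cw list; accept_suffix models
    'accept all *.suffix unconditionally' (the first option in the reply)."""
    dest = dest_domain.lower().rstrip(".")
    if dest in local_names or (accept_suffix and dest.endswith("." + accept_suffix)):
        return "local"            # accepted, then /etc/aliases forwards to inside
    mx = lookup_mx(dest)
    if mx is None:
        return "bounce"           # no MX at all: undeliverable
    if mx == relay_host:
        return "loop"             # best MX is ourselves: mail ping-pongs
    return "relay:" + mx

if __name__ == "__main__":
    relay = "outside.foo.bar"
    cw_broken = {"outside.foo.bar", "foo.bar"}          # inside.foo.bar missing from Cw
    cw_fixed = cw_broken | {"inside.foo.bar"}           # option 2: list internal hosts
    for dest in ("inside.foo.bar", "foo.bar", "bogus.foo.bar"):
        print(dest, route(dest, relay, cw_broken), route(dest, relay, cw_broken, "foo.bar"),
              route(dest, relay, cw_fixed))
```

Note that listing internal hosts in Cw makes inside.foo.bar deliverable while an unlisted bogus.foo.bar still loops, whereas accepting the whole suffix also accepts the illegitimate name, which is the trade-off the reply points out.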
