Slightly OT - MX RR Sanity Check requested...
Mark_Andrews at isc.org
Thu Mar 29 03:03:34 UTC 2007
> I'm starting to think that I'm just not explaining this well. The strategy
> I'm trying to explain came straight out of the ORA book, "Building Internet
> Firewalls"....albeit years ago. It's on my list of things to do to
> configure SMTP server v-hosting transports under Postfix and then we really
> won't need to use MX RRs the way we do. But until that time, this is the way
> we do it.

We understand exactly what you are doing. ORA got this
*wrong* as it is not guaranteed to work. We are quoting
the relevant parts of the RFCs which prove that ORA got

What ORA suggest works 99.9% of the time. It doesn't work
*all* of the time (as you have discovered).

There are a number of fixes suggested already. The one
thing they all have in common is that, to the Internet at
large, the DMZ mail server is the lowest preference MX and
that the firewalled mail server does not appear in the MX

How mail gets from the DMZ mail server to the firewalled mail
server is a private matter for you to work out.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
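
Added example, not part of the original message: a small check of the two properties the reply says every fix shares, run against the MX records as published to the Internet. The zone snippets and the host names `dmz.example.test` and `inside.example.test` are constructed for illustration.

```python
import re

# Master-file MX line: owner [ttl] [IN] MX preference exchange
MX_LINE = re.compile(
    r"^\s*\S+\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(?P<pref>\d+)\s+(?P<host>\S+)",
    re.IGNORECASE,
)

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def parse_mx(zone_text):
    """Return (preference, exchange) pairs sorted by preference."""
    records = []
    for line in zone_text.splitlines():
        m = MX_LINE.match(line.split(";", 1)[0])  # drop zone-file comments
        if m:
            records.append((int(m["pref"]), norm(m["host"])))
    return sorted(records)

def audit_mx(zone_text, dmz_host, firewalled_host):
    """List the ways the public MX RRset departs from the advice above."""
    records = parse_mx(zone_text)
    if not records:
        return ["no MX records found"]
    findings = []
    if norm(firewalled_host) in {h for _, h in records}:
        findings.append(f"{firewalled_host} is published as an MX target")
    lowest = records[0][0]
    first_choice = {h for p, h in records if p == lowest}
    if first_choice != {norm(dmz_host)}:
        findings.append(f"lowest preference MX is {sorted(first_choice)}, "
                        f"not {dmz_host}")
    return findings

# Constructed sample: an RRset that exposes the firewalled server.
BEFORE = """
example.test. 3600 IN MX 10 inside.example.test. ; behind the firewall
example.test. 3600 IN MX 20 dmz.example.test.
"""
# Constructed sample: only the DMZ server is visible to outside senders.
AFTER = "example.test. 3600 IN MX 10 dmz.example.test.\n"

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_mx(zone, "dmz.example.test", "inside.example.test"))
```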