Re: [Old box, Newbie] Undelivered Mail Returned to Sender

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Thu Dec 13 2007 - 14:30:04 CST


On Thu, Dec 13, 2007 at 11:43:38AM -0800, Paul Rogers wrote:

> --- Victor Duchovni <Victor.DuchovniMorganStanley.com> wrote:
> > (missing) firewall. Please report:
> > # dig +noall +ans -t mx yahoo.com
> > # su nobody -c 'dig +noall +ans -t mx yahoo.com'
> >
> > If none return the expected MX records: toy DNS
> > If only root sees MX records: config file permission issues
> > In both see MX records: run "smtp -v -v" to log detailed DNS lookups.
> >
>
> Prefix: I remember reading a recommendation to use bind-9.x, didn't
> like
> bind-8.x, liked RedHat's resolver even less. I've got
> libresolv-2.1.2.so
> from RHL-6.1 & kinda doubt a compatible rpm for bind-9 is available at
> this late date.

The currently recommended BIND caching server is 9.3.4-P1 or
9.4.2. Earlier versions have various known security issues.

Your upstream ISP DNS server is a toy DNS server, not suitable for
running an MTA. You can't just use your resolver libraries against
that, a real DNS server is required.

All you need is a root.cache file, and two primary zones:

    "root.cache" (recently updated, I hope everyone has good root.cache files)
        ;
        ; $Id: root.cache 1245 2007-11-07 02:14:10Z viktor $
        ;
        ;; ANSWER SECTION:
        . 518400 IN NS A.ROOT-SERVERS.NET.
        . 518400 IN NS B.ROOT-SERVERS.NET.
        . 518400 IN NS C.ROOT-SERVERS.NET.
        . 518400 IN NS D.ROOT-SERVERS.NET.
        . 518400 IN NS E.ROOT-SERVERS.NET.
        . 518400 IN NS F.ROOT-SERVERS.NET.
        . 518400 IN NS G.ROOT-SERVERS.NET.
        . 518400 IN NS H.ROOT-SERVERS.NET.
        . 518400 IN NS I.ROOT-SERVERS.NET.
        . 518400 IN NS J.ROOT-SERVERS.NET.
        . 518400 IN NS K.ROOT-SERVERS.NET.
        . 518400 IN NS L.ROOT-SERVERS.NET.
        . 518400 IN NS M.ROOT-SERVERS.NET.

        ;; ADDITIONAL SECTION:
        A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
        B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
        C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
        D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
        E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
        F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
        G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
        H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
        I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
        J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
        K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
        L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
        M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33

    "localhost" zone file (localhost):
        $TTL 2D ; Default TTL
        ;
        @ IN SOA localhost. Postmaster.localhost. ( ; "@" is the zone origin, localhost.
                                2007121200 ; Serial
                                10800 ; Refresh after 3 hours
                                3600 ; Retry after 1 hour
                                604800 ; Expire after 1 week
                                3600 ) ; Minimum TTL of 1 hour
         IN NS localhost.
         IN A 127.0.0.1

    "127.in-addr.arpa" zone file (127):
        $TTL 1D ; Default TTL (without it BIND 9 warns and falls back to the SOA minimum)
        @ IN SOA localhost. Postmaster.localhost. ( ; "@" is the zone origin, 127.in-addr.arpa.
                                2007121201 ; Serial
                                10800 ; Refresh after 3 hours
                                3600 ; Retry after 1 hour
                                604800 ; Expire after 1 week
                                86400 ) ; Minimum TTL of 1 day
                IN NS localhost.
        1.0.0 IN PTR localhost.

add named.conf (listen on 127.1 and only recurse for 127.1):

    options {
      directory "/var/named/data";
      pid-file "/var/run/named/named.pid";
      allow-transfer { 127.0.0.1; };
      listen-on { 127.0.0.1/32; };
      notify no;
    };

    logging {
      category lame-servers { null; };
      category delegation-only { null; };
    };

    controls {
      inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    zone "." in {
      type hint;
      file "root.cache";
    };

    zone "127.in-addr.arpa" in {
      type master;
      file "127";
    };

    zone "localhost" in {
      type master;
      file "localhost";
    };

    zone "ac" { type delegation-only; };
    zone "cc" { type delegation-only; };
    zone "com" { type delegation-only; };
    zone "cx" { type delegation-only; };
    zone "museum" { type delegation-only; };
    zone "net" { type delegation-only; };
    zone "nu" { type delegation-only; };
    zone "ph" { type delegation-only; };
    zone "sh" { type delegation-only; };
    zone "tm" { type delegation-only; };
    zone "ws" { type delegation-only; };

and rndc.conf:

    options {
            default-server localhost;
            default-key "rndc-key";
    };

    server localhost {
            key "rndc-key";
    };

    include "/etc/rndc.key";

and generate an rndc key. You are done.

Don't use opendns.com for an MTA, this has been discussed before.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
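The zone files above are short enough to eyeball, but a hint file or master zone that loads with a warning still leaves the resolver in a state where MX lookups fail in exactly the way the original poster describes. The following checker is an added example, not code from the mail or from the BIND project: it parses the master-file syntax used by root.cache, localhost and 127 (";" comments, "$TTL", parenthesised multi-line SOA, blank owners that repeat the previous owner) and flags a root server listed without a glue address, an SOA serial that is not in YYYYMMDDnn form, a zone with no TTL at all, and an apex with no NS record. The sample files embedded in it are constructed to exercise those checks and are not the real root.cache; the function names and the report strings are this example's own.

```python
"""Added example (not from the mail): sanity-check BIND hint and master
zone files like the root.cache, localhost and 127 files quoted above."""
import re
from datetime import date

_TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.I)
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_SERIAL_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})$")


def _ttl(tok):
    """Convert a TTL token such as '3600' or '2D' to seconds."""
    m = _TTL_RE.match(tok)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def _logical_lines(text):
    """Yield (line, owner_is_blank) with ';' comments removed and '( )' groups joined."""
    buf, depth, first = [], 0, None
    for raw in text.splitlines():
        first = raw if first is None else first
        line = raw.split(";", 1)[0]          # these files contain no quoted ';'
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            if joined.strip():
                yield joined, first[:1] in (" ", "\t")
            buf, depth, first = [], 0, None


def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples; owners are made absolute against origin."""
    records, owner, default_ttl = [], None, None
    for line, blank_owner in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$TTL":
                default_ttl = _ttl(tokens[1])
            continue                          # other directives are not needed here
        if not blank_owner:                   # a leading blank repeats the previous owner
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if owner is None:
            raise ValueError("first record has no owner name; BIND rejects this too")
        ttl = default_ttl
        while tokens and (tokens[0].upper() == "IN" or _TTL_RE.match(tokens[0])):
            tok = tokens.pop(0)               # TTL and class may appear in either order
            if tok.upper() != "IN":
                ttl = _ttl(tok)
        records.append((owner, ttl, tokens[0].upper(), tokens[1:]))
    return records


def check_hints(records):
    """Every root NS named in the hint file needs a glue address, or it is useless."""
    glue = {owner for owner, _, rtype, _ in records if rtype in ("A", "AAAA")}
    return [f"root server {rdata[0]} has no glue address"
            for owner, _, rtype, rdata in records
            if owner == "." and rtype == "NS" and rdata[0] not in glue]


def check_soa(records):
    """Apex checks for a master zone: one SOA, a dated serial, a TTL, an apex NS."""
    soas = [r for r in records if r[2] == "SOA"]
    if len(soas) != 1:
        return [f"expected exactly one SOA, found {len(soas)}"]
    owner, ttl, _, rdata = soas[0]
    problems, serial = [], rdata[2]
    m = _SERIAL_RE.match(serial)
    if not m:
        problems.append(f"SOA serial {serial} is not YYYYMMDDnn")
    else:
        try:
            date(*(int(g) for g in m.groups()[:3]))
        except ValueError:
            problems.append(f"SOA serial {serial} encodes an impossible date")
    if ttl is None:
        problems.append("no $TTL and no explicit TTL; BIND 9 falls back to the SOA minimum with a warning")
    if not any(r[0] == owner and r[2] == "NS" for r in records):
        problems.append("zone apex has no NS record")
    return problems


# Constructed samples in the format of the quoted files (not the real root.cache);
# B.ROOT-SERVERS.NET. deliberately lacks glue and the reverse zone lacks $TTL.
SAMPLE_HINTS = """\
.                    518400  IN NS A.ROOT-SERVERS.NET.
.                    518400  IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000  IN A  198.41.0.4
"""
SAMPLE_LOCALHOST = """\
$TTL 2D
@   IN SOA localhost. Postmaster.localhost. (
        2007121200 ; Serial
        10800 3600 604800 3600 )
    IN NS localhost.
    IN A  127.0.0.1
"""
SAMPLE_REVERSE = """\
@     IN SOA localhost. Postmaster.localhost. ( 2007121301 10800 3600 604800 86400 )
      IN NS  localhost.
1.0.0 IN PTR localhost.
"""

if __name__ == "__main__":
    for name, text, origin, check in [("root.cache", SAMPLE_HINTS, ".", check_hints),
                                      ("localhost", SAMPLE_LOCALHOST, "localhost.", check_soa),
                                      ("127", SAMPLE_REVERSE, "127.in-addr.arpa.", check_soa)]:
        problems = check(parse_zone(text, origin))
        print(f"{name}: {'; '.join(problems) or 'ok'}")
```

Run it against the real files by reading them from the named `directory` (here /var/named/data) instead of the embedded samples; a clean report does not replace `named-checkzone`, but it catches the copy-and-paste mistakes (dropped glue line, hand-edited serial, forgotten `$TTL`) that a hint or loopback zone typically picks up when it is typed in from a mail like this one.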