ian@newsserver.sfu.ca (Ian Reddy) (04/30/91)
Okay, I'm crying "uncle".  I just don't see how to do the following with
MX records:

        Rest of the World (aka "Internet")
                |
                |
        mailserver.sfu.ca. (ie. central mailhost for Simon Fraser University)
        1) aka whistler.sfu.ca.
        2) has in DNS:
                sfu.ca.                 IN MX 10 whistler.sfu.ca.
                whistler.sfu.ca.        IN MX 10 whistler.sfu.ca.
        3) handles ultimately ALL incoming and outgoing mail for the campus
        4) does allow some (sub)domains (ie. chem.sfu.ca) or hosts
           (ie. charm.chem.sfu.ca) to receive/send mail as long as 3) is
           obeyed (here is the problem part).
        |                   |                   |
        |                   |                   |
  chem.sfu.ca.      charm.chem.sfu.ca.    blah.blah.sfu.ca.
        ^                   ^                   ^
        |                   |                   |
  --> What do I put in the DNS for these hosts' MX records?????

If I put in (for example):

        charm.chem.sfu.ca.      IN MX 5  charm.chem.sfu.ca.
        charm.chem.sfu.ca.      IN MX 10 whistler.sfu.ca.

then incoming mail for charm will be delivered straight to charm rather
than through whistler, and if I put in:

        charm.chem.sfu.ca.      IN MX 10 whistler.sfu.ca.
        charm.chem.sfu.ca.      IN MX 15 charm.chem.sfu.ca

then whistler will discard both entries and suffer an "internal error".

There must be a way to have a central mailhost for a site as far as
incoming mail is concerned and yet still allow for distribution within
the site to subsidiary hosts.  What am I missing?

--
Ian Reddy, UNIX Systems Consultant      Internet:  Ian_Reddy@ucs.sfu.ca
Computing Services, AD1021              BITNET:    USERIGR1@SFU
Simon Fraser University                 Telephone: (604) 291-3936
Burnaby, B.C.  Canada  V5A 1S6          Fax:       (604) 291-4242
rickert@mp.cs.niu.edu (Neil Rickert) (04/30/91)
In article <1991Apr29.235753.2639@newsserver.sfu.ca> ian@newsserver.sfu.ca (Ian Reddy) writes:
>Okay, I'm crying "uncle".  I just don't see how to do the following with
>MX records:
>
>        mailserver.sfu.ca. (ie. central mailhost for Simon Fraser University)
>        1) aka whistler.sfu.ca.
>        2) has in DNS:
>                sfu.ca.                 IN MX 10 whistler.sfu.ca.
>                whistler.sfu.ca.        IN MX 10 whistler.sfu.ca.
>        3) handles ultimately ALL incoming and outgoing mail for the campus
>        4) does allow some (sub)domains (ie. chem.sfu.ca) or hosts
>           (ie. charm.chem.sfu.ca) to receive/send mail as long as 3) is
>           obeyed (here is the problem part).

Where were you when I needed you?  (Rhetorical question).

Several weeks ago I suggested (in comp.protocols.tcp-ip.domains) some
ideas for modestly extending MX records to handle just these sorts of
problems.  Unfortunately, the proposal was not warmly welcomed.  A number
of respondents who deal with mail problems agreed that there was a
substantial need, but those who control the DNS definitions did not
agree.  I think the prevailing philosophy is that you shouldn't do this.
You should let charm.chem.sfu.ca handle its own mail directly, and not
insist on filtering it all through whistler.sfu.ca.

>        There must be a way to have a central mailhost for a site as far
>        as incoming mail is concerned and yet still allow for distribution
>        within the site to subsidiary hosts.  What am I missing?

The simple answer is that you are trying to do the impossible.  As long
as charm.chem.sfu.ca is talking to the network, and is running an smtp
listener process, mail can always be sent directly.  For example, if I
mail to 'person@[128.189.40.1]', I will automatically bypass your MX
records and send the mail directly.  There are only two ways to prevent
this - either don't run an SMTP listener (i.e. a sendmail daemon) on
charm; or don't allow any packets from outside your campus to be
forwarded to the smtp port on charm.

Some routers permit packet filtering based on port and destination.  Or,
of course, you can just not run 'routed' on charm, and not provide it any
default route to communicate outside your local net.  If you disable
packet forwarding to charm, just give the best MX preference to charm.
Mail from outside your campus will time out on the attempt to talk to
charm, then a second attempt will be made to talk to whistler, which will
then forward it since it can talk to charm.

If you wish to still follow your plan, and you don't mind that I can
bypass it with direct Internet addressing, here are some approaches.

One approach is to send the mail by Internet address yourself.  In
ruleset 0:

R$*<@charm.chem.sfu.ca>$*	$#tcp$@[128.189.40.1]$:$1<@charm.chem.sfu.ca>$2

A third approach, and perhaps the most flexible in the long run, is to
just install the IDA version of sendmail.  It will already do what you
want.  After it discards all the MX records it checks to see if there is
still an A record, and uses that in preference to bouncing the mail.

--
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
 Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
 Northern Illinois Univ.
 DeKalb, IL 60115                                   +1-815-753-6940
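An added illustration, not from either post: a small Python model of the RFC 974 MX selection rule that explains both symptoms in the thread (mail going straight to charm with the first zone layout, and whistler's "internal error" with the second, which IDA sendmail avoids by falling back to the A record). The MX data are Ian's two layouts; the A-record set, the sending host "outside.example." and the `ida_fallback` flag are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


# Ian's two zone layouts for charm.chem.sfu.ca., as quoted in the thread
# (constructed tables; nothing here performs a real DNS lookup).
CONFIG_A = [MX(5, "charm.chem.sfu.ca."), MX(10, "whistler.sfu.ca.")]
CONFIG_B = [MX(10, "whistler.sfu.ca."), MX(15, "charm.chem.sfu.ca.")]

# Assumed A records; only used to model the IDA sendmail fallback.
A_RECORDS = {"charm.chem.sfu.ca.", "whistler.sfu.ca."}


def mx_candidates(mx_rrs, local_host):
    """RFC 974 candidate list: order by preference; if local_host is itself
    listed as an MX, discard it and every exchange with an equal or higher
    preference value (so the local MTA never relays back to itself)."""
    ordered = sorted(mx_rrs, key=lambda rr: rr.preference)
    own = [rr.preference for rr in ordered if rr.exchange == local_host]
    if own:
        cutoff = min(own)
        ordered = [rr for rr in ordered if rr.preference < cutoff]
    return [rr.exchange for rr in ordered]


def next_hop(domain, local_host, mx_rrs, a_records, ida_fallback=False):
    """Host the MTA on local_host contacts first for mail to domain.
    None models stock sendmail's 'internal error' when no MX survives;
    ida_fallback models IDA sendmail using the A record instead."""
    cands = mx_candidates(mx_rrs, local_host)
    if cands:
        return cands[0]
    if ida_fallback and domain in a_records:
        return domain
    return None


if __name__ == "__main__":
    dom = "charm.chem.sfu.ca."
    for label, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        for sender in ("outside.example.", "whistler.sfu.ca."):
            print(label, sender, "->", next_hop(dom, sender, cfg, A_RECORDS))
    print("B whistler (IDA) ->",
          next_hop(dom, "whistler.sfu.ca.", CONFIG_B, A_RECORDS, True))
```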