On 23.08.2017 at 22:59, Tom Browder wrote:
On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder <[email protected]> wrote:
...
I have a single remote server with one IP address (142.54.186.2) I am using
it to host multiple, independent domains. I am working on configuring a
single postfix instance to serve mail for all domains (assuming I can
successfully rewrite appropriate parts of mail in and out).
Given such a configuration described in the first paragraph, does the
following set of DNS records for a domain look appropriate:
Based on all the comments, I've modified the OP list to this:
# For each domain X.TLD:
X.TLD. IN A 142.54.186.2.
*.X.TLD. IN CNAME X.TLD.
X.TLD. IN MX 10 X.TLD.
X.TLD. IN TXT "v=spf1 mx ?all"
How's that set?
terrible - the wildcard would allow forged mail with "@a.x.tld",
"@b.x.tld" and so on and the "?all" SPF is completely useless
why is it important to not allow random hostnames?
because you should have SPF records for every valid hostname
http://www.openspf.org/FAQ/Common_mistakes
http://www.openspf.org/FAQ/Common_mistakes#helo
arrakis.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
prometheus.thelounge.net. 86399 IN SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
otherwise only @example.com *itself* is protected from forging, our
homegrown DNS backend automatically publishes SPF records for every
hostname in every domain
also avoid "v=spf1 mx" - why?
because it's a useless DNS lookup on the receiver
publish IP addresses whenever possible - the connecting IP is known for
free, the MX is not relevant on the destination server when receiving
email as long as you force the lookup by careless SPF records
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
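As an added illustration (not part of the thread), a toy SPF evaluator over a constructed zone that shows the difference the reply describes: the wildcard CNAME plus "?all" lets any made-up sub-hostname of x.tld evaluate to neutral from any IP, while a per-host record ending in "-all" gives a hard fail. The ZONE table, the lookup resolver, check_spf and the IP 203.0.113.5 are assumptions standing in for real DNS and a real sender.

```python
import ipaddress

# Constructed stand-in for DNS (assumption, not live data): name -> rrsets.
# x.tld mirrors the OP's proposed records; arrakis mirrors the per-host record from the reply.
ZONE = {
    "x.tld": {"A": ["142.54.186.2"], "MX": ["x.tld"], "TXT": ["v=spf1 mx ?all"]},
    "*.x.tld": {"CNAME": "x.tld"},
    "arrakis.thelounge.net": {
        "A": ["91.118.73.10"],
        "TXT": ["v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"],
    },
}

def lookup(name, rtype, depth=0):
    """Toy resolver: exact match, then one-label wildcard, then CNAME chasing."""
    host = name.lower().rstrip(".")
    rrset = ZONE.get(host)
    if rrset is None and "." in host:
        rrset = ZONE.get("*." + host.split(".", 1)[1])  # *.x.tld catches a.x.tld, b.x.tld, ...
    if rrset is None:
        return []
    if "CNAME" in rrset and depth < 3:
        return lookup(rrset["CNAME"], rtype, depth + 1)
    return rrset.get(rtype, [])

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain):
    """Evaluate domain's SPF record against the connecting IP (ip4, a, mx, all only)."""
    records = lookup(domain, "TXT")
    if not records:
        return "none"          # no record at all: receiver cannot judge the sender
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUAL else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUAL[qual]  # "?all" -> neutral, "-all" -> fail
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUAL[qual]
        if name == "a" and ip in lookup(arg or domain, "A"):
            return QUAL[qual]
        if name == "mx":       # extra lookups the receiver must do, as the reply points out
            for mx in lookup(arg or domain, "MX"):
                if ip in lookup(mx, "A"):
                    return QUAL[qual]
    return "neutral"
```

Running check_spf("203.0.113.5", "a.x.tld") returns "neutral" for a sub-hostname that was never defined, whereas the same IP against arrakis.thelounge.net returns "fail".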