Hi Sandy,
OK, I've got recursion back on, so now I get email again. I hate to think
how many complaints I'm going to have in the morning. Fortunately, most of
our clients aren't as aggressive as I am in deleting spam based on rating.
I understand what you're saying, and I thank you for the explanation. I'm
not really anxious to get into SimpleDNS (and I've read enough complaints
about BIND to be cautious), first because of cost and, second, because it's
one more complication. However, I was thinking about something else I read
here.
There was some discussion about running a cache-only DNS server for
IMail/Declude. I didn't read most of the thread, and I never saw how to
make the DNS serve cache only, but I was thinking that if I had a cache-only
server that is only available to the mail server, then I can leave
recursion on for it and it won't matter, because it wouldn't be available to
the public. I can then turn off the recursion feature on the public DNS
servers. What do you think?
Thanks again,
Ben
----- Original Message -----
From: "Sanford Whiteman" <[EMAIL PROTECTED]>
To: "IMail Admin" <Declude.JunkMail@declude.com>
Sent: Saturday, April 01, 2006 12:06 AM
Subject: Re: [Declude.JunkMail] recursion turned off causes higher JM scores?
That's when the JM scores got so high. I'm testing a different
config now: allow recursion on the Forwarders tab, but disable it on
the Advanced tab. I won't know if this works until I get some
messages. In the meanwhile, can anyone explain this to me?
You _must_ allow recursion for the Declude server, or it will not be
able to resolve zones for which it is not authoritative (i.e. every
domain you do not own).
You do not need to allow recursion for the wild Internet, however.
But MS DNS has a weakness (not a security weakness exactly, but more
of a functional one) in that recursion is either on or off, globally,
for the DNS service. This means that if you are hosting authoritative
zones on the box, and thus need to expose the box to the outside
world, and that same box is providing recursive DNS to internal
servers or users, then you are effectively providing recursive DNS to
the outside world as well (if someone should choose to abuse you for
this purpose).
The way around this is to use SimpleDNS or BIND on the server you
expose to the outside, which both have means of limiting recursion
without completely disabling it. The simplest install, to my mind,
without a full migration off MS DNS (a full migration causing soluble,
but unfun, issues in AD domains), is to run SimpleDNS and MS DNS on
the same box by binding each one to a different IP. Expose SimpleDNS
without recursion and make it a secondary for the authoritative zones.
Keep MS DNS as your primary and as your internal recursive DNS. Done.
--Sandy
------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]
SpamAssassin plugs into Declude!
http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/
Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail
Aliases!
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
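Sandy's split setup (BIND bound to its own IP, recursion limited by ACL, secondary for the authoritative zones) and Ben's cache-only variant, sketched as a BIND named.conf. This is an added example, not configuration from the thread; every address and the zone name are assumed placeholders.

```conf
// Constructed named.conf for the public-facing BIND instance described above.
// Assumed addresses (documentation ranges, not from the thread):
//   203.0.113.5  = public IP this BIND instance listens on
//   192.0.2.1    = MS DNS (primary for the zones, internal recursive resolver)
//   192.0.2.10   = the IMail/Declude mail server
acl "mailservers" { 192.0.2.10; };
acl "internal"    { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";           // adjust for the platform
    listen-on { 203.0.113.5; };       // bind only to this IP; MS DNS keeps its own
    listen-on-v6 { none; };

    // Recursion stays enabled in the service, but the ACL limits who may use it.
    recursion yes;
    allow-recursion   { mailservers; internal; };
    allow-query-cache { mailservers; internal; };

    // Anyone may ask for the zones this server is authoritative for.
    allow-query { any; };
    allow-transfer { none; };         // zone transfers only where explicitly needed
};

// Secondary for each authoritative zone; MS DNS remains the primary.
zone "example.com" {
    type secondary;                   // "type slave;" and "masters" on BIND < 9.16
    primaries { 192.0.2.1; };
    file "secondary/example.com.db";
};

// Ben's cache-only variant is this same file with listen-on set to an
// internal IP, allow-recursion { mailservers; }, and no zone stanzas
// (BIND's built-in root hints are enough for a plain resolver).
```

To confirm the public instance is not an open resolver, query it from an outside host for a name it is not authoritative for (`dig @203.0.113.5 example.net A`): the expected status is REFUSED, while `dig @203.0.113.5 example.com SOA` still answers and the same lookup from 192.0.2.10 recurses normally.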