On Sun, May 29, 2011 at 12:50:50PM +0100, Ronald MacDonald wrote:
> Hello,
>
> Just been having a look through my config. I've an obscure
> case, where I've added a domain to the alias/lookup tables but
> the customer has not yet changed her DNS settings.
>
> In this case, when I'm waiting for a client to update DNS, I
> still need to be able to get in touch with them.

You'll also have the same problem when a client changes DNS to a new provider without telling you. Hopefully that doesn't happen too often :-)

This is a classic problem for service providers. The classic answer is to have separate instances for MSA and MX.

(copy-n-paste from a blurb I've already written)

MX receives mail from the Internet for local domains only. It binds to port 25 only. It needs access to the mail spool, and the list of user e-mails, but not auth info. It probably needs to run AS/AV software to protect your users.

MSA receives mail from authenticated clients only, with any destination address. It doesn't need to bind to port 25, it does not need to have any local domains at all, and it does not need to access the backend mail spool. It just needs to have access to the database of users with auth info in order to authorize users to relay. Anti-spam and antivirus are only in order to prevent your users from annoying the world, and as such it should have lots less hits than the MX. You could watch it more closely (every hit is an incident) or simply turn it off, it depends on your user base.

POP/IMAP is usually different software, and needs access to the mail spool and to the database of users.

(end copy-n-paste)

In a small setup, all three can run on a single machine. The only problem is that MSA might balk if the MX for the destination domain is the same IP as the one the MSA is running on. In a bigger setup, you'd have several separate machines for each function.

The same basic reasons lead service providers to have separate authoritative and resolving name servers.

Hope this helps!
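
The routing difference described in the message above, as an added example that is not part of the original thread: it audits hosted domains against what DNS currently says and shows where a combined server and a separate MSA would each send the same message. All host names, domains and MX answers are constructed, and the function names are hypothetical; a live version would fill `MX_ANSWERS` from real MX lookups.

```python
# Added example: constructed data, hypothetical names; not from the thread.

def norm(host):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return host.rstrip(".").lower()

def mx_targets(domain, answers):
    """MX hosts DNS gives for domain, best first; None means the lookup failed."""
    records = answers.get(norm(domain))
    if records is None:
        return None
    # No MX record: the domain itself is the implicit MX (RFC 5321, 5.1).
    return [norm(h) for _, h in sorted(records)] or [norm(domain)]

def classify(domain, answers, our_mx):
    """Does DNS for a hosted domain really point at our MX hosts?"""
    targets = mx_targets(domain, answers)
    if targets is None:
        return "unresolvable"
    ours = [t for t in targets if t in our_mx]
    if len(ours) == len(targets):
        return "ours"
    return "split" if ours else "elsewhere"

def next_hop(rcpt, local_domains, answers):
    """Where an instance sends mail: its own spool for a local domain, else the best MX."""
    domain = norm(rcpt.rsplit("@", 1)[1])
    if domain in local_domains:
        return "local spool"
    targets = mx_targets(domain, answers)
    return targets[0] if targets else "defer"

OUR_MX = {"mx1.provider.example"}
HOSTED = {"settled.example", "pending.example", "gone.example", "nomx.example"}
MX_ANSWERS = {  # constructed (preference, host) answers; gone.example fails to resolve
    "settled.example": [(10, "MX1.Provider.Example.")],
    "pending.example": [(20, "backup.oldhost.example."), (10, "mail.oldhost.example.")],
    "nomx.example": [],
}

def audit():
    """Status of every hosted domain according to current DNS."""
    return {d: classify(d, MX_ANSWERS, OUR_MX) for d in sorted(HOSTED)}

if __name__ == "__main__":
    for domain, status in audit().items():
        print(f"{domain:18} {status}")
    rcpt = "owner@pending.example"
    print("combined server ->", next_hop(rcpt, HOSTED, MX_ANSWERS))
    print("separate MSA    ->", next_hop(rcpt, set(), MX_ANSWERS))
```

Domains reported as `elsewhere` or `split` are the ones where a combined server would keep mail in its own spool while the customer still reads mail at another provider.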