At 00:22 9/8/2003 -0500, you wrote:
Shorewall is setup to only allow ports 53, 80, 25, 123, 443

FYI, on the Shorewall site, in the "contrib" directory, there is a very simple Mini-HOWTO I wrote on using Portsentry in combination with Shorewall to do dynamic, real-time blocking of Bad People [tm] who touch certain ports on your server. I highly recommend it for reducing the threat level from some types of hackers and script kiddies.


For example, on my business webserver, I absolutely 100% KNOW (with total certainty) that anyone who pokes around ports 23, 515, 631, 1080, 1433/1434, or 8080 is looking for trouble since no one in his right bloody mind would expect those ports to be open or available. So anyone who pokes even a single SYN packet at any of those ports gets instantly blackholed for three days. The three-day limitation means that any dial-up IP addresses used to poke at me don't get locked out forever, ensures that less hand-maintenance is necessary, and ensures that my iptables rules don't scale rapidly to infinity.

The host name is set to webserver1.maindomain.com and I have
mail1.maindomain.com setup in dns as the mx record for each of the
domains.

The first question I have is how can I get sendmail to use the name
mail1 instead of webserver1.

You _are_ aware that there is no technical need for this, right? I don't actually know the answer to your question, but if you're concerned about functionality, let me reassure you that there is no problem. We run about 100 small domains on one box, and everyone is told to use "mail.theirdomain.com" as SMTP/POP server. However, all mail sent from the server comes from "rita.anotherdomain.com". No one has cared yet.


I am about to mail the colo company where this server lives to request
that the reverse dns entries be added. The mail server is pretty much
the only thing that runs on the IP that it is on; call it 123.123.123.2.
There will be an SSL-enabled website on 123.123.123.1 and the Apache
vhosts running on 123.123.123.3. BTW, the master DNS server (forward) is
running on 123.123.123.3 also.

Suggest you keep the .1 address for all "his" stuff, the .2 address for all the vhosts, and the .3 for the SSL-enabled site. Why? From then on, all your SSL sites will be "from 3 to 10" and you will have less chance of error and stuffing something onto the wrong IP by mistake. However, this is just a trifle... my own personal sense of mental order. It does not matter how you order them.


Should I request that all the various names like www.domain1.com and
www.domain2.com and dns1.maindomain.com be added to the reverse mapping
for 123.123.123.3?

Good Lord, no.


For starters, that's not even possible in the sense you mean it. You _can_ have:

me.domain.com IN A 123.123.123.2
you.domain.com IN A 123.123.123.2

But you _cannot_ have:

123.123.123.2 IN PTR me.domain.com
123.123.123.2 IN PTR you.domain.com

Maybe you can do it if reverse round-robin DNS exists, but so far as I know it doesn't and, in any case, you would get a name at random from that list for every request anyway, which is not what you want. Simply set the reverse DNS to something that makes sense to YOU: 99.99% of the time, the only check that is made for reverse DNS is that it exists, not that it matches forward DNS in any way.

Again, our 100 domains run on about 30 IP addresses, and the reverse DNS on all 30 addresses is the same: "rita.otherdomain.com". No one has yet cared.


-- Rodolfo J. Paiz [EMAIL PROTECTED]
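The A-versus-PTR point made in the reply above, worked through in code. This is an added illustration, not code from the thread or from any DNS software: the two zone fragments are constructed sample data in a simplified "owner TYPE rdata" form, with several vhost names sharing 123.123.123.3 and each address carrying a single PTR that points at one host name (rita.otherdomain.com) rather than at any of the vhosts. The checker classifies each address as having no PTR, a PTR whose name resolves back to the address (forward-confirmed), or a PTR that merely exists.

```python
"""Forward (A) vs. reverse (PTR) DNS for a shared IP address.

Added illustration of the point made in the reply above, not code from the
thread. The zone data below is constructed sample data: several vhost names
share 123.123.123.3, and each address carries exactly one PTR, pointing at a
single name that need not match any of the vhosts.
"""
import ipaddress
from collections import defaultdict

# Constructed forward zone in a simplified "owner TYPE rdata" form.
FORWARD_ZONE = """
me.domain.com         A   123.123.123.2
you.domain.com        A   123.123.123.2
www.domain1.com       A   123.123.123.3
www.domain2.com       A   123.123.123.3
dns1.maindomain.com   A   123.123.123.3
rita.otherdomain.com  A   123.123.123.2
"""

# Constructed reverse zone: one PTR per address, both naming the same host.
REVERSE_ZONE = """
2.123.123.123.in-addr.arpa  PTR  rita.otherdomain.com
3.123.123.123.in-addr.arpa  PTR  rita.otherdomain.com
"""


def parse_records(zone_text):
    """Yield (owner, type, rdata) from 'owner TYPE rdata' lines; skip blanks and ';' comments."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, rdata = line.split()
        yield owner.rstrip(".").lower(), rtype.upper(), rdata.rstrip(".").lower()


def ptr_owner(ip):
    """Reverse-zone owner name for an address, e.g. 123.123.123.2 -> 2.123.123.123.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_ptr_owner(owner):
    """Inverse of ptr_owner, IPv4 only: '2.123.123.123.in-addr.arpa' -> '123.123.123.2'."""
    suffix = ".in-addr.arpa"
    if not owner.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    octets = owner[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {owner}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def build_maps(forward_text, reverse_text):
    """Return (names_by_ip, ips_by_name, ptr_names_by_ip) built from the two zones."""
    names_by_ip = defaultdict(set)
    ips_by_name = defaultdict(set)
    ptr_names_by_ip = defaultdict(set)
    for owner, rtype, rdata in parse_records(forward_text):
        if rtype == "A":
            names_by_ip[rdata].add(owner)
            ips_by_name[owner].add(rdata)
    for owner, rtype, rdata in parse_records(reverse_text):
        if rtype == "PTR":
            ptr_names_by_ip[ip_from_ptr_owner(owner)].add(rdata)
    return names_by_ip, ips_by_name, ptr_names_by_ip


def reverse_status(ip, ips_by_name, ptr_names_by_ip):
    """Classify one address:
    'missing'  no PTR at all (the case that reverse-DNS checks actually reject)
    'fcrdns'   the PTR name has an A record back to this IP (forward-confirmed)
    'exists'   a PTR is present but its name resolves elsewhere
    """
    names = ptr_names_by_ip.get(ip, set())
    if not names:
        return "missing"
    if any(ip in ips_by_name.get(name, set()) for name in names):
        return "fcrdns"
    return "exists"


def analyze(forward_text, reverse_text, extra_ips=()):
    """Status per address for every IP seen in either zone plus any extra_ips."""
    names_by_ip, ips_by_name, ptr_names_by_ip = build_maps(forward_text, reverse_text)
    ips = set(names_by_ip) | set(ptr_names_by_ip) | set(extra_ips)
    return {ip: reverse_status(ip, ips_by_name, ptr_names_by_ip) for ip in sorted(ips)}


if __name__ == "__main__":
    fwd, _, rev = build_maps(FORWARD_ZONE, REVERSE_ZONE)
    for ip, status in analyze(FORWARD_ZONE, REVERSE_ZONE, extra_ips=["123.123.123.1"]).items():
        print(f"{ip}: {len(fwd[ip])} forward name(s), PTR -> {sorted(rev[ip]) or '-'}: {status}")
```

Running it shows three names forward-mapped to 123.123.123.3 but only one PTR for that address, which is why the vhost names cannot all be "added to the reverse mapping"; it also shows that 123.123.123.3 is classified as "exists" rather than forward-confirmed, which is the situation the reply describes as having caused no complaints.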

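The tripwire-port blackholing described earlier in the reply, as an added model rather than Portsentry's or Shorewall's code. The decision logic, the Blackhole class and the constructed packet log are assumptions for illustration; the tripwire ports (23, 515, 631, 1080, 1433, 1434, 8080) and the three-day window are the ones the reply mentions. It shows why a bounded expiry keeps the rule set from growing without limit while still dropping everything from a probing source for the duration.

```python
"""Time-limited blackholing of sources that probe tripwire ports.

Added model of the Portsentry-plus-Shorewall approach described above. It is
not Portsentry's or Shorewall's code: the decision logic and the constructed
packet log are assumptions for illustration. The tripwire ports and the
three-day window are the ones the reply mentions.
"""
from dataclasses import dataclass, field

TRIPWIRE_PORTS = frozenset({23, 515, 631, 1080, 1433, 1434, 8080})
BLOCK_SECONDS = 3 * 24 * 3600  # three days


@dataclass
class Blackhole:
    """Tracks blocked source addresses with an expiry, like a periodically pruned rule chain."""
    ttl: int = BLOCK_SECONDS
    tripwires: frozenset = TRIPWIRE_PORTS
    blocked_until: dict = field(default_factory=dict)  # src_ip -> expiry (seconds)

    def expire(self, now):
        """Remove rules whose window has passed so the rule set stays bounded."""
        for ip in [ip for ip, until in self.blocked_until.items() if until <= now]:
            del self.blocked_until[ip]

    def decide(self, now, src_ip, dst_port, flags):
        """Return 'drop' or 'accept' for one packet and update state."""
        self.expire(now)
        if src_ip in self.blocked_until:
            return "drop"
        # A bare SYN (no ACK) to a tripwire port is a connection attempt: block the source.
        if dst_port in self.tripwires and "S" in flags and "A" not in flags:
            self.blocked_until[src_ip] = now + self.ttl
            return "drop"
        return "accept"

    def active_rules(self):
        return len(self.blocked_until)


# Constructed packet log: (seconds since start, source, destination port, TCP flags).
SAMPLE_PACKETS = [
    (0, "198.51.100.7", 80, "S"),                  # normal web hit
    (1, "198.51.100.7", 1433, "S"),                # probe of a port that is never open
    (2, "198.51.100.7", 80, "S"),                  # same host, now dropped even on port 80
    (3, "203.0.113.9", 443, "S"),                  # unrelated legitimate client
    (4, "203.0.113.9", 23, "A"),                   # stray ACK to a tripwire port: not a SYN
    (BLOCK_SECONDS + 1, "198.51.100.7", 80, "S"),  # window elapsed, rule expired
]


def simulate(packets, ttl=BLOCK_SECONDS):
    """Run packets through a Blackhole; return (decisions, peak_rules, final_rules)."""
    bh = Blackhole(ttl=ttl)
    decisions, peak = [], 0
    for now, src, port, flags in packets:
        decisions.append(bh.decide(now, src, port, flags))
        peak = max(peak, bh.active_rules())
    return decisions, peak, bh.active_rules()


if __name__ == "__main__":
    decisions, peak, final = simulate(SAMPLE_PACKETS)
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions):
        print(f"t={pkt[0]:>7} {pkt[1]:<14} -> :{pkt[2]:<5} {pkt[3]:<2} {verdict}")
    print(f"peak active rules: {peak}, after expiry: {final}")
```

The log uses documentation addresses (198.51.100.0/24 and 203.0.113.0/24). Only a bare SYN trips the block, so a stray ACK to port 23 is accepted; once the three-day window passes, the source is served again and the active rule count returns to zero.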

-- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED] https://www.redhat.com/mailman/listinfo/redhat-list
