qmail & dns

2000-07-31 Thread reach_prashant

Hello friends,

Sorry for asking you too many silly questions, but it's just because I want to
know more about qmail, so these questions just keep popping up.

How will qmail send a message from one domain, say [EMAIL PROTECTED], to
some other domain, say [EMAIL PROTECTED]?

When DNS comes into the picture, does qmail itself query the
authoritative DNS server for that domain, or is that the job of some other
program bundled with qmail-1.03?

Thanks once again,
with warmest regards,
Prashant Desai





qmail & DNS

2000-07-31 Thread reach_prashant




Hello guys,

Sorry for asking you too many silly questions, but it's just because I want to
know more about qmail, so these questions just keep popping up.

How will qmail send a message from one domain, say [EMAIL PROTECTED], to
some other domain, say [EMAIL PROTECTED]?

When DNS comes into the picture, does qmail itself query the
authoritative DNS server for that domain, or is that the job of some other
program bundled with qmail-1.03?

Thanks once again,
with warmest regards,
Prashant Desai





Qmail & DNS

2000-09-06 Thread Jonathan Fanti

I am setting up a mail router here at work, I realise that the box I am
running qmail on needs also to be running DNS. Is it okay for this to be
a name-caching only server with forwards to my ISP's DNS server?

TIA

Jon.



qmail & DNS

1999-08-05 Thread Simon Rae

Just a quickie.

Does qmail use resolv.conf to do its DNS lookups? If not, then what's
the process?

Simon Rae



Re: qmail & dns

2000-07-31 Thread Chris, the Young One

On Mon, Jul 31, 2000 at 11:47:49AM +0300, [EMAIL PROTECTED] wrote:
!When DNS comes into the picture, does qmail itself query the
! authoritative DNS server for that domain, or is that the job of some other
!  program bundled with qmail-1.03?

qmail-1.03 uses BIND's libresolv to do the actual resolution. See
dns.c. Most of the action occurs in the resolve() function.

---Chris K.
-- 
 Chris, the Young One |_ If you can't afford a backup system, you can't 
  Auckland, New Zealand |_ afford to have important data on your computer. 
http://cloud9.hedgee.com/ |_ ---Tracy R. Reed  
 PGP: 0xCCC6114E/0x706A6AAD |_ 



RE: qmail & dns

2000-07-31 Thread Brett Randall

Take a look at the DNS-HOWTO (linux) and read about MX records. That'll be
easier than waiting here.

Brett

Manager
InterPlanetary Solutions
http://ipsware.com/



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 31, 2000 9:48 PM
> To: [EMAIL PROTECTED]
> Subject: qmail & dns
>
>
> Hello friends,
>
> Sorry for asking you too many silly questions, but it's just because
> I want to know more about qmail, so these questions just keep popping up.
>
> How will qmail send a message from one domain, say [EMAIL PROTECTED], to
> some other domain, say [EMAIL PROTECTED]?
>
> When DNS comes into the picture, does qmail itself query the
> authoritative DNS server for that domain, or is that the job of some other
> program bundled with qmail-1.03?
>
> Thanks once again,
> with warmest regards,
> Prashant Desai
>
>




Re: Qmail & DNS

2000-09-06 Thread James Raftery

On Wed, Sep 06, 2000 at 11:35:38AM +0100, Jonathan Fanti wrote:
> I am setting up a mail router here at work, I realise that the box I am
> running qmail on needs also to be running DNS. Is it okay for this to be
> a name-caching only server with forwards to my ISP's DNS server?

Hi Jon,

The DNS server doesn't *need* to be on the same machine, but it'll be a
big help if it is. Excessive DNS latency can be a real pain.
That said, using a forwarder would work fine.


Regards,

james
-- 
James Raftery (JBR54)  -  Programmer Hostmaster  -  IE TLD Hostmaster
   IE Domain Registry  -  www.domainregistry.ie  -  (+353 1) 706 2375
  "Managing 4000 customer domains with BIND has been a lot like
   herding cats." - Mike Batchelor, on [EMAIL PROTECTED]



Re: Qmail & DNS

2000-09-06 Thread calocen.tec


Hola Jon

If you haven't a reliable connection, better use a slave DNS server on your
box.
It will fetch the DNS tables from your ISP.


- Original Message - 
From: "James Raftery" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 06, 2000 1:02 PM
Subject: Re: Qmail & DNS


> On Wed, Sep 06, 2000 at 11:35:38AM +0100, Jonathan Fanti wrote:
> > I am setting up a mail router here at work, I realise that the box I am
> > running qmail on needs also to be running DNS. Is it okay for this to be
> > a name-caching only server with forwards to my ISP's DNS server?
> 
> Hi Jon,
> 
> The DNS server doesn't *need* to be on the same machine, but it'll be a
> big help if it is. Excessive DNS latency can be a real pain.
> That said, using a forwarder would work fine.
> 
> 
> Regards,
> 
> james
> -- 
> James Raftery (JBR54)  -  Programmer Hostmaster  -  IE TLD Hostmaster
>IE Domain Registry  -  www.domainregistry.ie  -  (+353 1) 706 2375
>   "Managing 4000 customer domains with BIND has been a lot like
>herding cats." - Mike Batchelor, on [EMAIL PROTECTED]



Re: Qmail & DNS

2000-09-06 Thread Frank Tegtmeyer


> running qmail on needs also to be running DNS. Is it okay for this to be
> a name-caching only server with forwards to my ISP's DNS server?

Install dnscache on localhost. You can get it at
http://cr.yp.to/djbdns.html

Regards, Frank



Re: Qmail & DNS

2000-09-06 Thread Dave Sill

Jonathan Fanti <[EMAIL PROTECTED]> wrote:

>I am setting up a mail router here at work, I realise that the box I am
>running qmail on needs also to be running DNS.

No, it only needs *access* to the DNS (i.e., /etc/resolv.conf,
/etc/nsswitch.conf, etc.)

-Dave



Re: Qmail & DNS

2000-09-06 Thread Ken Jones

Jonathan Fanti wrote:
> 
> I am setting up a mail router here at work, I realise that the box I am
> running qmail on needs also to be running DNS. Is it okay for this to be
> a name-caching only server with forwards to my ISP's DNS server?

Sure that would work. It would also work to not forward to your
ISP's dns, but to go directly to the root servers.

If you like to experiment, try installing Dan Bernstein's
local caching dns software: 

http://cr.yp.to/djbdns

Ken Jones



qmail/dns resolution

1999-06-19 Thread Anonymous

Lame question time...

qmail stopped delivering outbound mail, and is echoing error messages like
this:

Jun 19 09:26:08 fromagerie qmail: 929798768.674689 delivery 1307:
deferral: Sorry,_I_couldn't_find_any_host_by_that_name._(#4.1.2)/ 

However, all the nameservers defined in resolv.conf on this box *are* able
to resolve this properly.  Any advice/insight would be greatly
appreciated.

Thanks,
-a



Re: qmail & DNS

1999-08-05 Thread Petr Novotny

> Does qmail use resolv.conf to do its DNS lookups? If not, then what's the
> process?

It does - at least it has to know what the nameserver's IP is! (It 
doesn't use /etc/hosts etc. but that's a different fairy-tale.)

--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
 [Tom Waits]



Re: qmail/dns resolution

1999-06-19 Thread Anonymous

Adam Rothschild wrote:
> 
> Lame question time...
> 
> qmail stopped delivering outbound mail, and is echoing error messages like
> this:
> 
> Jun 19 09:26:08 fromagerie qmail: 929798768.674689 delivery 1307:
> deferral: Sorry,_I_couldn't_find_any_host_by_that_name._(#4.1.2)/
> 
> However, all the nameservers defined in resolv.conf on this box *are* able
> to resolve this properly.  Any advice/insight would be greatly
> appreciated.

chmod o+r /etc/resolv.conf maybe?

-Mikko Hyvärinen



Re: qmail/dns resolution

1999-06-19 Thread Anonymous

On Sat, Jun 19, 1999 at 03:02:46PM +, Mikko Hyvarinen wrote:
> chmod o+r /etc/resolv.conf maybe?

Already done.

-a



Re: qmail/dns resolution

1999-06-22 Thread Anonymous

On Sat, Jun 19, 1999 at 10:27:08AM -0400, Adam Rothschild wrote:
> Lame question time...
> 
> qmail stopped delivering outbound mail, and is echoing error messages like
> this:
> 
> Jun 19 09:26:08 fromagerie qmail: 929798768.674689 delivery 1307:
> deferral: Sorry,_I_couldn't_find_any_host_by_that_name._(#4.1.2)/ 
> 
> However, all the nameservers defined in resolv.conf on this box *are* able
> to resolve this properly.  Any advice/insight would be greatly
> appreciated.

What host name is it failing on?

Greetz, Peter
-- 
| 'He broke my heart,|  Peter van Dijk |
 I broke his neck'   | [EMAIL PROTECTED] |
   nognikz - As the sun  |Hardbeat@ircnet - #cistron/#linux.nl |
 | Hardbeat@undernet - #groningen/#kinkfm/#vdh |



qmail dns related question

1999-11-01 Thread olli

On Thu, 30 Sep 1999, Dave Sill wrote:

Sorry for a noise.. I read the following in the FAQ:

Answer: The SMTP standard does not permit aliased hostnames, so qmail
has to do a CNAME lookup in DNS for every recipient host. If the
relevant DNS server is down, qmail defers the message. It will try again
soon.


Does this mean that I can't set up local (my LAN only) domain with MX set
to real dns name and I have to add non-real domain to
/var/qmail/control/locals ? 

I.e. I've mynet.org that is for masqueraded machines only & I resolve as 
vgsn.glasnet.ru. If I then write in named configs 
"mynet.org CNAME vgsn.glasnet.ru." do I have to add "mynet.org" to
/var/qmail/control/locals ?

Bye.Olli.
//System administrator of "Russia Young" internet group.

Any info around "Russia Young" & Boris Nemtsov:
http://www.rosmol.ru , http://www.nemtsov.ru , http://www.boris.nemtsov.ru




Qmail + DNS for bogus domain

1999-04-23 Thread Subba Rao

Hello all

I know this list is using Qmail with EZMLM. I am trying to install Qmail
on my system. The prerequisite for this is to have a working DNS.

My home LAN has a bogus domainname. It uses the private (10.x.x.x )
addressing scheme. Would Qmail work with a bogus domainname?
Will it translate the bogus domainname to my ISP's name?

Any experiences and advice appreciated.

Thank you in advance.

Subba Rao
[EMAIL PROTECTED]
==
Disclaimer - I question and speak for myself.








Re: qmail dns related question

1999-11-01 Thread Tomasz Papszun

On Mon, 01 Nov 1999 at 21:03:03 -0300, olli wrote:
> On Thu, 30 Sep 1999, Dave Sill wrote:
> 
> Sorry for a noise.. I read the following in the FAQ:
> 
> Answer: The SMTP standard does not permit aliased hostnames, so qmail
> has to do a CNAME lookup in DNS for every recipient host. If the
> relevant DNS server is down, qmail defers the message. It will try again
> soon.
> 
> 
> Does this mean that I can't set up local (my LAN only) domain with MX set
> to real dns name and I have to add non-real domain to
> /var/qmail/control/locals ? 
> 
> I.e. I've mynet.org that is for masqueraded machines only & I resolve as 
> vgsn.glasnet.ru. If I then write in named configs 
> "mynet.org CNAME vgsn.glasnet.ru." do I have to add "mynet.org" to
> /var/qmail/control/locals ?

If I understand your question correctly: _yes_.
Even if a DNS record for mynet.org points to your server, it (your server)
will _not_ accept mail addressed to [EMAIL PROTECTED] if mynet.org is not
present in (rcpthosts AND (locals OR virtualdomains)).

The above is a little simplified. In fact, sometimes a domain _can_ be
only in rcpthosts and not in locals nor in virtualdomains: when you agree
to be an additional MX for the domain (you accept mail for them and keep
it in your spool (not deliver to local users) when the main MX is down or
unreachable).

BTW, a domain should _not_ be in locals AND virtualdomains at the same
time, only in one of these files.

> Bye.Olli.
>   //System administrator of "Russia Young" internet group.
> 
> Any info around "Russia Young" & Boris Nemtsov:
> http://www.rosmol.ru , http://www.nemtsov.ru , http://www.boris.nemtsov.ru

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
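The acceptance rule from the reply above, turned into a check over a qmail control directory (an added example, not code from the thread or from qmail). The function names and the `backup.example` / `both.example` domains are made up for illustration, the sample files are constructed, and a missing `locals` file is treated as empty here, whereas qmail falls back to `control/me`.

```python
import os
import tempfile


def read_control(ctl, name):
    """Entries of control/<name>, lower-cased; None when the file is absent."""
    try:
        with open(os.path.join(ctl, name)) as fh:
            lines = [ln.strip().lower() for ln in fh]
    except FileNotFoundError:
        return None
    return [ln for ln in lines if ln and not ln.startswith("#")]


def matches(domain, entries):
    """Exact entry, or a leading-dot wildcard such as '.example.org'."""
    if domain in entries:
        return True
    return any(domain[i:] in entries for i, ch in enumerate(domain) if ch == ".")


def virtual_keys(ctl):
    """Domain keys of virtualdomains; per-address 'user@domain' keys are skipped."""
    keys = (ln.split(":", 1)[0] for ln in read_control(ctl, "virtualdomains") or [])
    return {k for k in keys if "@" not in k}


def classify(ctl, domain):
    """What happens to SMTP mail for `domain` from a client without RELAYCLIENT."""
    domain = domain.lower()
    rcpt = read_control(ctl, "rcpthosts")
    # No rcpthosts file at all means qmail-smtpd accepts every recipient domain.
    accepted = rcpt is None or matches(domain, set(rcpt))
    is_local = domain in set(read_control(ctl, "locals") or [])
    is_virtual = matches(domain, virtual_keys(ctl))
    if is_local and is_virtual:
        return "conflict"       # listed in both delivery files
    if not accepted:
        return "rejected"       # qmail-smtpd refuses the RCPT
    if is_local:
        return "local"
    if is_virtual:
        return "virtual"
    return "relay-only"         # queued and sent onward: the additional-MX case


def audit(ctl):
    """Findings for a control directory, as a list of strings."""
    findings = []
    if read_control(ctl, "rcpthosts") is None:
        findings.append("rcpthosts is missing: qmail-smtpd accepts mail for any domain")
    handled = set(read_control(ctl, "locals") or []) | virtual_keys(ctl)
    for dom in sorted(d for d in handled if not d.startswith(".")):
        state = classify(ctl, dom)
        if state == "conflict":
            findings.append(f"{dom}: listed in both locals and virtualdomains")
        elif state == "rejected":
            findings.append(f"{dom}: delivered here but absent from rcpthosts")
    return findings


def make_sample():
    """Write a constructed control directory to a temp dir and return its path."""
    ctl = tempfile.mkdtemp(prefix="qmail-control-")
    sample = {
        "rcpthosts": "vgsn.glasnet.ru\nbackup.example\nboth.example\n",
        "locals": "vgsn.glasnet.ru\nmynet.org\nboth.example\n",
        "virtualdomains": "both.example:alias-both\n",
    }
    for name, body in sample.items():
        with open(os.path.join(ctl, name), "w") as fh:
            fh.write(body)
    return ctl


if __name__ == "__main__":
    ctl = make_sample()
    for dom in ("vgsn.glasnet.ru", "mynet.org", "backup.example", "both.example"):
        print(f"{dom:18} {classify(ctl, dom)}")
    print("\n".join(audit(ctl)))
```

In the sample, `mynet.org` is in `locals` but not in `rcpthosts`, so locally injected mail is delivered while SMTP clients are refused.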



qmail, DNS, and relaying for a hidden host

1999-03-17 Thread Greg Owen {gowen}

I'm quoting Timothy Mayo from his March 2 message titled "Re: DNS &
/etc/hosts"

>No, qmail does NOT use the resolver.  Yes it makes direct DNS requests.
...
>qmail NEVER uses /etc/hosts, period.  It only uses DNS, regardless of how
>you have set up your resolver.  The only way to override the use of DNS is
>by using /var/qmail/control/smtproutes.

How does Qmail act as an outbound relay for a host who is not listed in
DNS?

I'm setting up a network which has two Qmail mail relays on the DMZ, and
the mail server (mail store) on the internal network.  The firewall allows
the mail store to talk to the mail relays (and vice versa), and the mail
relays to talk to the Internet (and vice versa).

The mail relays are in DNS with MX values of 10 and 20.

The mail store is not listed in Internet-accessible DNS, a standard
security precaution.  The mail relays use our ISP's DNS servers for all
their resolution.  Our ISP hosts our primary and secondary DNS servers as
far as the Internet is concerned; our internal network has its own "primary"
and "secondary" which provide DNS for internal hosts and which slave to the
ISP's DNS servers for all else (as allowed by the firewall).

When the internal host tried to send out via the relay (Yes, I've got
RELAYCLIENT set via tcpserver), the relay complained that it couldn't find
the mail store in DNS and therefore wouldn't accept the mail (I don't have a
copy of the exact error message, but can get it if that makes a difference).
Adding the internal mail store machine to /etc/hosts didn't help (as
Timothy's message above would indicate).

So what's the solution for this?

1) Add the mail store to Internet-available DNS?  Security guidelines
say not to do this, in order to deny information to attackers, but that's
always seemed a pretty weak argument to me (once someone is in a position to
use the information, they're in a position to gather the information pretty
easily).

2) Set the firewall to allow the mail relays to query the INTERNAL DNS
servers, which will know about this host and will forward other requests
back out the firewall to the ISP's DNS server?  Seems inefficient, and
presumably is as bad or worse than #1 security wise (cracker need only break
DMZ to get all DNS info, as opposed to breaking onto the internal network).

3) Set up a forwarding DNS server on the DMZ which knows about the
internal mail store, but doesn't pass that info on to the Internet?

4) Entering a [dotted quad] into smtproutes fixes this on the inbound
relay case.  Is there a similar fix for the outbound relay case?

5) Everything else I haven't thought of ;>


Surely I can't be the only one who's tried this.  How do the rest of you
handle this?

Any help you can give is appreciated.  I've got two weeks or more before
this system needs to go live, so I can take the time to do the "right"
solution rather than the expedient solution.

--
gowen -- Greg Owen -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]

Please note my new [EMAIL PROTECTED] address which will
become my default address in March, and which works now.



Re: qmail, DNS, and relaying for a hidden host

1999-03-18 Thread Robin Bowes

Greg Owen {gowen} wrote:

> How does Qmail act as an outbound relay for a host who is not listed in
> DNS?
> 
> I'm setting up a network which has two Qmail mail relays on the DMZ, and
> the mail server (mail store) on the internal network.  The firewall allows
> the mail store to talk to the mail relays (and vice versa), and the mail
> relays to talk to the Internet (and vice versa).

Greg,

Check out the O'Reilly book "Building Internet Firewalls" (? may be
slightly wrong title).  It has a lot of useful suggestions which may
help you.

I have a similar setup, ie mail is received by a "bastion host" on our
perimeter network (DMZ) and forwarded to the internal mail host on our
internal network through a router doing address translation, ie the
internal network uses 172.16.x.

I actually use QMQP to transfer mail from the bastion host to the
internal mail host.  The bastion host runs qmail-smtpd to receive
incoming mail, and uses qmail-qmqpc to send it all through the firewall
to the internal mail host.  No mail is delivered locally on the bastion
host; all locally generated system mail is delivered to the internal
mail host.

I don't bother using the bastion host as an outgoing relay; I send all
mail direct from the internal mail host.  There's not really much more
of a security risk since you only have to open up the router for
outgoing packets (from what I can gather).  Though it wouldn't be too
much trouble allowing the internal machine to use the bastion host as an
outgoing relay as the bastion host uses the "internal" DNS ie as
specified in resolv.conf.


> 1) Add the mail store to Internet-available DNS?  Security guidelines
> say not to do this, in order to deny information to attackers, but that's
> always seemed a pretty weak argument to me (once someone is in a position to
> use the information, they're in a position to gather the information pretty
> easily).

Nope.

> 
> 2) Set the firewall to allow the mail relays to query the INTERNAL DNS
> servers, which will know about this host and will forward other requests
> back out the firewall to the ISP's DNS server?  Seems inefficient, and
> presumably is as bad or worse than #1 security wise (cracker need only break
> DMZ to get all DNS info, as opposed to breaking onto the internal network).

This is what I do.

> 
> 3) Set up a forwarding DNS server on the DMZ which knows about the
> internal mail store, but doesn't pass that info on to the Internet?

Nope.  You seem to be confusing DNS server and DNS client.  You can
specify that the bastion host uses the internal DNS to resolve names for
its own processes and run a DNS server on the same box containing
completely different information.
 
> 4) Entering a [dotted quad] into smtproutes fixes this on the inbound
> relay case.  Is there a similar fix for the outbound relay case?

Why not send outgoing mail directly?

R.
-- 
Two rules to success in life: 
  1. Don't tell people everything you know.
 -- Sassan Tat



Re: qmail, DNS, and relaying for a hidden host

1999-03-17 Thread Greg Owen {gowen}

>How does Qmail act as an outbound relay for a host who is not listed in
>DNS?

Ah, I think I just found my answer, on the qmail home page.

"Dan Bernstein noted that qmail will skip dns queries for incoming mail with
tcpserver -Hl your.host.name; and you can skip them for outgoing mail with
control/smtproutes."

I'll go check the tcpserver documentation, and if that doesn't clear it
up I'll post any further questions.

Sorry about that -- I searched the mailing list and the FAQ before
posting, but didn't check the front qmail page.  Maybe this should be in the
FAQ?

--
gowen -- Greg Owen -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]

Please note my new [EMAIL PROTECTED] address which will
become my default address in March, and which works now.



Re: qmail, DNS, and relaying for a hidden host

1999-03-17 Thread Timothy L. Mayo

How are you starting qmail-smtpd?  Are you using tcpserver or inetd?  What
is the command syntax you use for what you use?

One possible solution, set up an outbound only relay machine in the DMZ
that only accepts SMTP connections from your mail store machine and does
not perform any DNS lookups on the IP connection.  This can be done with
tcpserver quite easily.

On Wed, 17 Mar 1999, Greg Owen {gowen} wrote:

> I'm quoting Timothy Mayo from his March 2 message titled "Re: DNS &
> /etc/hosts"
> 
> >No, qmail does NOT use the resolver.  Yes it makes direct DNS requests.
> ...
> >qmail NEVER uses /etc/hosts, period.  It only uses DNS, regardless of how
> >you have set up your resolver.  The only way to override the use of DNS is
> >by using /var/qmail/control/smtproutes.
> 
> How does Qmail act as an outbound relay for a host who is not listed in
> DNS?
> 
> I'm setting up a network which has two Qmail mail relays on the DMZ, and
> the mail server (mail store) on the internal network.  The firewall allows
> the mail store to talk to the mail relays (and vice versa), and the mail
> relays to talk to the Internet (and vice versa).
> 
> The mail relays are in DNS with MX values of 10 and 20.
> 
> The mail store is not listed in Internet-accessible DNS, a standard
> security precaution.  The mail relays use our ISP's DNS servers for all
> their resolution.  Our ISP hosts our primary and secondary DNS servers as
> far as the Internet is concerned; our internal network has its own "primary"
> and "secondary" which provide DNS for internal hosts and which slave to the
> ISP's DNS servers for all else (as allowed by the firewall).
> 
> When the internal host tried to send out via the relay (Yes, I've got
> RELAYCLIENT set via tcpserver), the relay complained that it couldn't find
> the mail store in DNS and therefore wouldn't accept the mail (I don't have a
> copy of the exact error message, but can get it if that makes a difference).
> Adding the internal mail store machine to /etc/hosts didn't help (as
> Timothy's message above would indicate).
> 
> So what's the solution for this?
> 
> 1) Add the mail store to Internet-available DNS?  Security guidelines
> say not to do this, in order to deny information to attackers, but that's
> always seemed a pretty weak argument to me (once someone is in a position to
> use the information, they're in a position to gather the information pretty
> easily).
> 
> 2) Set the firewall to allow the mail relays to query the INTERNAL DNS
> servers, which will know about this host and will forward other requests
> back out the firewall to the ISP's DNS server?  Seems inefficient, and
> presumably is as bad or worse than #1 security wise (cracker need only break
> DMZ to get all DNS info, as opposed to breaking onto the internal network).
> 
> 3) Set up a forwarding DNS server on the DMZ which knows about the
> internal mail store, but doesn't pass that info on to the Internet?
> 
> 4) Entering a [dotted quad] into smtproutes fixes this on the inbound
> relay case.  Is there a similar fix for the outbound relay case?
> 
> 5) Everything else I haven't thought of ;>
> 
> 
> Surely I can't be the only one who's tried this.  How do the rest of you
> handle this?
> 
> Any help you can give is appreciated.  I've got two weeks or more before
> this system needs to go live, so I can take the time to do the "right"
> solution rather than the expedient solution.
> 
> --
> gowen -- Greg Owen -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]
> 
> Please note my new [EMAIL PROTECTED] address which will
> become my default address in March, and which works now.
> 
> 

-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.  http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810- Phone
(412) 810-8886 Fax



Re: qmail, DNS, and relaying for a hidden host

1999-03-22 Thread Greg Owen {gowen}


On Wed, 17 Mar 1999, Greg Owen {gowen} wrote:
> > How does Qmail act as an outbound relay for a host who is not listed
> > in DNS?
> 
> Ah, I think I just found my answer, on the qmail home page.
> 
> "Dan Bernstein noted that qmail will skip dns queries for incoming mail with
> tcpserver -Hl your.host.name; and you can skip them for outgoing mail with
> control/smtproutes."
> 
> I'll go check the tcpserver documentation, and if that doesn't clear it
> up I'll post any further questions.

Okay, I've gotten to the bottom of my problem, and here's what
I've done to fix the problem.

First of all, the DNS lookup that was failing was not on the
bastion host, but at the final recipient, which looked up the header From:
and couldn't find the host.  But the only reason the host was on that line
and not the domain (which resolves just fine, thank you very much) was
that I sent my mail from 'root', which is on sendmail's "don't masquerade
this user" list.  Sending from normal users works just fine, because their
"From:" header uses "[EMAIL PROTECTED]" rather than
"[EMAIL PROTECTED]", where "mailhost" is the internal mail server
not found under DNS.

Presumably the "RELAYCLIENT" setting of tcp wrappers was
satisfying qmail, and I just misread the logs the first time around.

Secondly, by using tcp wrappers control file (/etc/tcp.smtp.cdb),
I'm now setting TCPREMOTEHOST and TCPREMOTEIP to values that do not give
away information about our internal layout.  This changes the "Received"
lines on the mail.  So, mail actually comes from "mailhost.scansoft.com"
at 4.17.150.119, but the headers say it came from "mail.scansoft.com" at
"192.168.0.1" (an RFC address).  The only thing these mail headers are
used for is debugging, and debugging the steps that include these hosts is
only usefully done by us, so presumably this won't mess things up.

Sendmail on the interior host also munges to use
"mail.scansoft.com" in the "Received" headers.

This means mail from non-masquerading users (root and daemon) may
never get delivered if final hosts try to match the name, but frankly,
mail to the outside world should be by accountable users only.

All this achieves my goal of sending mail from an internal host
not listed in DNS without having to reveal information about that internal
host.

Can anyone let me know if munging the Received headers in a
controlled way like this breaks anything?  I wouldn't think so from my
knowledge of most mail systems, but you never know...

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED] -- [EMAIL PROTECTED]

Please note my new [EMAIL PROTECTED] address which will
become my default address in March, and which works now.
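A checker for the kind of rules file the post above describes, as an added example that is not Greg Owen's configuration. The rule lines are constructed from the host names and addresses quoted in the post and written in tcprules source syntax; the function names and the `127.` rule are assumptions.

```python
import re

# ,VAR=<delim>value<delim>  (tcprules accepts any repeated character as the quote)
ENV_RE = re.compile(r',([A-Za-z_][A-Za-z0-9_]*)=(.)(.*?)\2')

# Constructed sample: the mail store may relay and is recorded under the
# public name; every other client gets a plain allow and is held to rcpthosts.
SAMPLE_MASKED = '''\
# constructed sample of a tcp.smtp rules source file
4.17.150.119:allow,RELAYCLIENT="",TCPREMOTEHOST="mail.scansoft.com",TCPREMOTEIP="192.168.0.1"
127.:allow,RELAYCLIENT=""
:allow
'''

# Constructed weak variant: the default rule hands RELAYCLIENT to every client.
SAMPLE_OPEN = ':allow,RELAYCLIENT=""\n'


def parse_rules(text):
    """Parse rule lines into (address, action, env) tuples; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        action = "allow" if instruction.startswith("allow") else "deny"
        env = {m.group(1): m.group(3) for m in ENV_RE.finditer(instruction)}
        rules.append((address, action, env))
    return rules


def relay_clients(text):
    """Addresses whose rule sets RELAYCLIENT, i.e. clients exempt from rcpthosts."""
    return [addr for addr, action, env in parse_rules(text)
            if action == "allow" and "RELAYCLIENT" in env]


def audit(text):
    """Findings worth a second look before the rules are compiled to a cdb."""
    findings = []
    for address, action, env in parse_rules(text):
        if action != "allow":
            continue
        who = address or "<default>"
        if address == "" and "RELAYCLIENT" in env:
            findings.append(
                f"{who}: RELAYCLIENT on the default rule, rcpthosts is ignored for every client")
        masked = sorted(k for k in ("TCPREMOTEHOST", "TCPREMOTEIP") if k in env)
        if masked:
            findings.append(
                f"{who}: overrides {', '.join(masked)}, Received: shows the configured value")
    return findings


if __name__ == "__main__":
    for name, text in (("masked", SAMPLE_MASKED), ("open", SAMPLE_OPEN)):
        print(name, relay_clients(text))
        for finding in audit(text):
            print("  ", finding)
```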