Re: [qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
I think you are right, Eric. What I do for my main box is have the caching nameserver on it and use as forwarders the defaults that came with the caching name server (djbdns), plus the name servers of my ISP (the box is COLO, so even that is really fast when it comes to lookups). Those also are the authoritative ones for my domains. I have always had great experience when splitting caching and auth name servers.

Martin

--
Martin Waschbüsch IT-Dienstleistungen
Lautensackstr. 16
80687 München
Telefon: +49 89 57005708
Fax: +49 89 57868023
Mobil: +49 170 2189794
mar...@waschbuesch.de
http://martin.waschbuesch.de

On 14.02.2011 at 20:58, Eric Shubert wrote:

> Hey Marek,
>
> Using Bind is fine, but using a single server/process for both authoritative and resolver purposes is not a good practice. It can be done, but I would try very hard to keep them separate before endeavoring to put them together. It can be done, but it's a bit tricky to do well (accurately and securely). If at all possible, I would use an authoritative DNS server that's external to QMT, then simply install the caching-nameserver package on QMT to use as a resolver. You should also modify the resolver's configuration to use forwarders, but that's not absolutely necessary. The caching-nameserver configuration should work OK as is.
>
> Martin, do you have anything to add? (Sorry for jumping in again)
>
> --
> -Eric 'shubes'
>
> On 02/14/2011 12:14 PM, d...@demod.pl wrote:
>
>> Thank you for the advice. I think I must learn much more about DNS than I thought before I wrote these emails. I'm using BIND (named). Yes, it's an authoritative DNS server and I think it's a local resolver. Now I understand it's wrong practice? Now I'm going to try to apply your advice and read something more about DNS servers. I will let you know about my progress.
>>
>> regards
>> Marek
>>
>> ----- Original Message -----
>> From: Eric Shubert e...@shubes.net
>> To: qmailtoaster-list@qmailtoaster.com
>> Sent: Monday, February 14, 2011 4:24 PM
>> Subject: [qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
>>
>>> I agree wholeheartedly with Martin (whatever that's worth). Two key questions which haven't been answered yet by Marek:
>>> 1) which software is he using (bind or djbdns)
>>> 2) is he using the local resolver as an authoritative DNS server as well? (I would hope not, but you never know.)
>>>
>>> I gotta chuckle regarding Marek's name, as there is a commercial email server called Marek Mail. :)
>>>
>>> Thanks, Martin. I'll let you finish up with this one.
>>>
>>> --
>>> -Eric 'shubes'
>>>
>>> On 02/14/2011 01:39 AM, Martin Waschbüsch wrote:
>>>
>>>> Seeing as it does not work right now, I don't know where the servers are listed on his system. Clearly there must be some configuration issue. But at the same time, IMHO it is the best solution to ensure there is a properly configured local DNS server. Such a local DNS server has a config where you can list forwarding DNS servers, and that is where his name servers should be configured.
>>>>
>>>> Imagine resolv.conf lists the two outside DNS servers directly. Let's assume that the first entry (which will be queried first) is down. Although the system tries to send 50 individual mails to some...@googlemail.com, the mail server will experience a timeout for the first name server and only then query the secondary server. All that happens 50 times(!)
>>>>
>>>> Now, if you have a working caching DNS server, as soon as the first timeout happened and the secondary DNS server was queried, the local server has the DNS entry stored and the remaining 49 messages do not encounter any timeout at all.
>>>>
>>>> Martin
>>>>
>>>> On 14.02.2011 at 09:06, Tony White wrote:
>>>>
>>>>> Hi,
>>>>> So what/where are the two DNS servers Marek says he is using?
>>>>>
>>>>> On 14/02/2011 7:02 PM, Martin Waschbüsch wrote:
>>>>>
>>>>>> That is not correct! If localhost runs a caching DNS server, it will fetch DNS information from forwarding DNS servers, which can be the ISP's, Google's, whatever. The whole point of having a local caching DNS server is that it not only takes care of using all DNS servers it knows about to fetch data, but also stores that data and prevents DNS-lookup-heavy applications (like e-mail servers) from generating lots of additional traffic and overhead. So, if Marek runs a local DNS server and still gets problems, then we need to look at that config. If not, he really should install a caching DNS server (named, djbdns, etc.). In any case, resolv.conf is just fine only pointing to the local server.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> On 14.02.2011 at 07:59, Bruno De
Re: [qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
Exactly, for djbdns, I have (in /var/djbdns/dnscache/root/servers/@):

80.254.130.4
80.254.140.9
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
198.41.0.10
193.0.14.129
198.32.64.12
202.12.27.33

The first two are the ones of my ISP. The rest came with the djbdns config and can be extended to use whatever else you want to add. This way, too, the local box will get answers for DNS requests from the first server that responds.

Martin

On 15.02.2011 at 02:23, Eric Shubert wrote:

> On 02/14/2011 01:57 PM, Scott Hughes wrote:
>
>> I use a caching name server on my QMT server. Here is what I have in my /etc/resolv.conf file:
>>
>> nameserver 127.0.0.1
>> nameserver 4.2.2.3
>> nameserver 4.2.2.4
>>
>> This way if it does not resolve it locally, it will resolve it using one of the other DNS servers listed. Once it is resolved once, my local server will hold onto it for a period of time so that future look-ups will be faster.
>
> I don't believe that's quite right, Scott. I believe it will only cache hits that are satisfied by the localhost (127.0.0.1) resolver. I think it would be better to specify forwarders in the named.conf file. Then, indeed, hits from alternate resolvers would be cached. This is what I have in my named.conf:
>
> //
> // named.conf
> //
> options {
>         forward first;
>         forwarders {
>                 205.171.3.25;
>                 208.67.222.220;
>                 205.171.2.25;
>                 208.67.222.222;
>         };
> };
> logging {
>         category lame-servers { null; };
> };
>
> These IPs are for my ISP (Qwest) and OpenDNS. I think that by specifying forwarders, it relieves some stress on the root name servers, which is a good thing. Martin, am I off base on this? I could be.
>
>> Hope this helps.
>> Scott
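The resolver layout the thread recommends, as an added example (not code from the list or the qmailtoaster project): a POSIX shell check that /etc/resolv.conf points only at the local caching resolver and that the upstream servers sit in the resolver's own forwarder list, reading both the dnscache root/servers/@ layout Martin shows and the named.conf forwarders block Scott shows. The sample files it writes are constructed for the demo; only the addresses already on the page are used.

```shell
#!/bin/sh
# Added example (not code from the qmailtoaster list or project). It checks the
# resolver layout the thread recommends: resolv.conf points only at the local
# caching resolver, and the upstream servers live in that resolver's forwarder
# list (BIND "forwarders { ... };" or dnscache root/servers/@). With remote
# servers in resolv.conf instead, a dead first entry costs a full timeout on
# every lookup, which is the 50-mails case Martin describes.

# Return 0 if FILE names 127.0.0.1 as its only nameserver; otherwise print
# what is wrong and return 1.
check_resolv_conf() {
    servers=$(awk '$1 == "nameserver" { print $2 }' "$1")
    first=$(printf '%s\n' "$servers" | head -n 1)
    if [ "$first" != "127.0.0.1" ]; then
        echo "WARN: first nameserver is '$first', expected 127.0.0.1"
        return 1
    fi
    extra=$(printf '%s\n' "$servers" | sed '1d')
    if [ -n "$extra" ]; then
        echo "WARN: remote nameservers in resolv.conf (move them to forwarders):"
        printf '  %s\n' $extra
        return 1
    fi
    return 0
}

# Print the IPv4 forwarders in FILE, one per line. Handles both formats on the
# page: a dnscache servers/@ file (one address per line) and a named.conf,
# where only addresses inside the forwarders { ... } block count.
list_forwarders() {
    if grep -q forwarders "$1"; then
        awk '/forwarders[[:space:]]*[{]/ { inblk = 1 }
             inblk { print }
             inblk && /[}]/ { inblk = 0 }' "$1"
    else
        cat "$1"
    fi | tr ';{}' '   ' | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*\/\// { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i }'
}

count_forwarders() { list_forwarders "$1" | awk 'END { print NR }'; }

# Constructed sample files (not real system files) so this runs anywhere.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.good"
# Scott's resolv.conf from the thread: local cache first, public servers after
printf 'nameserver 127.0.0.1\nnameserver 4.2.2.3\nnameserver 4.2.2.4\n' > "$tmp/resolv.scott"
# dnscache root/servers/@ with the two ISP entries Martin lists first
printf '80.254.130.4\n80.254.140.9\n198.41.0.4\n' > "$tmp/servers_at"
# Scott's named.conf forwarders block
printf 'options {\n  forward first;\n  forwarders { 205.171.3.25; 208.67.222.220; 205.171.2.25; 208.67.222.222; };\n};\n' > "$tmp/named.conf"

check_resolv_conf "$tmp/resolv.good" && echo "resolv.good: OK"
check_resolv_conf "$tmp/resolv.scott" || echo "resolv.scott: move the remote entries into forwarders"
echo "servers/@ forwarders: $(count_forwarders "$tmp/servers_at")"   # 3
echo "named.conf forwarders: $(count_forwarders "$tmp/named.conf")"  # 4
```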
[qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
It'd be nice if there was a wiki page for DNS that explained all of this. There's a little info on the Domainkeys page (which should probably be marked deprecated), but it's woefully incomplete with regards to setting up DNS. Would someone care to get a DNS page going? The content on this thread would help to make a good start. Thanks.

--
-Eric 'shubes'

On 02/15/2011 02:16 AM, Martin Waschbüsch wrote:

> Exactly, for djbdns, I have (in /var/djbdns/dnscache/root/servers/@):
>
> 80.254.130.4
> 80.254.140.9
> 198.41.0.4
> 128.9.0.107
> 192.33.4.12
> 128.8.10.90
> 192.203.230.10
> 192.5.5.241
> 192.112.36.4
> 128.63.2.53
> 192.36.148.17
> 198.41.0.10
> 193.0.14.129
> 198.32.64.12
> 202.12.27.33
>
> The first two are the ones of my ISP. The rest came with the djbdns config and can be extended to use whatever else you want to add. This way, too, the local box will get answers for DNS requests from the first server that responds.
>
> Martin
Re: [qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
I have a 1.25 book on DNS. I'll lend it to anyone who wants to read it and compile some wiki notes on DNS. DNS is very complex in itself and you need to read much more than could be put on a wiki to get a full understanding of the complexities.

On 02/15/2011 06:22 AM, Eric Shubert wrote:

> It'd be nice if there was a wiki page for DNS that explained all of this. There's a little info on the Domainkeys page (which should probably be marked deprecated), but it's woefully incomplete with regards to setting up DNS. Would someone care to get a DNS page going? The content on this thread would help to make a good start. Thanks.

--
Cecil Yother, Jr.
cj
cj's
2318 Clement Ave
Alameda, CA 94501
tel 510.865.2787
http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com

---------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
On 15.02.2011 at 16:06, Maxwell Smart wrote:

> I have a 1.25 book on DNS. I'll lend it to anyone who wants to read it and compile some wiki notes on DNS. DNS is very complex in itself and you need to read much more than could be put on a wiki to get a full understanding of the complexities.

Very true. Personally, I find that the information given on the Wikipedia page http://en.wikipedia.org/wiki/Domain_Name_System plus the long (but by no means exhaustive) list of links on the subject at the bottom of the article are a good starting point for online reading.

Martin
Re: [qmailtoaster] QMT as gateway SMTP
That's all there is to it. Set up QMT as you would normally and, for those domains that you are relaying, add them to the smtproutes. The mail will still run the same gauntlet that the local delivery gets, but when the messages pop out of the scanners they are routed to the outside instead of falling into a mailbox.

> I need QMT+spamdike (WAN) to work as a relay SMTP for Microsoft Exchange (in LAN); is there any handbook? I understand QMT and Exchange routes (/var/qmail/control/smtproutes), that's all?
Re: [qmailtoaster] QMT as gateway SMTP
Thanks, but does chkuser work in this box?

2011/2/15 Phil Leinhauser p...@teqknow.com

> That's all there is to it. Set up QMT as you would normally and, for those domains that you are relaying, add them to the smtproutes. The mail will still run the same gauntlet that the local delivery gets, but when the messages pop out of the scanners they are routed to the outside instead of falling into a mailbox.
>
>> I need QMT+spamdike (WAN) to work as a relay SMTP for Microsoft Exchange (in LAN); is there any handbook? I understand QMT and Exchange routes (/var/qmail/control/smtproutes), that's all?
Re: [qmailtoaster] QMT as gateway SMTP
I have 2 Qmail servers doing this currently. One is mine; it does both pass-through as well as hosting domains, both on public IPs. My second one takes email and passes it through to an Exchange server on the local LAN. As the domain doesn't exist on the server it doesn't use chkuser, it just scans the e-mail and passes it through. Click this link to see how to set it up:

http://wiki.qmailtoaster.com/index.php/Scanning_External_non_locally_hosted_domains

Steve Sills
SolvingIT, Lead Technician
(403) 668-1589 x 1000
http://www.solvingit.ca

On 2011-02-15, at 10:50 AM, Carlos Herrera Polo wrote:

> Thanks, but does chkuser work in this box?
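For the gateway setup Phil and Steve describe, here is an added example (not the project's own code): a POSIX shell check that a domain meant to be relayed on to Exchange is accepted by qmail-smtpd, is not delivered locally, and has an smtproutes entry. It assumes standard qmail control-file semantics (rcpthosts, locals, virtualdomains, smtproutes with leading-dot suffix matching); the domains and the 192.168.1.10 relay host are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the qmailtoaster project. For a domain that QMT
# should scan and hand on to an internal Exchange server (the setup Steve and
# Phil describe), it cross-checks the qmail control files. Assumed standard
# qmail behaviour, not stated in the thread: qmail-smtpd only accepts mail for
# domains in rcpthosts (no rcpthosts at all = accept everything, an open relay);
# smtproutes lines "domain:host[:port]" send that domain's mail to host; a
# domain in locals or virtualdomains is delivered locally instead of routed.

# Look DOMAIN up in control FILE the way qmail-remote walks smtproutes: exact
# domain first, then each dotted suffix (".b.c" for "a.b.c"), then the empty
# catch-all key ":host". Prints the value after ':' (if any); exit 1 if no match.
lookup() {
    [ -f "$CTRL/$1" ] || return 1
    awk -F: -v d="$2" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        { key[$1] = 1; val[$1] = $2 }
        END {
            if (d in key) { print val[d]; exit 0 }
            n = split(d, p, ".")
            for (i = 2; i <= n; i++) {
                s = ""
                for (j = i; j <= n; j++) s = s "." p[j]
                if (s in key) { print val[s]; exit 0 }
            }
            if ("" in key) { print val[""]; exit 0 }
            exit 1
        }' "$CTRL/$1"
}

# Exit 0 when DOMAIN is accepted by qmail-smtpd and relayed via smtproutes;
# print each problem and exit 1 otherwise.
check_gateway_domain() {
    d=$1; rc=0
    [ -s "$CTRL/rcpthosts" ] || { echo "rcpthosts missing or empty: open relay"; rc=1; }
    lookup rcpthosts "$d" >/dev/null || { echo "$d: not in rcpthosts, qmail-smtpd rejects it"; rc=1; }
    for f in locals virtualdomains; do
        lookup "$f" "$d" >/dev/null && { echo "$d: listed in $f, delivered locally, not relayed"; rc=1; }
    done
    relay=$(lookup smtproutes "$d") || { echo "$d: no smtproutes entry"; return 1; }
    [ -n "$relay" ] || { echo "$d: smtproutes entry has no host, mail goes by MX"; rc=1; }
    [ $rc -eq 0 ] && echo "$d: accepted and relayed to $relay"
    return $rc
}

# Constructed sample control directory (hypothetical domains and a private IP)
# so this runs anywhere; on a real QMT host use CTRL=/var/qmail/control.
CTRL=$(mktemp -d); trap 'rm -rf "$CTRL"' EXIT
printf 'corp.example\n.corp.example\nhosted.example\n' > "$CTRL/rcpthosts"
printf 'localhost\n' > "$CTRL/locals"
printf 'hosted.example:hosted\n' > "$CTRL/virtualdomains"
printf 'corp.example:192.168.1.10\n.corp.example:192.168.1.10\n' > "$CTRL/smtproutes"

check_gateway_domain corp.example       # relayed to 192.168.1.10
check_gateway_domain sub.corp.example   # matched through the .corp.example lines
check_gateway_domain hosted.example     # flagged: in virtualdomains, delivered locally
check_gateway_domain other.example      # flagged: not in rcpthosts, no route
```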
[qmailtoaster] Re: DNS temporary failure if one DNS server don't work.
On 02/15/2011 09:35 AM, Martin Waschbüsch wrote:

> On 15.02.2011 at 16:06, Maxwell Smart wrote:
>
>> I have a 1.25 book on DNS. I'll lend it to anyone who wants to read it and compile some wiki notes on DNS. DNS is very complex in itself and you need to read much more than could be put on a wiki to get a full understanding of the complexities.
>
> Very true. Personally, I find that the information given on the Wikipedia page http://en.wikipedia.org/wiki/Domain_Name_System plus the long (but by no means exhaustive) list of links on the subject at the bottom of the article are a good starting point for online reading.
>
> Martin

I was hoping for a condensed version that wouldn't cover the whole subject, but simply what pertains to administering a QMT host. A reference section containing these links would be quite appropriate to include.

--
-Eric 'shubes'