G Suite mx checker complains "do not configure the mail service on the only domain name."

G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis
Hello. I have used the G Suite MX checker available here https://toolbox.googleapps.com/apps/checkmx/ and I got this message: "The address of the mail server in the domain record A can cause poorly visible and difficult to diagnose errors manifested by "disappearing" e-mails in the event of problems with the DNS server. This problem can be diagnosed by entering a command telnet your.do.main 25 [..]". How can I resolve this?

In the DNS zone I have:
ASPMX.L.GOOGLE.COM. with priority 1
ALT1.ASPMX.L.GOOGLE.COM. with priority 5
ALT2.ASPMX.L.GOOGLE.COM. with priority 5
ALT3.ASPMX.L.GOOGLE.COM. with priority 10
ALT4.ASPMX.L.GOOGLE.COM. with priority 10

and I also configured SPF, DKIM, DMARC for my domain.

Does anybody know what to do to resolve this? I know it's not exactly a Postfix issue, but there are mail-related specialists here.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Kris Deugau
Poliman - Serwis wrote:
> Hello. I have used G Suite MX checker available here
> https://toolbox.googleapps.com/apps/checkmx/

This seems to be a Google-specific tester for domains hosted with
Google, so it's difficult to compare with random other domains.

> and I have message: "The
> address of the mail server in the domain record A can cause poorly
> visible and difficult to diagnose errors manifested by "disappearing"
> e-mails in the event of problems with the DNS server. This problem can
> be diagnosed by entering a command*telnet your.do.main 25*[..]". How can
> I resolve this?


It would be helpful to know which domain you're testing so the rest of
us can read the entire report.

It sort of sounds like you have either managed to enter one of the
Google MX hosts' IP addresses as your domain root A record, or have an
extra MX record somewhere, or just have the domain root A record pointed
somewhere outside Google, but without more information it's really hard
to tell what they're even checking for.

-kgd

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-13 16:05 GMT+01:00 Kris Deugau <[hidden email]>:
> Poliman - Serwis wrote:
>> Hello. I have used G Suite MX checker available here https://toolbox.googleapps.com/apps/checkmx/
>
> This seems to be a Google-specific tester for domains hosted with Google, so it's difficult to compare with random other domains.
>
>> and I have message: "The address of the mail server in the domain record A can cause poorly visible and difficult to diagnose errors manifested by "disappearing" e-mails in the event of problems with the DNS server. This problem can be diagnosed by entering a command*telnet your.do.main 25*[..]". How can I resolve this?
>
> It would be helpful to know which domain you're testing so the rest of us can read the entire report.
>
> It sort of sounds like you have either managed to enter one of the Google MX hosts' IP addresses as your domain root A record, or have an extra MX record somewhere, or just have the domain root A record pointed somewhere outside Google, but without more information it's really hard to tell what they're even checking for.
>
> -kgd

It's colonel.com.pl. Please check. I don't see the MX's IP anywhere as an A record in the DNS zone.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Wietse Venema
Poliman - Serwis:

> 2018-11-13 16:05 GMT+01:00 Kris Deugau <[hidden email]>:
>
> > Poliman - Serwis wrote:
> >
> >> Hello. I have used G Suite MX checker available here
> >> https://toolbox.googleapps.com/apps/checkmx/
> >>
> >
> > This seems to be a Google-specific tester for domains hosted with Google,
> > so it's difficult to compare with random other domains.
> >
> > and I have message: "The address of the mail server in the domain record A
> >> can cause poorly visible and difficult to diagnose errors manifested by
> >> "disappearing" e-mails in the event of problems with the DNS server. This
> >> problem can be diagnosed by entering a command*telnet your.do.main
> >> 25*[..]". How can I resolve this?
>
> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> in dns zone.

You have both A and MX records for colonel.com.pl. Some SMTP systems
may try to send email using the A record, if those SMTP systems are
borked and if their DNS resolver is borked.

        Wietse

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Bastian Blank-3
In reply to this post by Poliman - Serwis
On Tue, Nov 13, 2018 at 05:31:13PM +0100, Poliman - Serwis wrote:
> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> in dns zone.

You missed that the point is called "There should not be a mail
exchanger set up on naked domain name."

Don't run an externally reachable SMTP server on colonel.com.pl.

| % nc colonel.com.pl 25  
| 220 s1.poliman.net ESMTP Postfix (Ubuntu)

Bastian

--
Men will always be men -- no matter where they are.
                -- Harry Mudd, "Mudd's Women", stardate 1329.8

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Viktor Dukhovni
In reply to this post by Wietse Venema
> On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]> wrote:
>
>> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
>> in dns zone.
>
> You have both A and MX records for colonel.com.pl. Some SMTP systems
> may try to send email using the A record, if those SMTP systems are
> borked and if their DNS resolver is borked.

In other words, nothing to worry about.  There's no need to worry about
such broken systems in practice.  Real MTAs don't get this wrong (though
perhaps what I'm saying is that if there are some MTAs that get this wrong,
they are garbage that deserves to be ignored).

--
        Viktor.

[1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-13 18:24 GMT+01:00 Viktor Dukhovni <[hidden email]>:
> > On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]> wrote:
> >
> >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> >> in dns zone.
> >
> > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > may try to send email using the A record, if those SMTP systems are
> > borked and if their DNS resolver is borked.
>
> In other words, nothing to worry about.  There's no need to worry about
> such broken systems in practice.  Real MTAs don't get this wrong (though
> perhaps what I'm saying is that if there are some MTAs that get this wrong,
> they are garbage that deserves to be ignored).
>
> --
>         Viktor.
>
> [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem

Ok, thank you guys for the answers and advice. Appreciate it!

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Wietse Venema
Poliman - Serwis:

> 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni <[hidden email]>:
>
> > > On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]>
> > wrote:
> > >
> > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A
> > record
> > >> in dns zone.
> > >
> > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > may try to send email using the A record, if those SMTP systems are
> > > borked and if their DNS resolver is borked.
> >
> > In other words, nothing to worry about.  There's no need to worry about
> > such broken systems in practice.  Real MTAs don't get this wrong (though
> > perhaps what I'm saying is that if there are some MTAs that get this wrong,
> > they are garbage that deserves to be ignored).
> >
> > --
> >         Viktor.
> >
> > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
>
>
> Ok, thank you guys for answers and advices. Appreciate!

You may still want to turn off the SMTP listener on colonel.com.pl,
because it will never receive legitimate email.

        Wietse

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-13 19:58 GMT+01:00 Wietse Venema <[hidden email]>:
> Poliman - Serwis:
> > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni <[hidden email]>:
> >
> > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]> wrote:
> > > >
> > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> > > >> in dns zone.
> > > >
> > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > > may try to send email using the A record, if those SMTP systems are
> > > > borked and if their DNS resolver is borked.
> > >
> > > In other words, nothing to worry about.  There's no need to worry about
> > > such broken systems in practice.  Real MTAs don't get this wrong (though
> > > perhaps what I'm saying is that if there are some MTAs that get this wrong,
> > > they are garbage that deserves to be ignored).
> > >
> > > --
> > >         Viktor.
> > >
> > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
> >
> >
> > Ok, thank you guys for answers and advices. Appreciate!
>
> You may still want to turn off the SMTP listener on colonel.com.pl,
> because it will never receive legitimate email.
>
>         Wietse

Thank you for the answer. I suppose I don't understand properly. How could I do this if this domain has its MX on Google?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

B. Reino
On 2018-11-14 08:21, Poliman - Serwis wrote:

> 2018-11-13 19:58 GMT+01:00 Wietse Venema <[hidden email]>:
>
>> You may still want to turn off the SMTP listener on colonel.com.pl,
>> because it will never receive legitimate email.
>>
>> Wietse
>
> Thank you for answer. I suppose I don't understand properly. How could
> I do this if this
> domain has MX on Google?

If your e-mail is handled by Google, then you should not have an SMTP
server running (listening) on colonel.com.pl.

So you should go (ssh) to colonel.com.pl and
disable/deinstall/firewall/etc. postfix so that it does not accept
incoming e-mails (e.g. ports 25, 465, 587).

If anyone wants to send you an e-mail, the MTA (sending server) will
lookup colonel.com.pl and find the relevant MX record pointing to
Google. The MTA will then send the e-mail to the Google server.

In severely broken situations an MTA might decide to try to send it
directly to colonel.com.pl and -- surprise -- find a welcoming
(listening) SMTP server. You don't want that, so, again, you should
disable/remove/uninstall the SMTP server on colonel.com.pl.

Hopefully this is clear now.

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Håkon Alstadheim
In reply to this post by Poliman - Serwis

On 14.11.2018 08:21, Poliman - Serwis wrote:

> 2018-11-13 19:58 GMT+01:00 Wietse Venema <[hidden email]>:
>
> > Poliman - Serwis:
> > > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni <[hidden email]>:
> > >
> > > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]> wrote:
> > > > >
> > > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> > > > >> in dns zone.
> > > > >
> > > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > > > may try to send email using the A record, if those SMTP systems are
> > > > > borked and if their DNS resolver is borked.
> > > >
> > > > In other words, nothing to worry about. There's no need to worry about
> > > > such broken systems in practice.  Real MTAs don't get this wrong (though
> > > > perhaps what I'm saying is that if there are some MTAs that get this wrong,
> > > > they are garbage that deserves to be ignored).
> > > >
> > > > --
> > > >         Viktor.
> > > >
> > > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
> > >
> > >
> > > Ok, thank you guys for answers and advices. Appreciate!
> >
> > You may still want to turn off the SMTP listener on colonel.com.pl,
> > because it will never receive legitimate email.
> >
> >         Wietse
>
> Thank you for answer. I suppose I don't understand properly. How could
> I do this if this domain has MX on Google?

To make sure all mail delivered to colonel.com.pl gets to google, make
sure that the host colonel.com.pl will NOT accept connections for
incoming mail from the internet.

In other words: if you want mail to end up at your MX, your A ip-address
should not accept incoming mail.

If that is already OK, you are OK. It looks OK from where I am sitting.

Viz:

# dig colonel.com.pl mx

; <<>> DiG 9.11.2-P1 <<>> colonel.com.pl mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63690
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;colonel.com.pl.                        IN      MX

;; ANSWER SECTION:
colonel.com.pl.         3600    IN      MX      5 alt1.aspmx.l.google.com.
colonel.com.pl.         3600    IN      MX      5 alt2.aspmx.l.google.com.
colonel.com.pl.         3600    IN      MX      10 alt4.aspmx.l.google.com.
colonel.com.pl.         3600    IN      MX      10 alt3.aspmx.l.google.com.
colonel.com.pl.         3600    IN      MX      1 aspmx.l.google.com.

;; AUTHORITY SECTION:
colonel.com.pl.         3576    IN      NS      ns6.poliman.net.
colonel.com.pl.         3576    IN      NS      ns7.poliman.net.

;; ADDITIONAL SECTION:
ns6.poliman.net.        3576    IN      A       193.70.38.6
ns7.poliman.net.        3576    IN      A       54.38.202.128

;; Query time: 42 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: on. nov. 14 10:20:30 CET 2018
;; MSG SIZE  rcvd: 240

0:gt ~ # nc colonel.com.pl 25
nc: unable to connect to address colonel.com.pl, service 25



Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-14 10:22 GMT+01:00 Håkon Alstadheim <[hidden email]>:
> On 14.11.2018 08:21, Poliman - Serwis wrote:
>
> > 2018-11-13 19:58 GMT+01:00 Wietse Venema <[hidden email]>:
> >
> > > Poliman - Serwis:
> > > > 2018-11-13 18:24 GMT+01:00 Viktor Dukhovni <[hidden email]>:
> > > >
> > > > > > On Nov 13, 2018, at 11:48 AM, Wietse Venema <[hidden email]> wrote:
> > > > > >
> > > > > >> It's colonel.com.pl. Please check. I don't see anywhere MX's IP as A record
> > > > > >> in dns zone.
> > > > > >
> > > > > > You have both A and MX records for colonel.com.pl. Some SMTP systems
> > > > > > may try to send email using the A record, if those SMTP systems are
> > > > > > borked and if their DNS resolver is borked.
> > > > >
> > > > > In other words, nothing to worry about. There's no need to worry about
> > > > > such broken systems in practice.  Real MTAs don't get this wrong (though
> > > > > perhaps what I'm saying is that if there are some MTAs that get this wrong,
> > > > > they are garbage that deserves to be ignored).
> > > > >
> > > > > --
> > > > >         Viktor.
> > > > >
> > > > > [1] https://en.wikipedia.org/wiki/Infinite_monkey_theorem
> > > >
> > > >
> > > > Ok, thank you guys for answers and advices. Appreciate!
> > >
> > > You may still want to turn off the SMTP listener on colonel.com.pl,
> > > because it will never receive legitimate email.
> > >
> > >         Wietse
> >
> > Thank you for answer. I suppose I don't understand properly. How could I do this if this domain has MX on Google?
>
> To make sure all mail delivered to colonel.com.pl gets to google, make sure that the host colonel.com.pl will NOT accept connections for incoming mail from the internet.
>
> In other words: if you want mail to end up at your MX, your A ip-address should not accept incoming mail.
>
> If that is already OK, you are OK. It looks OK from where I am sitting.
>
> Viz:
>
> # dig colonel.com.pl mx
>
> ; <<>> DiG 9.11.2-P1 <<>> colonel.com.pl mx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63690
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;colonel.com.pl.                        IN      MX
>
> ;; ANSWER SECTION:
> colonel.com.pl.         3600    IN      MX      5 alt1.aspmx.l.google.com.
> colonel.com.pl.         3600    IN      MX      5 alt2.aspmx.l.google.com.
> colonel.com.pl.         3600    IN      MX      10 alt4.aspmx.l.google.com.
> colonel.com.pl.         3600    IN      MX      10 alt3.aspmx.l.google.com.
> colonel.com.pl.         3600    IN      MX      1 aspmx.l.google.com.
>
> ;; AUTHORITY SECTION:
> colonel.com.pl.         3576    IN      NS      ns6.poliman.net.
> colonel.com.pl.         3576    IN      NS      ns7.poliman.net.
>
> ;; ADDITIONAL SECTION:
> ns6.poliman.net.        3576    IN      A       193.70.38.6
> ns7.poliman.net.        3576    IN      A       54.38.202.128
>
> ;; Query time: 42 msec
> ;; SERVER: 192.168.2.2#53(192.168.2.2)
> ;; WHEN: on. nov. 14 10:20:30 CET 2018
> ;; MSG SIZE  rcvd: 240
>
> 0:gt ~ # nc colonel.com.pl 25
> nc: unable to connect to address colonel.com.pl, service 25

I really appreciate the help. About "In other words: if you want mail to end up at your MX, your A ip-address should not accept incoming mail." - currently I have an SPF record which allows sending emails only for the Google servers added as MX records (I have removed 'a' from the SPF record). Second - I tried "nc colonel.com.pl 25" from a virtual machine deployed on my PC at work, and the result is:
tot@haha:~# nc colonel.com.pl 25
220 s1.poliman.net ESMTP Postfix (Ubuntu)
^C



--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Dominic Raferd
On Thu, 15 Nov 2018 at 09:40, Poliman - Serwis <[hidden email]> wrote:
> Really appreciate help. About " In other words: if you want mail to end up at your MX, your A ip-address should not accept incoming mail. " - currently I have spf which allow sending emails only for google servers added as MX records (I have removed 'a' from spf record). Second - I tried "nc colonel.com.pl 25" from virtual machine deployed on my PC in job and result:
> tot@haha:~# nc colonel.com.pl 25
> 220 s1.poliman.net ESMTP Postfix (Ubuntu)

So you are running a receiving postfix mail server on the A ip-address of colonel.com.pl. What for? G-Suite does it all for you, you shouldn't be using any other relaying mail server - just send and receive through Gmail.

If you still want to run postfix for outgoing mail on the machine which is receiving colonel.com.pl:25,  you can stop postfix processing incoming mail there with:
postconf inet_interfaces=loopback-only

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-15 12:14 GMT+01:00 Dominic Raferd <[hidden email]>:
> On Thu, 15 Nov 2018 at 09:40, Poliman - Serwis <[hidden email]> wrote:
> > Really appreciate help. About " In other words: if you want mail to end up at your MX, your A ip-address should not accept incoming mail. " - currently I have spf which allow sending emails only for google servers added as MX records (I have removed 'a' from spf record). Second - I tried "nc colonel.com.pl 25" from virtual machine deployed on my PC in job and result:
> > tot@haha:~# nc colonel.com.pl 25
> > 220 s1.poliman.net ESMTP Postfix (Ubuntu)
>
> So you are running a receiving postfix mail server on the A ip-address of colonel.com.pl. What for? G-Suite does it all for you, you shouldn't be using any other relaying mail server - just send and receive through Gmail.
>
> If you still want to run postfix for outgoing mail on the machine which is receiving colonel.com.pl:25,  you can stop postfix processing incoming mail there with:
> postconf inet_interfaces=loopback-only

I have a few domains on the server. Some of them use my server to send emails, but a few have an external mail service like Google configured. I need to disable the use of my mail service by colonel.com.pl on my server. There needs to be only Google, nothing more, but the other domains need to use my mail service.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

B. Reino
On 2018-11-15 12:24, Poliman - Serwis wrote:

> I have few domains on the server. Some part of them use my server for
> send emails but few have
> configured external mail service like Google. I need to disable using
> my mail service by
> colonel.com.pl on my server. There need to be only google, nothing more
> but other domains need
> to use my mail service.

Well then just leave it as it is. Obviously the warning you got from
Google does not apply, because that SMTP server is taking care of other,
unrelated, domains. Therefore you can safely ignore the warning, as it
is wrong.

Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

Poliman - Serwis


2018-11-15 15:19 GMT+01:00 B. Reino <[hidden email]>:
> On 2018-11-15 12:24, Poliman - Serwis wrote:
>
> > I have few domains on the server. Some part of them use my server for send emails but few have
> > configured external mail service like Google. I need to disable using my mail service by
> > colonel.com.pl on my server. There need to be only google, nothing more but other domains need
> > to use my mail service.
>
> Well then just leave it as it is. Obviously the warning you got from Google does not apply, because that SMTP server is taking care of other, unrelated, domains. Therefore you can safely ignore the warning, as it is wrong.

Ok, thank you.

--
Pozdrawiam / Best Regards
Piotr Bracha
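
The check several posters in this thread ran by hand (`dig` for the MX records, `nc` to port 25 on the bare domain), written as a shell script; this is an added example and not part of any post above. The function names, the verdict strings and the `example.test` sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample records and banner are constructed.

# mx_hosts: read `dig +short MX <domain>` lines ("<pref> <host>.") on stdin and
# print the hosts in the order a sender tries them (lowest preference first).
# A null MX ("0 .") is kept as "." so it is not mistaken for "no MX records".
mx_hosts() {
    sort -n -k1,1 |
        awk 'NF == 2 { h = tolower($2); if (h != ".") sub(/\.$/, "", h); print h }'
}

# apex_verdict DOMAIN MX_LINES BANNER
#   MX_LINES  output of `dig +short MX DOMAIN`
#   BANNER    first line received from DOMAIN port 25, empty if no connection
apex_verdict() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    hosts=$(printf '%s\n' "$2" | mx_hosts)
    case "$3" in
        220*) listening=yes ;;
        *)    listening=no ;;
    esac
    if [ -z "$hosts" ]; then
        # No MX records: senders fall back to the domain's address record,
        # so a listener on the bare domain is the mail server.
        if [ "$listening" = yes ]; then echo implicit-mx; else echo no-mail-service; fi
    elif printf '%s\n' "$hosts" | grep -qxF -- "$domain"; then
        echo apex-is-mx          # the bare domain is itself a listed MX
    elif [ "$listening" = yes ]; then
        echo stray-listener      # MX points elsewhere, yet the apex accepts SMTP
    else
        echo ok                  # MX points elsewhere and the apex is closed
    fi
}

# probe_banner HOST: first line sent by HOST port 25 (needs network access).
# Assumes an nc that keeps reading after EOF on stdin; variants differ here.
probe_banner() {
    nc -w 5 "$1" 25 </dev/null 2>/dev/null | head -n 1
}

# Constructed sample: MX at Google (hostnames as in the thread), plus a
# constructed greeting from a Postfix instance on the bare domain.
SAMPLE_MX='5 alt1.aspmx.l.google.com.
1 aspmx.l.google.com.
10 alt3.aspmx.l.google.com.'
SAMPLE_BANNER='220 mail.example.test ESMTP Postfix'

if [ -n "$1" ]; then
    # Live check of the domain given as the first argument.
    apex_verdict "$1" "$(dig +short MX "$1")" "$(probe_banner "$1")"
else
    apex_verdict example.test "$SAMPLE_MX" "$SAMPLE_BANNER"   # stray-listener
fi
```

Run it with a domain as the first argument for a live check. A `stray-listener` verdict is expected when the same host also receives mail for other domains, which is how this thread ended.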