Mx lookup


Mx lookup

Sorry
Hi,

I have installed postfix 2.5.1.

If I use the opendns service:
resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

the email that I try to send to an unreal domain (i.e. yrcwed4r.it) goes to the queue with a connection timeout:
   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
                                          [hidden email]

If I use the other DNS (my service provider's), the email is bounced to the sender correctly:
(Host or domain name not found. Name service error for name=yrcwed4r.it type=AAAA: Host found but no data record of requested type).

The problem seems to be in the OpenDNS service.

Can you help me?

Regards,

--
NETBUILDER S.R.L.
Andrea Soracchi - System Engineer
Tel. 0521-247791
Fax. 0521-7431140 / 0521 - 1851253
www.netbuilder.it


Re: Mx lookup

Mark Blackman-4

On 14 May 2008, at 13:25, Andrea Soracchi wrote:

> Hi,
>
> I have installed postfix 2.5.1.
>
> If I use the opendns service:
> resolv.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go  
> to the queue with
> connection time out:
>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>                                          [hidden email]
>
> If I use the other DNS (my service provider) the email is bounced  
> to sender correctly
> (Host or domain name not found. Name service error for  
> name=yrcwed4r.it type=AAAA: Host
> found but no data record of requested type).
>
> The problem seems to be in opendns service.
>
> Can you help me.

Yes, don't use opendns for MX lookups.

- Mark


Re: Mx lookup

Charles Marcus
On 5/14/2008 8:29 AM, Mark Blackman wrote:

>> If I use the opendns service:
>> resolv.conf
>> nameserver 208.67.222.222
>> nameserver 208.67.220.220
>>
>> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go to
>> the queue with
>> connection time out:
>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>                                          [hidden email]
>>
>> If I use the other DNS (my service provider) the email is bounced to
>> sender correctly
>> (Host or domain name not found. Name service error for
>> name=yrcwed4r.it type=AAAA: Host
>> found but no data record of requested type).
>>
>> The problem seems to be in opendns service.
>>
>> Can you help me.

> Yes, don't use opendns for MX lookups.

Bad answer... opendns works really well for me and has been for a long
time, on numerous systems.

Just log into your OpenDNS account and disable 'Typo Corrections' and
you're good to go...

--

Best regards,

Charles

Re: Mx lookup

Arturo 'Buanzo' Busleiman

Charles Marcus wrote:
| Bad answer... opendns works really well for me and has been for a long
| time, on numerous systems.

It works perfectly. But he could also run his own caching-only nameserver to speed things up.


--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Re: Mx lookup

Mark Blackman-4
In reply to this post by Charles Marcus

On 14 May 2008, at 13:53, Charles Marcus wrote:

> On 5/14/2008 8:29 AM, Mark Blackman wrote:
>>> If I use the opendns service:
>>> resolv.conf
>>> nameserver 208.67.222.222
>>> nameserver 208.67.220.220
>>>
>>> the email that I try to send to unreal domain (i.e. yrcwed4r.it)  
>>> go to
>>> the queue with
>>> connection time out:
>>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>>                                          [hidden email]
>>>
>>> If I use the other DNS (my service provider) the email is bounced to
>>> sender correctly
>>> (Host or domain name not found. Name service error for
>>> name=yrcwed4r.it type=AAAA: Host
>>> found but no data record of requested type).
>>>
>>> The problem seems to be in opendns service.
>>>
>>> Can you help me.
>
>> Yes, don't use opendns for MX lookups.
>
> Bad answer... opendns works really well for me and has been for a long
> time, on numerous systems.
>
> Just log into your OpenDNS account and disable 'Typo Corrections' and
> you're good to go...

Thanks, I certainly didn't realize that option existed, but how does that deal with malicious conflicting IP entries?

i.e.
user A declares they do queries from IP A and turn off typo correction
user B declares they do queries from IP A *as well* and turn *on* typo correction.

They do appear to go to some effort to confirm you're an actual user of that IP address, but for multiple machines on a NAT, they can't distinguish those cases. The case where you might get two conflicting users at the same IP address is small, but not vanishingly so.

In any case, the general point is that OpenDNS is aimed primarily at web clients and so they'll always do a better job for that case rather than MX lookups.

A local caching resolver is preferred, but OpenDNS is more suitable than I originally realized.

- Mark


>
> --
>
> Best regards,
>
> Charles


Re: Mx lookup

Sorry
In reply to this post by Charles Marcus
Thanks,

now it works fine.

Regards,

Quoting Charles Marcus <[hidden email]>:

> On 5/14/2008 8:29 AM, Mark Blackman wrote:
>>> If I use the opendns service:
>>> resolv.conf
>>> nameserver 208.67.222.222
>>> nameserver 208.67.220.220
>>>
>>> the email that I try to send to unreal domain (i.e. yrcwed4r.it) go to
>>> the queue with
>>> connection time out:
>>>   (connect to yrcwed4r.it[208.67.217.132]:25: Connection timed out)
>>>                                          [hidden email]
>>>
>>> If I use the other DNS (my service provider) the email is bounced to
>>> sender correctly
>>> (Host or domain name not found. Name service error for
>>> name=yrcwed4r.it type=AAAA: Host
>>> found but no data record of requested type).
>>>
>>> The problem seems to be in opendns service.
>>>
>>> Can you help me.
>
>> Yes, don't use opendns for MX lookups.
>
> Bad answer... opendns works really well for me and has been for a long
> time, on numerous systems.
>
> Just log into your OpenDNS account and disable 'Typo Corrections' and
> you're good to go...
>
> --
>
> Best regards,
>
> Charles
>
>



--
NETBUILDER S.R.L.
Andrea Soracchi - System Engineer
Tel. 0521-247791
Fax. 0521-7431140 / 0521 - 1851253
www.netbuilder.it


Re: Mx lookup

Sahil Tandon
In reply to this post by Arturo 'Buanzo' Busleiman
* Arturo 'Buanzo' Busleiman <[hidden email]> [05-14-2008]:


> It works perfectly. But he could also run his own caching-only nameserver
> to speed up things.

Yep, look into djbdns for that.

--
Sahil Tandon <[hidden email]>

Re: Mx lookup

Charles Marcus
In reply to this post by Mark Blackman-4
>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>> you're good to go...

> Thanks, I certainly didn't realize that option existed, but
> how does that deal with malicious conflicting IP entries?
>
> i.e.
> user A declares they do queries from IP A and turn off typo correction
> user B declares they do queries from IP A *as well* and turn *on* typo
> correction.

? What do users have to do with it? This is on a server. If you have
your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
need to have an account with them (free), which is associated with your
IP address(es) in the 'Networks' section.

> They do appear to go to some effort to confirm you're an actual user of
> that IP address, but for multiple machines on a NAT, they can't distinguish
> those cases. The case where you might get two conflicting users at the
> same IP address is small, but not vanishingly so.

? I'm not sure why you are talking about clients/users.

Set up your local caching server / DNS server to use OpenDNS as a
forwarder... tell your Clients to use your DNS server... done.

> In any case, the general point is that openDNS is aimed primarily at
> web clients and so they'll always do a better job for that case
> rather than mx lookups.

True on the first point, but I disagree with the second... DNS is DNS,
whether you're looking up a FQDN through a web browser, or an MX record
through an smtp server.

> A local caching resolver is preferred, but opendns is more suitable than
> I originally realized.

Very true... but a combination is the best of both worlds... use a local
caching server, with opendns as the backup...

Of course, nothing wrong with running your own real DNS server, but this
is the easiest way, at least for me... :)

But this has gone way beyond postfix related...

--

Best regards,

Charles

Re: Mx lookup

Mark Blackman-4

On 14 May 2008, at 15:34, Charles Marcus wrote:

>>> Just log into your OpenDNS account and disable 'Typo Corrections'  
>>> and
>>> you're good to go...
>
>> Thanks, I certainly didn't realize that option existed, but
>> how does that deal with malicious conflicting IP entries?
>>
>> i.e.
>> user A declares they do queries from IP A and turn off typo  
>> correction
>> user B declares they do queries from IP A *as well* and turn *on*  
>> typo
>> correction.
>
> ? What do users have to do with it? This is on a server. If you have
> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
> need to have an account with them (free), which is associated with  
> your
> IP address(es) in the 'Networks' section.

I don't think it's uncommon to have a postfix system sitting behind
a NAT IP address with a public IP address shared by web clients
in the same office. First person to sign up with that *shared* public IP
address controls the settings as far as I can tell and that might not be
the system administrator.

- Mark



Re: Mx lookup

Charles Marcus
> I don't think it's uncommon to have a postfix system sitting behind
> a NAT IP address with a public IP address shared by web clients
> in the same office. First person to sign up with that *shared* public IP
> address controls the settings as far as I can tell and that might not be
> the system administrator.

In other words, no solution is a one size fits all - yes, I agree...

--

Best regards,

Charles

Re: Mx lookup

Blake Hudson
In reply to this post by Mark Blackman-4
-------- Original Message  --------
Subject: Re: Mx lookup
From: Mark Blackman <[hidden email]>
To: Charles Marcus <[hidden email]>
Date: Wednesday, May 14, 2008 9:41:51 AM

>
> On 14 May 2008, at 15:34, Charles Marcus wrote:
>
>>>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>>>> you're good to go...
>>
>>> Thanks, I certainly didn't realize that option existed, but
>>> how does that deal with malicious conflicting IP entries?
>>>
>>> i.e.
>>> user A declares they do queries from IP A and turn off typo correction
>>> user B declares they do queries from IP A *as well* and turn *on* typo
>>> correction.
>>
>> ? What do users have to do with it? This is on a server. If you have
>> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
>> need to have an account with them (free), which is associated with your
>> IP address(es) in the 'Networks' section.
>
> I don't think it's uncommon to have a postfix system sitting behind
> a NAT IP address with a public IP address shared by web clients
> in the same office. First person to sign up with that *shared* public IP
> address controls the settings as far as I can tell and that might not be
> the system administrator.
>
> - Mark
>
>
Perhaps someone should contact OpenDNS, as MX lookups may not be
suitable for "typo correction". The reasons being that 1) it breaks
software that relies on NXDOMAIN responses (specifically common in MTAs);
2) even if an email made it to the intended destination server, that
server would likely reject the message because the domain or mailbox
doesn't exist (because of the typo).

e.g. I email [hidden email] -
Oh no, gmaill.com doesn't exist, but typo correction saves the day and
figures out you meant to send to [hidden email]
Your server sends to gmail, but oh wait! gmail.com's mail servers don't
accept email for gmaill.com, your message is rejected.

This detection could have happened earlier and the message never left
the sender's client... I don't see any win for using typo correction on
MX records... Again, perhaps a registered user of OpenDNS could let them
know about this issue.

-Blake

Re: Mx lookup

Noel Jones-2
In reply to this post by Mark Blackman-4
Mark Blackman wrote:

>>
>> Just log into your OpenDNS account and disable 'Typo Corrections' and
>> you're good to go...
>
> Thanks, I certainly didn't realize that option existed, but
> how does that deal with malicious conflicting IP entries?
>
> i.e.
> user A declares they do queries from IP A and turn off typo correction
> user B declares they do queries from IP A *as well* and turn *on* typo
> correction.
>

Only one user can register for a given IP.  As long as you're
the first to register your IP there isn't a problem.  If one
of your users already registered your NAT IP, prove to OpenDNS
you're the admin and they'll bump the squatter off.

Not exactly perfect, but usable.

I've had very good results using OpenDNS as a bind forwarder
on sites with high-latency connections.  Works great after
typo correction is turned off.

And an alternative is to use check_sender_mx_access and reject
anything that returns OpenDNS' search IP.

--
Noel Jones
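An added example, not code from anyone in this thread: a small probe that asks a resolver for a label that cannot exist (the way the original poster's yrcwed4r.it did) and reports whether it gets the honest NXDOMAIN an MTA relies on or a synthesized A record such as the 208.67.217.132 seen in the timeout above. It assumes UDP port 53 on the resolver is reachable; the function names are my own.

```python
import random
import socket
import struct


def build_query(name, qtype=1):
    # Minimal DNS query: one question, RD set. Returns (txid, packet).
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(pkt, off):
    # Advance past a (possibly compressed) domain name.
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(pkt):
    # Return txid, RCODE and the A records found in the answer section.
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "addrs": addrs}


def classify(resp):
    # Honest resolver: RCODE 3 (NXDOMAIN) and no data. Typo-correcting: NOERROR plus an A record.
    if resp["rcode"] == 3 and not resp["addrs"]:
        return "honest-nxdomain"
    if resp["rcode"] == 0 and resp["addrs"]:
        return "redirect-to-" + resp["addrs"][0]
    return "inconclusive"


def probe(resolver, timeout=3.0):
    # Ask for a random label under .it that cannot exist (cf. yrcwed4r.it in the thread).
    txid, query = build_query("nx-%016x.it" % random.getrandbits(64))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        resp = parse_response(s.recvfrom(512)[0])
    return classify(resp) if resp["txid"] == txid else "inconclusive"
```

Run `probe("208.67.222.222")` against the resolver in the original resolv.conf and `probe` against your ISP's resolver to compare; a result starting with "redirect-to-" is the behaviour that turns a bounce into a queued timeout.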

Re: Mx lookup

Mark Blackman-4
In reply to this post by Blake Hudson

On 14 May 2008, at 15:53, Blake Hudson wrote:

> -------- Original Message  --------
> Subject: Re: Mx lookup
> From: Mark Blackman <[hidden email]>
> To: Charles Marcus <[hidden email]>
> Date: Wednesday, May 14, 2008 9:41:51 AM
>>
>> On 14 May 2008, at 15:34, Charles Marcus wrote:
>>
>>>>> Just log into your OpenDNS account and disable 'Typo  
>>>>> Corrections' and
>>>>> you're good to go...
>>>
>>>> Thanks, I certainly didn't realize that option existed, but
>>>> how does that deal with malicious conflicting IP entries?
>>>>
>>>> i.e.
>>>> user A declares they do queries from IP A and turn off typo  
>>>> correction
>>>> user B declares they do queries from IP A *as well* and turn  
>>>> *on* typo
>>>> correction.
>>>
>>> ? What do users have to do with it? This is on a server. If you have
>>> your mail server DNS pointed at OpenDNS, it simply uses OpenDNS. You
>>> need to have an account with them (free), which is associated  
>>> with your
>>> IP address(es) in the 'Networks' section.
>>
>> I don't think it's uncommon to have a postfix system sitting behind
>> a NAT IP address with a public IP address shared by web clients
>> in the same office. First person to sign up with that *shared*  
>> public IP
>> address controls the settings as far as I can tell and that might  
>> not be
>> the system administrator.
>>
>> - Mark
>>
>>
> Perhaps someone should contact OpenDNS, as mx lookups may not be  
> suitable for "typo correction". The reasons being that 1) it breaks  
> software that rely on nxdomain responses (specifically common in  
> MTAs); 2) even if an email made it to the intended destination  
> server, that server would likely reject the message because the  
> domain or mailbox doesn't exist (because of the typo).

As Charles pointed out, the typo correction feature can be turned off by the first person to declare that IP as theirs (by registering *from* that IP), and the typo correction is done on the A record lookup that follows a failed MX lookup, I believe, and so it's a bit tough to discern intentions for that case.

- Mark

>
> e.g. I email [hidden email] -
> Oh no, gmaill.com doesn't exist, but typo correction saves the day  
> and figures out you meant to send to [hidden email]
> Your server sends to gmail, but oh wait! gmail.com's mail servers  
> don't accept email for gmaill.com, your message is rejected.
>
> This detection could have happened earlier and the message never  
> left the sender's client... I don't see any win for using typo  
> correction on MX records... AGain, perhaps a registered user of  
> OpenDNS could let them know about this issue.
>
> -Blake


Re: Mx lookup

Bill Cole-3
In reply to this post by Mark Blackman-4
At 3:41 PM +0100 5/14/08, Mark Blackman wrote:
>I don't think it's uncommon to have a postfix system sitting behind
>a NAT IP address with a public IP address shared by web clients
>in the same office. First person to sign up with that *shared* public IP
>address controls the settings as far as I can tell and that might not be
>the system administrator.

The potential for an OpenDNS settings squabble would not be the top
item on most lists of reasons to not share a NAT address between a
mail server and desktop systems.

--
Bill Cole [hidden email]