Our GWIA hosts several domains. My question is about how to configure
everything, so that, if some external mail server is doing reverse
lookup on our domains, it gets the correct information.
Our current configuration is as follows:
Let's assume one GWIA services the domains "dom1.com", "dom2.com" and
"dom3.com". We define three MX records at our ISP, for "mail.dom1.com",
"mail.dom2.com" and "mail.dom3.com", each with its public IP address.
Our ISP also defines the three PTR records for these addresses.
The purpose of defining distinct public (and private) addresses for
each domain was to ensure proper functioning of the reverse lookup for
all three domains.
On the Netware (V5.1) server on which GWIA runs, we define several
secondary IP addresses, (some of) which are MIP-ed at the firewall to
the public addresses of the MX records.
The server on which GWIA runs, also runs three POs, whose Internet
Addressings are configured to correspond to the three domains.
In GWIA's SMTP/MIME settings, the "A-Record" is set to
"mail.dom1.com".
In the GWIA's GroupWise/Identification field "Foreign ID" we have all
the 3 domains listed, the first being "mail.dom1.com". The Network
Address field is set to a private address which is *not* NATed to a
public one.
Now, I have the following *two* questions:
1. Is this configuration going to achieve its purpose - correct
reverse lookup? Is something missing?
2. I am trying to send a mail to a mail server which recently enabled
reverse DNS checking (in order to fight spam). I am getting an
undeliverable message which says:
The message that you sent was undeliverable to
<destinatin@mailbox>. Fix reverse DNS
for <a public IP address>
Now, curiously, the public IP address listed is indeed in the range of
our public IP addresses, but is *not* one of the three addresses used
in the MX records. Still, it is the one which is NATed to the
*primary* private address of our GWIA server (and, of course, we
haven't defined the reverse lookup for this address).
What is going on? Why does the receiver mail server believe we are
sending from this <public IP address>?
I can provide the real domain names and IP addresses, if necessary.
GWIA is 6.0.2.
TIA
Alex
But that's not really related. In the email world, reverse dns is used by
the receiving server to check the ip address of the server that is sending
to it. So for your problem number 2, if I understand your setup properly,
you must have reverse dns setup for the ip address that the email you are
sending out is coming from. That's the ip address of your gwia (or what it
gets nat'ed to). It has nothing to do with incoming mail.
So basically it all boils down to this:
1) What public ip address does your GWIA send email from? This will NOT be
any secondary ipaddresses. If your GWIA has a public ip address it WILL be
that (unless you use a relay). Do you use a relay? If your GWIA doesn't
have a public ip address, then what's the public IP address of the gateway
that your GWIA server points to? It sounds like your GWIA is sending email
through your firewall . . .
2) When you establish what public IP address your gwia server sends from,
then all you need to have is a PTR record that points to ANY hostname that
resolves back to the public ip address. If you could get Novell to add a
hostname for you, you could give your public ip address aaa.bbb.ccc.ddd a
PTR record pointing to sillyexample.novell.com and it would work as long as
sillyexample.novell.com resolves to aaa.bbb.ccc.ddd . . . And no, it
doesn't matter if your gwia server claims to be mail.dom1.com instead of
sillyexample.novell.com, nor does it matter if the MX record for dom1.com
points to mail.dom3.com for the reverse dns stuff to work.
Ted Kumsher
PS--I wrote this quickly so if anybody sees something I'm wrong about please
speak up . . .
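The check Ted describes (PTR for the sending IP, then the PTR name resolving back to that IP, with the HELO/A-record name not required to match) can be scripted. This is an added example, not code from the thread; the 192.0.2.x addresses and the sample DNS table are constructed to mirror the setup above, and the live_* resolvers are for real lookups if a practitioner wants them.

```python
import socket

# Constructed sample DNS data (RFC 5737 documentation range), modelled on the
# thread: three MX hosts with PTRs, one host whose PTR does not resolve back,
# and the firewall's NAT address for the server's primary IP, which has no PTR.
SAMPLE_PTR = {
    "192.0.2.11": "mail.dom1.com",
    "192.0.2.12": "mail.dom2.com",
    "192.0.2.13": "mail.dom3.com",
    "192.0.2.14": "stale.dom1.com",   # PTR exists but points elsewhere
    # "192.0.2.20" (NATed primary address) deliberately has no PTR
}
SAMPLE_A = {
    "mail.dom1.com": ["192.0.2.11"],
    "mail.dom2.com": ["192.0.2.12"],
    "mail.dom3.com": ["192.0.2.13"],
    "stale.dom1.com": ["192.0.2.99"],
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_a(name):
    return SAMPLE_A.get(name, [])

def live_ptr(ip):
    # Real reverse lookup; None when the ISP has defined no PTR.
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def live_a(name):
    # Real forward lookup of the PTR name; empty list when it does not resolve.
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def fcrdns_check(sending_ip, helo_name=None, ptr=live_ptr, a=live_a):
    """Forward-confirmed reverse DNS as a receiving server applies it to the
    connecting IP. Returns (passed, explanation)."""
    ptr_name = ptr(sending_ip)
    if ptr_name is None:
        return False, "Fix reverse DNS for %s (no PTR record)" % sending_ip
    if sending_ip not in a(ptr_name):
        return False, "PTR name %s does not resolve back to %s" % (ptr_name, sending_ip)
    note = ""
    if helo_name and helo_name.lower() != ptr_name.lower():
        note = " (HELO %s differs from PTR name; acceptable)" % helo_name
    return True, "ok: %s -> %s -> %s%s" % (sending_ip, ptr_name, sending_ip, note)
```

Run it against the address named in a "Fix reverse DNS for ..." bounce to see which of the two checks fails.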
>>> Alex Leibovici<alex.le...@berufsbildung-srk.ch> 1/27/2004 12:30:41 PM >>>
Thanks, Ted
>[...]
>So for your problem number 2, if I understand your setup properly,
>you must have reverse dns setup for the ip address that the email you are
>sending out is coming from. That's the ip address of your gwia (or what it
>gets nat'ed to). It has nothing to do with incoming mail.
>
>So basically it all boils down to this:
>
>1) What public ip address does your GWIA send email from? This will NOT be
>any secondary ipaddresses. If your GWIA has a public ip address it WILL be
>that (unless you use a relay). Do you use a relay? If your GWIA doesn't
>have a public ip address, then what's the public IP address of the gateway
>that your GWIA server points to? It sounds like your GWIA is sending email
>through your firewall . . .
Yes, GWIA is sending/receiving mail through our firewall; there is no
relay or gateway.
Now, how can I find out from what public address GWIA sends out mails?
Further, on what parameters of GWIA (and/or the server it runs on)
does this depend?
From the "undeliverable" message I am getting, it seems that GWIA is
sending under the server's primary IP address (its NATed public
address, in fact). Why is this so? Can/should I change this? Or should
I simply ask the ISP to define a reverse lookup for this address?
Thanks again
Alex
If you have a nic on the GWIA server that has a public ip address, that will
be the ip. Note that this will always be the primary ip address (I don't
know ANY way of using a secondary ip address). In other words, in inetcfg,
bindings, are there any public ip's listed--and if so, then that would be it
(unless you have an unusual routing setup).
However, since you said that the GWIA sends "through" your firewall, I
assume that means via NAT. In that scenario, the ip address the receiving
server would see is the public ip address your firewall is setup to use NAT
with. That's how NAT works--it "replaces" your private ip address with its
public ip address (OK, it's much more complicated than that, but close
enough), and then sends on the internet traffic as if it originated from the
firewall.
>>>>Further, on what parameters of GWIA (and/or the server it runs on)
>>>>does this depend?
As above, as far as I know the GWIA server will always send out (from its
perspective) using the primary ip on the server, never the secondary ip's.
(Note that if you have multiple nics/subnets then it depends on your
routing.) Again note that any NAT firewalls will manipulate this ip.
>>>>From the "undeliverable" message I am getting, it seems that GWIA is
>>>>sending under the server's primary IP address (its NATed public
>>>>address, in fact).
Which would make sense as described above.
>>>>Why is this so?
That's the way ip and NAT works. IP and NAT are not really aware of
services like www or smtp or whatever. They just route traffic and
manipulate packets (for the most part). So the server won't say "Since I'm
supposed to be mail.dom2.com for this email then I'll use secondary ip
address xx.yy.zz.ab to send this email". Instead it says "Hey ip and NAT
subsystem--just send this however you think works best".
>>>>Can/should I change this?
As far as CAN you change this, certainly (though it could get very
difficult). SHOULD you? I wouldn't.
>>>>Or should I simply ask the ISP to define a reverse lookup for this
>>>>address?
There's the right answer at the end of the day. Instead of messing with DNS
or IP or NAT or firewalls or routing or whatever, just define a reverse dns
for the ip that the receiving server claims to see.
Ted Kumsher
Alex