Solved

Website hosted externally, Internal Mail Server, how to set up DNS

Posted on 2008-10-15
Last Modified: 2010-04-21
Hi there

We are bringing our mail server in house, previously we have been using hosted POP3 accounts.  I have set up the internal DNS ok on our server, but am not sure what I need to do to point mail traffic to our internal mail server?

Our website is hosted externally and we need to keep that set up, so I think I need to change the MX records?
Question by:tv_kid
LVL 70

Accepted Solution by: Chris Dent (earned 250 total points)
ID: 22719479

Hey,

These are the DNS requirements for hosting an SMTP Server:

1. Host (A) record - Inbound and Outbound mail

If you need to accept inbound mail you should create a dedicated name for your SMTP server (because it makes things clear). The record must be created in your public DNS service and it should point to the public IP address your mail server will use for receiving (and / or sending) mail.

For example, any of these is perfectly adequate:

mail.yourdomain.com.   IN A   1.2.3.4
smtp.yourdomain.com.   IN A   1.2.3.4

2. Mail Exchanger (MX) record - Inbound mail

To accept inbound mail you should create an MX Record for your domain that points to the record created above. MX Records must point to a Host (A) record to be RFC compliant.

MX Records are written in this form:

<email-domain>  IN MX   <priority>   <server>

For example, this MX record will accept mail bound for <anyrecipient>@yourdomain.com and pass it on to mail.yourdomain.com.

yourdomain.com.   IN MX   10   mail.yourdomain.com.

3. Pointer (PTR) record - Outbound mail

The reverse lookup zone maps IP Addresses back to names using Pointer (PTR) records. This forms the basis of a simple test to see if your SMTP server looks official rather than a virus / malware ridden machine sending spam.

If your server is sending out mail to hosts on the internet (that is, not relaying through a third-party service) you must configure a PTR record for your server. If you do not you will find mail sent from your server is rejected by certain recipients.

Addition of the PTR record must, in general, be requested via your ISP; those responsible for providing the internet connection your mail server uses. The exception to this is where responsibility for the Reverse Lookup Zone has been delegated to you.

The PTR record for mail.yourdomain.com running on the public IP 1.2.3.4 would look like this:

4.3.2.1.in-addr.arpa.   IN PTR   mail.yourdomain.com.

Many ISPs will understand a request for a Reverse Lookup Record for 1.2.3.4 to mail.yourdomain.com. That is, you do not necessarily need to know the syntax above.

4. SMTP service name - Outbound mail

Again, if the server is sending out mail it must use a public name. Failure to do so will result in rejected mail because of the simple tests above.

The name used should have a Host (A) record and a Pointer (PTR) record configured.

For Exchange 2007 the name is set in the Properties for the Send Connector. It is possible to set the name for the Receive Connector as well however this will have no impact on mail delivery. It can be considered good practice to set a public name on the Receive Connector for the sake of consistency.

For Exchange 2003 the name is set in the Properties for the Virtual SMTP Server (Delivery, Advanced, Server FQDN).

5. (Optional) Sender Policy Framework (SPF / TXT) record

The Sender Policy Framework allows you to state explicitly which servers can send mail as your domain name.

While this is not universally used it will help reduce abuse of your domain name by third-parties and also reduce the number of non-delivery reports returned to your system for mail you didn't send in the first place.

Wizards exist for this record here:

http://www.openspf.org/
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

The record would be added as a TXT record to your public domain. It is only checked by systems receiving mail from you.

HTH

Chris
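As an added illustration of the five requirements in the accepted answer (this is example code written for this page, not part of Chris Dent's answer or of any product named in the thread), the following Python script stores the answer's sample records in an in-memory table and checks them the way a receiving server would: the MX target must have a Host (A) record and must not be a CNAME, the address must have a PTR that resolves back to the same address (forward-confirmed reverse DNS), and an SPF TXT record should be published. The second domain badexample.net, its host names and the addresses 1.2.3.4 and 5.6.7.8 are constructed sample data chosen to show each check failing; a real check would replace the RECORDS table with live lookups.

```python
import ipaddress

# Constructed zone data standing in for the public DNS. yourdomain.com follows
# the examples in the answer (1.2.3.4 is the answer's placeholder address);
# badexample.net is a hypothetical domain built so that the checks fail.
RECORDS = {
    ("mail.yourdomain.com.", "A"): ["1.2.3.4"],
    ("yourdomain.com.", "MX"): [(10, "mail.yourdomain.com.")],
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.yourdomain.com."],
    ("yourdomain.com.", "TXT"): ["v=spf1 mx -all"],
    # badexample.net: first MX is a CNAME alias, second MX has a PTR that
    # belongs to a generic ISP name which does not resolve back to the IP.
    ("relay.badexample.net.", "CNAME"): ["box.badexample.net."],
    ("box.badexample.net.", "A"): ["5.6.7.8"],
    ("badexample.net.", "MX"): [(10, "relay.badexample.net."),
                                (20, "box.badexample.net.")],
    ("8.7.6.5.in-addr.arpa.", "PTR"): ["dsl-5-6-7-8.isp.example."],
}


def lookup(name, rtype):
    """Return the records of one type for a name (empty list if none)."""
    return RECORDS.get((name.lower(), rtype), [])


def reverse_name(ip):
    """IPv4/IPv6 address -> owner name in the reverse lookup zone."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_mail_dns(domain):
    """Check the A / MX / PTR / SPF requirements for a mail domain.
    Returns a list of findings; an empty list means nothing to report."""
    findings = []
    mx_records = lookup(domain, "MX")
    if not mx_records:
        return [f"{domain}: no MX record, inbound mail will not be routed"]

    for priority, target in sorted(mx_records):
        # The MX target must be a host name with an A record, never an alias.
        if lookup(target, "CNAME"):
            findings.append(f"{domain}: MX {priority} {target} points to a CNAME")
            continue
        addrs = lookup(target, "A")
        if not addrs:
            findings.append(f"{domain}: MX target {target} has no A record")
            continue
        for ip in addrs:
            # Forward-confirmed reverse DNS: IP -> PTR -> name -> A -> same IP.
            ptrs = lookup(reverse_name(ip), "PTR")
            if not ptrs:
                findings.append(f"{target}: no PTR record for {ip}")
            elif not any(ip in lookup(p, "A") for p in ptrs):
                findings.append(f"{target}: PTR for {ip} is {ptrs[0]}, "
                                f"which does not resolve back to {ip}")

    # SPF is optional in the answer, so its absence is reported as a note.
    spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append(f"{domain}: note, no SPF record published")
    elif len(spf) > 1:
        findings.append(f"{domain}: {len(spf)} SPF records, only one is allowed")
    return findings


if __name__ == "__main__":
    for zone in ("yourdomain.com.", "badexample.net."):
        print(zone, check_mail_dns(zone) or ["all checks passed"])
```

The PTR check is the one most often missed when a server is brought in house: the A and MX records live in the domain's own zone, but the in-addr.arpa entry is in the ISP's zone, so a clean forward zone with no reverse entry still produces the third finding above.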
LVL 2

Author Comment

by:tv_kid
ID: 22721410
Hi Chris

Thanks for your comprehensive reply.  I have set up the DNS records I think, and mail can be sent to and from the server.  However, I must have done something wrong...

Assuming my domain name is "example.com", I set up the DNS on the server to be "server.example.com" and directed mail to this accordingly.  However, the mail server automatically creates user accounts as "user@server.example.com" rather than "user@example.com"

What have I done wrong?
LVL 70

Expert Comment

by:Chris Dent
ID: 22722726

It's likely that the policy responsible for creating addresses is just a bit wrong.

For Exchange 2007 we'd be looking at the Email Address Policy, for Exchange 2003 the Recipient Policies. Which version are we dealing with?

Chris
LVL 2

Author Comment

by:tv_kid
ID: 22722769
It's Kerio Mail Server on a Mac OSX Server...
LVL 70

Expert Comment

by:Chris Dent
ID: 22722849

Exchange is normally a fairly safe assumption :)

I've never used Kerio, but this looks like the correct place:

http://www.kerio.com/manual/kms/en/sect-domdef.html

Is the primary domain listed as server.example.com?

Chris
LVL 2

Author Comment

by:tv_kid
ID: 22722876
The primary domain is listed as "example.com" but I had to create another entry for "server.example.com" to get it to authenticate to the Open Directory on the same server.  This works except for the accounts being created as user@server.example.com

Thanks for your help.
LVL 70

Expert Comment

by:Chris Dent
ID: 22722927

Odd, I would expect to create the SMTP addresses with the Primary. Does it list multiple e-mail addresses per user, and is it assigning user@example.com as well?

As I mentioned, I don't have any direct experience with Kerio, so I may not be the best person to ask about this particular piece, hence the exploratory nature of my questions :)

Chris
LVL 2

Author Comment

by:tv_kid
ID: 22722992
Hi Chris

No it's not listing multiple email addresses per user, just the one for each user that I've linked to in the Open Directory.

My feeling was that I had set up the DNS incorrectly, but I guess it may be something with Kerio instead.  I had already tried to set up the internal OSX Mail Server but this didn't work either!

DNS is working internally however, as I can authenticate to the server from client machines.
LVL 70

Expert Comment

by:Chris Dent
ID: 22729717

Hmm, I can't say why that bit isn't behaving, I'm afraid; anything I suggest there is going to be paraphrasing the manual, which isn't much help.

Chris
LVL 2

Author Comment

by:tv_kid
ID: 22774727
Hi Chris

Thanks for your input on this.  As you've said, there is little more you can suggest.  I've been in direct contact with Kerio about it and am working to sort it out.

I'm going to mark your original answer as the solution, as that certainly helped to get things clear in my head.

No doubt I'll be back to this topic at some point in the future!
LVL 2

Author Closing Comment

by:tv_kid
ID: 31506226
Thanks for your help on this Chris.
LVL 70

Expert Comment

by:Chris Dent
ID: 22774885

Best of luck, I hope they sort it out for you :)

Chris