Networking Forums

Quite new and need help on email, MX record and domain names

 
 
Adrian Hodgson
02-02-2006, 08:56 PM

I hope this is on topic for this group.

I am trying to understand and learn about networking by installing and
using a home network connected to the Internet via a permanent ADSL
connection.

This runs through a Firewall to keep out the hackers and so far I have
succeeded to get all internal computers to access the internet,
access emails via an account provided by my ISP.

To take it a bit further I paid for a domain name through
dnsexit.com, managed to install a script to always tell it what IP
address I have, and lastly serve a webpage via a computer running Apache on
the home network. No web content yet, just the standard Apache information
and docs. (Sorry for the long intro.)

Next I am trying to understand how email systems work, and I have a few
'simple' questions I hope you can help with.
My idea is to have the computer with Apache also act as a mail server or
mail transfer agent. If I give the computer a host name of webserver and a
domain name to match my purchased domain name of, say,
'my-home-network.com', would I make the MX record at dnsexit equal to
'webserver.my-home-network.com'?

I am assuming that email requests would then be sent to my own IP address
and, through a port redirect on my firewall, point to the machine called
webserver?

Please let me know if this would work or what may be wrong with it.

Cheers
 
Peter M
02-02-2006, 09:58 PM
Adrian Hodgson wrote:

> Next I am trying to understand how email systems work, and I have a few
> 'simple' questions I hope you can help with.


> My idea is to have the computer with Apache also act as a mail server or
> mail transfer agent, if I give the computer a host name of webserver
> and a domain name to match my purchased domain name of say
> 'my-home-network.com'. Would I make the MX record at dnsexit equal to
> 'webserver.my-home-network.com'.
>
> I am assuming that email request would then be sent to my own IP address
> and through a port redirect on my firewall point to the machine called
> webserver?


Since example.com is reserved for use, I'll give my spin on how things
may be set up... If your IP is dynamic, it might mess things about, but
assuming you have a fixed IP (else your mail could perhaps arrive on a
different IP and be accepted without bouncing!):


type   host   priority   value

A      mx01              83.149.83.20
A      mx02              62.149.36.50
CNAME  web               example.com
A      www               83.149.83.20
A                        62.149.36.50
MX            10         mx01.example.com.
MX            20         mx02.example.com.


The above details are loosely based on a real domain I registered.

web.example.com is an alias of example.com

example.com is on a particular IP, different to that used for
viewing www.example.com pages

Mail should go to mx01.example.com and (if unavailable) then to
mx02.example.com (the 2 different servers holding web pages).

 
Alex Fraser
02-02-2006, 10:30 PM
Adrian Hodgson wrote:
[snip]
> Next I am trying to understand how email systems work, and I have a few
> 'simple' questions I hope you can help with.
> My idea is to have the computer with Apache also act as a mail server or
> mail transfer agent, if I give the computer a host name of webserver and
> a domain name to match my purchased domain name of say
> 'my-home-network.com'. Would I make the MX record at dnsexit equal to
> 'webserver.my-home-network.com'.


If I understand you correctly, you have an ADSL service with a single,
non-static IP address and a NAT router. Presumably, you have configured the
router to forward port 80 to the (LAN) address of the web server machine.

The name you give the computer itself is unimportant. The MX record for the
email domain should contain a name which has an A record that is the WAN
address of the router - ie a record that is updated whenever the address
changes. In addition, you will (as you thought) need to make another port
forwarding entry.

If you run a mail server, be absolutely certain that it is not an "open
relay". (Apache, suitably misconfigured, can also be abused via the CONNECT
method.)

If you run a mail server from a dynamic IP address, there are two additional
issues. The first is that there is a potential window where mail may be
delivered to the wrong place, if your connection is down and the IP address
it had is given to someone else. IMO this is quite serious, but it is fairly
unlikely to happen. The other issue is that you should use your ISP's relay
server for outgoing mail, because many servers on the Internet will reject
mail from dynamic IP addresses.

Alex


 
Adrian Hodgson
02-02-2006, 10:49 PM
On Thu, 02 Feb 2006 22:58:55 +0000, Peter M wrote:

> Adrian Hodgson wrote:
>
>snip
>> 'my-home-network.com'. Would I make the MX record at dnsexit equal to
>> 'webserver.my-home-network.com'.
>>
>> I am assuming that email request would then be sent to my own IP
>> address and through a port redirect on my firewall point to the machine
>> called webserver?

>
> since example.com is reserved for use, I'll give my spin on how things
> may be set up... if your IP is dynamic, it might mess things about but
> assuming you have a fixed IP (else your mail could perhaps arrive on a
> different IP and be accepted without bouncing!)
>
>
> type   host   priority   value
>
> A      mx01              83.149.83.20
> A      mx02              62.149.36.50
> CNAME  web               example.com
> A      www               83.149.83.20
> A                        62.149.36.50
> MX            10         mx01.example.com.
> MX            20         mx02.example.com.
>
>
> The above details are loosely based on a real domain I registered.
>
> web.example.com is an alias of example.com
>
> example.com is on a particular IP, different to that used for
> viewing www.example.com pages
>
> Mail should go to mx01.example.com (and if unavailable) then
> mx02.example.com (the 2 different servers holding web pages)


Thanks for the reply Peter.

I think what you are telling me is yes. I am unsure of some of your 'type'
values as yet, but am assuming that 'A' is a record for a computer, one
called mx01 and one called mx02.

Looks as though mx01 is on one IP network and mx02 on another. With
priority 10 being the lowest, the mail server will look for mx01 on
83.149.83.20, and if not found will try to access mx02 on 62.149.36.50.

So my basic setup would, I think, work. Are there typical values to use as
priorities? Why not just 1, 2 etc.? I have not found any docs that say what
should be used.

Last comment, then I head for sleep. I am on a dynamic IP address as the
ISP does not operate with permanent addresses; they usually last for 2 to
3 days before they expire, but with no set pattern.

I use Smoothwall Express as the firewall and it detects that the IP has changed
by no longer being able to get some form of echo ping back. Then it
resets and detects the new IP address allocated.

A script on the webserver runs every 10 minutes to check if the Internet
IP changes, and if it does detect a change it then logs into my DNS page on
dnsexit and changes the IP lookup, so the worst instance of being off the
Internet would be 20 minutes.

I could use dnsexit as a backup for that period I think, but would be more
concerned that someone else got my old IP address within the 20 minutes
before my new IP became known and started to get my emails, or even worse
spam meant for me. Would they get it only if they had a computer named
webserver?

Cheers
Adrian

(Sorry to the group for long posts but it's how I need things at present.)

Adrian Hodgson
02-02-2006, 11:07 PM
On Thu, 02 Feb 2006 23:30:49 +0000, Alex Fraser wrote:

snipped
>
> If I understand you correctly, you have an ADSL service with a single,
> non-static IP address and a NAT router. Presumably, you have configured the
> router to forward port 80 to the (LAN) address of the web server machine.
>
> The name you give the computer itself is unimportant. The MX record for the
> email domain should contain a name which has an A record that is the WAN
> address of the router - ie a record that is updated whenever the address
> changes. In addition, you will (as you thought) need to make another port
> forwarding entry.
>
> If you run a mail server, be absolutely certain that it is not an "open
> relay". (Apache, suitably misconfigured, can also be abused via the CONNECT
> method.)
>
> If you run a mail server from a dynamic IP address, there are two additional
> issues. The first is that there is a potential window where mail may be
> delivered to the wrong place, if your connection is down and the IP address
> it had is given to someone else. IMO this is quite serious, but it is fairly
> unlikely to happen. The other issue is that you should use your ISP's relay
> server for outgoing mail, because many servers on the Internet will reject
> mail from dynamic IP addresses.
>
> Alex


Alex, thanks for replying, I posted one reply and then checked the group
to see your post.

Yes, you are correct in that I have an ADSL service with a non-static IP.

I actually run Smoothwall Express webserver, and this drives the ADSL modem
from its USB port. If the Internet IP changes then it does detect and
reset, coming back up with the new IP.

A script on the webserver PC runs a check every 10 mins, so in theory 20
mins max before it broadcasts my new IP address to dnsexit.

Yes, I am concerned what would happen in the 20 minutes (see other post)
if someone else then takes up my old IP. A records: I need to figure out
what it stands for yet, apologies, but this is the idea, to learn.

In Smoothwall I have port forwarding on port 80 to the IP address on the
computer, say 192.168.0.200 port 80. I was assuming that I would also port
forward port 25 to 192.168.0.200 port 25.

Apache is in fact on a Linux box running SUSE. For the past two months I
have been monitoring the attacks on the system from port scans, MS-SQL
Worm propagation attempts, (http_inspect) NON-RFC HTTP DELIMITER and
others. So far OK; the logs have always shown them as
either blocked or errors, not found, etc.

If there is a danger from going down the email server I would really like
to stop hassle to others along the way as I learn.

Cheers

Adrian
 
Alex Fraser
02-03-2006, 10:35 AM
Adrian Hodgson wrote:
[snip]
> Yes you are correct in that I have an ADSL service with non static IP.
>
> I actually run Smoothwall express webserver and this drives the ADSL
> modem from its USB port. If the Internet IP changes then it does detect
> and reset coming back up with the new IP.


Not that it offers much advantage, but have you looked into getting
Smoothwall to do the dynamic DNS update? The only time the IP address may
change is if the link goes down for some reason.

> Yes I am concerned what would happen in the 20 minutes ( see other post)
> if someone else then takes up my old IP.


The window of opportunity is not 20 minutes. In the worst case, it is 10
minutes more than the length of time your connection is down. Say someone
else gets what was your IP address. There are a few obvious scenarios:

- They are not running a mail server. Attempts to deliver mail for you
will naturally fail. For some particular message, the sending server will
try to deliver to other MXes for the domain (if any), and possibly try
"your" IP address at a later time if it can't pass the message on. After
a few days, the sending server will give up and bounce the message.
- They are running a well configured mail server. The server will probably
reject the message as soon as the sending server gives the recipient
address (saying "I don't accept mail for that domain"). This will cause
the sending server to immediately bounce the message.
- They are running an open relay. In this case the server will accept
messages, and either create a mail loop (which will be detected fairly
quickly, and the message will bounce) or, if the server is behind a NAT
router that (like most) does not do "reflective" port forwarding, will
act like the sending server in the first scenario.

Though it's unlikely, it's also possible the server accepts messages and
does nothing with them. The real problem is that the situation is not under
your control.

> A records: I need to figure out what it stands for yet, apologies, but this
> is the idea, to learn.


No need to apologise. 'A' stands for address.

> In Smoothwall I have portforwarding on port 80 to the IP address on the
> computer say 192.168.0.200 port 80. I was assuming that I would also port
> forward port 25 to 192.168.0.200 port 25.


Yep.

[snip]
> If there is a danger from going down the email server I would really like
> to stop hassle to others along the way as I learn.


I'm not sure what you mean.

Alex
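Alex's open-relay warning earlier in the thread and the "well configured mail server" scenario above are the same policy decision seen from two sides: when an SMTP client names a recipient, the server either hosts that domain, is relaying for one of its own users, or refuses. The Python below is an example added here and is not code from any poster; the domain my-home-network.com, the 192.168.0.0/24 LAN range, the host name in the greeting and the exact reply texts are assumptions for the home setup discussed in the thread.

```python
# Added example, not code from any post in this thread: the RCPT TO decision
# that keeps a mail server from being an open relay, and that produces the
# immediate rejection described for a well-configured server above.
# The domain, LAN range, host name and reply texts are assumptions.
import ipaddress

LOCAL_DOMAINS = {"my-home-network.com"}        # domains this server hosts
LAN = ipaddress.ip_network("192.168.0.0/24")   # clients allowed to relay


def rcpt_decision(client_ip, rcpt_to, authenticated=False,
                  local_domains=LOCAL_DOMAINS, lan=LAN):
    """Return the SMTP reply line for one RCPT TO command.

    Accept when the recipient domain is one we host (inbound mail).
    Accept a foreign recipient only from our own LAN or an authenticated
    user (outbound mail).  Anything else is a relay attempt: refuse it with
    a permanent 5xx reply so the sender bounces the message at once rather
    than leaving it in our queue.
    """
    if rcpt_to.count("@") != 1 or rcpt_to.endswith("@"):
        return "501 5.1.3 Bad recipient address syntax"
    domain = rcpt_to.split("@", 1)[1].lower().rstrip(".")
    if domain in local_domains:
        return "250 2.1.5 OK"
    if authenticated or ipaddress.ip_address(client_ip) in lan:
        return "250 2.1.5 OK"
    return f"554 5.7.1 <{rcpt_to}>: Relay access denied"


def envelope_session(client_ip, recipients, authenticated=False):
    """Simulate the envelope phase of one SMTP session.

    Returns (accepted_recipients, transcript).  Lines prefixed C: are the
    sending server, S: are our replies; the greeting and sender address
    are constructed values.
    """
    transcript = [
        "S: 220 webserver.my-home-network.com ESMTP",
        "C: EHLO mail.sender.example",
        "S: 250 webserver.my-home-network.com",
        "C: MAIL FROM:<someone@sender.example>",
        "S: 250 2.1.0 OK",
    ]
    accepted = []
    for rcpt in recipients:
        reply = rcpt_decision(client_ip, rcpt, authenticated)
        transcript += [f"C: RCPT TO:<{rcpt}>", f"S: {reply}"]
        if reply.startswith("250"):
            accepted.append(rcpt)
    if not accepted:
        # Nothing to deliver: a sending server would give up and bounce now.
        transcript += ["C: QUIT", "S: 221 2.0.0 Bye"]
    return accepted, transcript


if __name__ == "__main__":
    # Outside sender naming one local and one foreign recipient:
    # the first is accepted, the second is refused as a relay attempt.
    _, lines = envelope_session(
        "203.0.113.5", ["adrian@my-home-network.com", "someone@other.example"])
    print("\n".join(lines))
```

Run stand-alone it prints the envelope exchange for an outside sender that names one local and one foreign recipient. The relay test is the whole of the "not an open relay" requirement: a server that answers 250 to the second RCPT TO from an arbitrary outside address is an open relay, whatever else it does. The 554 reply is what makes the sending server bounce immediately in the second scenario above, rather than queueing and retrying.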


 
Peter M
02-03-2006, 12:14 PM
Alex Fraser wrote:

> The window of opportunity is not 20 minutes. In the worst case, it is 10
> minutes more than the length of time your connection is down.


I hadn't thought of it like that - someone hits the phone pole down
the road and your line (plus the rest of the neighbours have no way
of doing anything until BT puts in a new pole and reconnects homes)
could be quite a while!!

> Though it's unlikely, it's also possible the server accepts messages and
> does nothing with them.


Yes, Agent has an option to simply accept anything on port 25, without
any forwarding or validation... Must be other apps which do the same.


> The real problem is that the situation is not under your control.


You've opened my eyes much wider to the problems, thanks Alex. I had
seen this discussed on u.t.broadband but the 'connection down' scene
was not one which was highlighted and is rather a bad one IMO.

>>If there is a danger from going down the email server I would really
>>like to stop hassle to others along the way as I learn.


> I'm not sure what you mean.


Yeah, I saw that before going to bed, and decided to wait for some
clarification... I'm sure I misunderstood it, reading it now!

 
Peter M
02-03-2006, 12:28 PM
Adrian Hodgson wrote:

>>snip


> Looks as though mx01 is on one IP network and mx02 on another.
> Using the priority 10 being the lowest the mailserver will look
> for mx01 on ...


indeed, where 'the mailserver' will be one 'sending' to the domain.

> So my basic setup would, I think work. Are there typical values to use as
> priorities, why not just 1, 2 etc? I have not found any docs that say what
> should be used.


I believe the values can be from 0 to 99 (perhaps higher), but they
are arbitrary values, to allow for several entries at the same
priority (e.g. to load share)... and I tend to use multiples
of 10 to allow for inserting another entry easily...

For mail to 'something'.clara.net there's an entry at priority 5
(mailspool.clara.net - which resolves to at least 5 separate IP
addresses) and then another at priority 10 (mail2.clara.net)...
It is a slightly neater solution, perhaps.



> so worst instance of being off the Internet would be 20 minutes.


If you have a dynamic IP, I would hesitate to run a mail server.
Alex has pointed out a significant downside concerning downtime.
Good luck with your experimenting... Peter M.
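Peter's table in his first reply and the priority explanation here describe how a sending server walks a domain's MX list: lowest preference first, equal preferences shared, and the next host tried when one is unreachable. The Python below is an example added here, not code from any poster; it carries the same zone data (mx01 at 10, mx02 at 20, plus a mailspool host at 5 with several addresses, after the clara.net pattern) through that walk. The addresses for the mailspool host and the extra mx03 host in the usage check are constructed.

```python
# Added example, not code from any post in this thread: the order in which a
# sending mail server tries a domain's MX hosts, as described above.
# Zone data is constructed after Peter M's table; names and addresses are
# examples only.
import random
from collections import defaultdict

# MX records as (preference, host): lower preference is tried first.
MX_RECORDS = [
    (20, "mx02.example.com."),
    (10, "mx01.example.com."),
    (5, "mailspool.example.com."),  # one name, several addresses (load share)
]

# A records for the MX hosts (constructed).  An MX host with no address is
# useless to a sender, which is the state a dynamic-IP host is in when its
# DNS entry has not yet been updated.
A_RECORDS = {
    "mx01.example.com.": ["83.149.83.20"],
    "mx02.example.com.": ["62.149.36.50"],
    "mailspool.example.com.": ["192.0.2.10", "192.0.2.11"],
}


def delivery_order(mx_records, a_records, rng=None):
    """Return the (preference, host, ip) attempts a sender makes, in order.

    Hosts are grouped by preference and groups are visited from lowest
    value upwards (RFC 5321, section 5.1).  Hosts sharing a preference are
    shuffled so that senders spread load across them, which is why the
    actual numbers are arbitrary and only their relative order matters.
    """
    rng = random.Random(0) if rng is None else rng
    by_pref = defaultdict(list)
    for pref, host in mx_records:
        by_pref[pref].append(host)
    attempts = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)  # equal preference: any order is allowed
        for host in hosts:
            for ip in a_records.get(host, []):  # no A record: host is skipped
                attempts.append((pref, host, ip))
    return attempts


def deliver(mx_records, a_records, reachable, rng=None):
    """Simulate one delivery attempt: the first reachable address wins.

    Returns the (preference, host, ip) used, or None when every address
    failed, in which case a real sender queues the message and retries
    for days before bouncing it.
    """
    for attempt in delivery_order(mx_records, a_records, rng):
        if attempt[2] in reachable:
            return attempt
    return None


def dangling_mx(mx_records, a_records):
    """Hosts named in MX records that resolve to no address at all."""
    return sorted(host for _, host in mx_records if not a_records.get(host))


if __name__ == "__main__":
    for step in delivery_order(MX_RECORDS, A_RECORDS):
        print(step)
    # mx01 down, mx02 up: mail falls through to the preference-20 host.
    print(deliver(MX_RECORDS, A_RECORDS, reachable={"62.149.36.50"}))
    # A hypothetical mx03 with no A record is reported as dangling.
    print(dangling_mx(MX_RECORDS + [(30, "mx03.example.com.")], A_RECORDS))
```

The preference values 5, 10 and 20 could equally be 1, 2 and 3; the code only ever sorts them and groups equal ones, which is the reason Peter gives for leaving gaps (a new host can be slotted in at 15 without renumbering). The dangling-MX check is the sort of thing worth running against your own zone after a dynamic DNS update, since a name that points nowhere is one of the ways a sender ends up trying the wrong place.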

 
Adrian Hodgson
02-03-2006, 05:14 PM
On Fri, 03 Feb 2006 13:14:43 +0000, Peter M wrote:

> Alex Fraser wrote:
>
>> The window of opportunity is not 20 minutes. In the worst case, it is
>> 10 minutes more than the length of time your connection is down.

>
> I hadn't thought of it like that - someone hits the phone pole down the
> road and your line (plus the rest of the neighbours have no way of doing
> anything until BT puts in a new pole and reconnects homes) could be
> quite a while!!
>

Smoothwall waits 5 minutes then resets (has to do this I think due to the
Speedtouch modem); the script runs every 10 mins, so 20 mins was an average.
Yes, I do accept what would happen if I had a BT fault etc.; then it could
be down for days.

>> Though it's unlikely, it's also possible the server accepts messages
>> and does nothing with them.

>
> Yes, Agent has an option to simply accept anything on port 25, without
> any forwarding or validation... Must be other apps which do the same.
>
>
>> The real problem is that the situation is not under your control.

>
> You've opened my eyes much wider to the problems, thanks Alex. I had
> seen this discussed on u.t.broadband but the 'connection down' scene was
> not one which was highlighted and is rather a bad one IMO.
>
>

I guess I could never do anything about anyone else accepting all messages
or running a relay. I just want to make sure I don't.

>>>If there is a danger from going down the email server I would really
>>>like to stop hassle to others along the way as I learn.

>
>> I'm not sure what you mean.

>
> Yeah, I saw that before going to bed, and decided to wait for some
> clarification... I'm sure I misunderstood it, reading it now!


It was late at night and much of the time I do not watch the screen when
typing.
What I was trying to say is that if there is a real danger of me messing
up someone else's mail server I would not do it! But that being said, for
the next 8 months I will not be able to move away from Wanadoo broadband.
It is only after getting broadband that much of this has been possible for
me to even get into networking, as the downloads on dial-up were restrictive
to say the least.

What are my options? I would still like to learn and run a mail server;
can I go for the following scenario? Use dnsexit as a mail server, use a
mail agent at home to retrieve and store any messages here ready for
handing to client computers when they log in. In the transmit path, send
from client to server here, which then checks for dnsexit and uploads?

Not what I wanted to try but still. (sulk)

Next question will be on preferred servers or MTA, but that is possibly for
one of the Linux groups?

Cheers

Adrian


 
Andrew Hodgson
02-06-2006, 05:37 PM
On Fri, 03 Feb 2006 00:07:29 +0000, Adrian Hodgson wrote:

>Yes, I am concerned what would happen in the 20 minutes (see other post)
>if someone else then takes up my old IP. A records: I need to figure out
>what it stands for yet, apologies, but this is the idea, to learn.


For this reason I don't really think you can run with your dynamic IP
being the primary MX server, however, for a long while I used to use
Mailkeep's services <www.mailkeep.com>. In this system, you specified
Mailkeep as the primary and secondary servers, and you could use
secure ODMR to log into the server to release your mail by SMTP.
Mailkeep would then automatically forward your mail to the last used
IP address, and you could tell Mailkeep what your SMTP banner (or
greeting) should be, which it would look for in order to start mail
delivery. I can't remember whether you could specify a non-standard
port, but this would make it less likely that someone would be running
an SMTP server on the same non-standard port, with the same banner as
yours. Mailhop (www.dyndns.org) may do a similar service - I only
need their very simple backup MX, but they are very good.

Andrew.
--
Andrew Hodgson in Bromyard, Herefordshire, UK.
My Email: use <andrew at hodgsonfamily dot org>.
 