[gentoo-user] Re: Dynamic IP address services. - gentoo-user

From:	Kai Krakow <hurikhan77@×××××.com>
To:	gentoo-user@l.g.o
Subject:	[gentoo-user] Re: Dynamic IP address services.
Date:	Sat, 12 Nov 2016 09:08:33
Message-Id:	`20161112100754.172df252@jupiter.sol.kaishome.de`
In Reply to:	Re: [gentoo-user] Re: Dynamic IP address services. by Alan McKinnon

1

Am Tue, 8 Nov 2016 13:12:03 +0200

2

schrieb Alan McKinnon <alan.mckinnon@×××××.com>:

3

4

> On 08/11/2016 13:07, J. Roeleveld wrote:

5

> > On November 8, 2016 9:43:30 AM GMT+01:00, Willie M

6

> > <matthews.willie80@×××××.com> wrote:

7

> >> On 11/07/2016 06:31 PM, Harry Putnam wrote:

8

>  [...]

9

>  [...]

10

>  [...]

11

>  [...]

12

> >> on

13

>  [...]

14

> >> :-)

15

>  [...]

16

> >> expected

17

>  [...]

18

> >> that

19

>  [...]

20

> >>

21

> >> Hey Harry,

22

> >>

23

> >> If I a not mistaken if you change your nameservers to FreeDNS you

24

> >> will be able to have that dynamic IP Address that way. So your

25

> >> reverse lookup

26

> >> should work just fine.

27

> >>

28

> >> Only problem is that if your IP address changes, you would have a

29

> >> short amount of time that your server would not respond (because

30

> >> of the IP change). The default TTL on FreeDNS is 3600 seconds (1

31

> >> hour).

32

> >>

33

> >> Reading on the front page it says that you can edit the TTL if you

34

> >> add your own domain. I don't know for sure how it all works

35

> >> because I have never added on. It doesn't hurt to try and it seems

36

> >> like it would be a lot better than what you are using now.

37

> >>

38

> >> Hope this helps.

39

> >

40

> > Willie,

41

> >

42

> > This will not work.

43

> > A reverse lookup (which FQDN for the IP) needs to work for all SMTP

44

> > servers he is likely to send mail to. This would also include

45

> > Google and Microsoft.

46

> >

47

> > He needs to get his ISP to change the reverse DNS.

48

>

49

>

50

> ISP mail admin chiming in here.

51

>

52

> If a host on a dynamic range tries to hit my MX machines and deliver

53

> mail, that host WILL be denied. Most ISP's work similarly as we are

54

> sick and tired and fed up to the yinyang of 99.99% of mail from such

55

> hosts being pure spam.

56

>

57

> Harry, you have 2 options:

58

>

59

> 1. Do it yourself and do it properly - get a static IP from your ISP

60

> 2. Don't do it yourself  and do it properly - use your ISP's mail

61

> relays, or use a relay provider

62

>

63

> Why are you even trying to do this yourself? I do this for a living

64

> and I can tell you it's a pain in the butt you don't want (*I* don't

65

> even want it, I shove mail services off onto other teams as fast as I

66

> can get them to take it...)

67

68

I can only second this...

69

70

As a full service provider and admin myself (using Gentoo machines

71

btw) we are also running our own mail central mail server with correct

72

RDNS etc. And it's a pain to filter out all those spammers correctly.

73

74

But we are also servicing our customers with their own on-premise mail

75

servers (mostly exchange). For the most part, we are also admin of

76

those servers.

77

78

The only sane configuration is to setup authenticated relaying. This

79

is, we forward proxy mails (by address rewriting) to the static IP of

80

the customer (with firewall in place), or in case of dynamic IP use a

81

POP3 grabber (everything is forwarded to the same POP3 box, not

82

catchall) and adding an original receiver header. P2S works great for

83

it on windows machines, use fetchmail for linux.

84

85

The setup scenarios are as follows:

86

87

example.com = MX on our site

88

relay.example.com = MX on customer site

89

90

Static DNS:

91

92

  * Setup a special SMTP sending account on our site

93

  * Forward @example.com to @relay.example.com

94

  * Outgoing mails sent to our site, TLS, port 587, using smart relaying

95

    with authentication (use the sending account)

96

97

98

Dynamic DNS (which would be your case):

99

100

  * Setup one POP3 box for sending and receiving

101

  * Forward each email address to this POP3 box adding an original

102

    receiver header

103

  * Setup POP3 grabber on customer site and let it decide to which

104

    email account this belongs inspecting the added header

105

106

107

With the second solution, you are free to fall back to multiple POP3

108

boxes to fetch - but this involves some advanced strategies how to send

109

mails. With linux it's easy to do sender-based routing and using

110

different SMTP accounts for sending. Especially if it's all the same

111

sender domain, you can fall back to use the same SMTP account for

112

sending. If it's different mail providers, you should use different

113

SMTP accounts per sender depending on which provider the sender belongs

114

to.

115

116

Apparently, Exchange doesn't support sender-based routing, only

117

destination-based routing (I still wonder the purpose for this).

118

119

120

Background here is:

121

122

For spam fighting purpose, we only allow a customer to use senders

123

within their own customer account - even when authenticated. We don't

124

allow senders belonging to a different customer. And we don't allow

125

unauthenticated delivering with any sender on our system. This

126

successfully fights a lot of spam and account hijacking.

127

128

129

So in your case: Use POP3 grabbing, use authenticated sending, use

130

sender-based routing, and all should be fine. Don't try to be a public

131

MX. If it's only two or three accounts, it's fine. Otherwise it's not

132

worth the hassle. Better find a sane client solution that provides you

133

good mail storage usable from different MUAs. You usually don't want to

134

setup a local IMAP server for the long term, especially not on your

135

local machine.

136

137

--

138

Regards,

139

Kai

140

141

Replies to list-only preferred.

1	Am Tue, 8 Nov 2016 13:12:03 +0200
2	schrieb Alan McKinnon <alan.mckinnon@×××××.com>:
3
4	> On 08/11/2016 13:07, J. Roeleveld wrote:
5	> > On November 8, 2016 9:43:30 AM GMT+01:00, Willie M
6	> > <matthews.willie80@×××××.com> wrote:
7	> >> On 11/07/2016 06:31 PM, Harry Putnam wrote:
8	> [...]
9	> [...]
10	> [...]
11	> [...]
12	> >> on
13	> [...]
14	> >> :-)
15	> [...]
16	> >> expected
17	> [...]
18	> >> that
19	> [...]
20	> >>
21	> >> Hey Harry,
22	> >>
23	> >> If I a not mistaken if you change your nameservers to FreeDNS you
24	> >> will be able to have that dynamic IP Address that way. So your
25	> >> reverse lookup
26	> >> should work just fine.
27	> >>
28	> >> Only problem is that if your IP address changes, you would have a
29	> >> short amount of time that your server would not respond (because
30	> >> of the IP change). The default TTL on FreeDNS is 3600 seconds (1
31	> >> hour).
32	> >>
33	> >> Reading on the front page it says that you can edit the TTL if you
34	> >> add your own domain. I don't know for sure how it all works
35	> >> because I have never added on. It doesn't hurt to try and it seems
36	> >> like it would be a lot better than what you are using now.
37	> >>
38	> >> Hope this helps.
39	> >
40	> > Willie,
41	> >
42	> > This will not work.
43	> > A reverse lookup (which FQDN for the IP) needs to work for all SMTP
44	> > servers he is likely to send mail to. This would also include
45	> > Google and Microsoft.
46	> >
47	> > He needs to get his ISP to change the reverse DNS.
48	>
49	>
50	> ISP mail admin chiming in here.
51	>
52	> If a host on a dynamic range tries to hit my MX machines and deliver
53	> mail, that host WILL be denied. Most ISP's work similarly as we are
54	> sick and tired and fed up to the yinyang of 99.99% of mail from such
55	> hosts being pure spam.
56	>
57	> Harry, you have 2 options:
58	>
59	> 1. Do it yourself and do it properly - get a static IP from your ISP
60	> 2. Don't do it yourself and do it properly - use your ISP's mail
61	> relays, or use a relay provider
62	>
63	> Why are you even trying to do this yourself? I do this for a living
64	> and I can tell you it's a pain in the butt you don't want (I don't
65	> even want it, I shove mail services off onto other teams as fast as I
66	> can get them to take it...)
67
68	I can only second this...
69
70	As a full service provider and admin myself (using Gentoo machines
71	btw) we are also running our own mail central mail server with correct
72	RDNS etc. And it's a pain to filter out all those spammers correctly.
73
74	But we are also servicing our customers with their own on-premise mail
75	servers (mostly exchange). For the most part, we are also admin of
76	those servers.
77
78	The only sane configuration is to setup authenticated relaying. This
79	is, we forward proxy mails (by address rewriting) to the static IP of
80	the customer (with firewall in place), or in case of dynamic IP use a
81	POP3 grabber (everything is forwarded to the same POP3 box, not
82	catchall) and adding an original receiver header. P2S works great for
83	it on windows machines, use fetchmail for linux.
84
85	The setup scenarios are as follows:
86
87	example.com = MX on our site
88	relay.example.com = MX on customer site
89
90	Static DNS:
91
92	* Setup a special SMTP sending account on our site
93	* Forward @example.com to @relay.example.com
94	* Outgoing mails sent to our site, TLS, port 587, using smart relaying
95	with authentication (use the sending account)
96
97
98	Dynamic DNS (which would be your case):
99
100	* Setup one POP3 box for sending and receiving
101	* Forward each email address to this POP3 box adding an original
102	receiver header
103	* Setup POP3 grabber on customer site and let it decide to which
104	email account this belongs inspecting the added header
105
106
107	With the second solution, you are free to fall back to multiple POP3
108	boxes to fetch - but this involves some advanced strategies how to send
109	mails. With linux it's easy to do sender-based routing and using
110	different SMTP accounts for sending. Especially if it's all the same
111	sender domain, you can fall back to use the same SMTP account for
112	sending. If it's different mail providers, you should use different
113	SMTP accounts per sender depending on which provider the sender belongs
114	to.
115
116	Apparently, Exchange doesn't support sender-based routing, only
117	destination-based routing (I still wonder the purpose for this).
118
119
120	Background here is:
121
122	For spam fighting purpose, we only allow a customer to use senders
123	within their own customer account - even when authenticated. We don't
124	allow senders belonging to a different customer. And we don't allow
125	unauthenticated delivering with any sender on our system. This
126	successfully fights a lot of spam and account hijacking.
127
128
129	So in your case: Use POP3 grabbing, use authenticated sending, use
130	sender-based routing, and all should be fine. Don't try to be a public
131	MX. If it's only two or three accounts, it's fine. Otherwise it's not
132	worth the hassle. Better find a sane client solution that provides you
133	good mail storage usable from different MUAs. You usually don't want to
134	setup a local IMAP server for the long term, especially not on your
135	local machine.
136
137	--
138	Regards,
139	Kai
140
141	Replies to list-only preferred.

Gentoo Archives: gentoo-user