Still problems with mx-records

Discussion in 'Installation/Configuration' started by schmidtedv, Apr 16, 2007.

  1. schmidtedv

    schmidtedv New Member

    I have 3 IP's

    1.1.1.1
    2.2.2.2
    3.3.3.3

    and there are 3 reverse dns

    1-1-1-1.internetserviceteam.com
    2-2-2-2.internetserviceteam.com
    3-3-3-3.internetserviceteam.com

    my main IP is 1.1.1.1 (used for ISPConfig-Install)

    now I want to put 3 Domains into ISPConfig and each with its own IP

    www.1.com 1.1.1.1 with 1-1-1-1.internetserviceteam.com
    www.2.com 2.2.2.2 with 2-2-2-2.internetserviceteam.com
    www.3.com 3.3.3.3 with 3-3-3-3.internetserviceteam.com

    If I put www.2.com into ISPConfig with Standard DNS and MX it takes 1.1.1.1.internetserviceteam.com for MX. Ok, I fixed that later in the DNS-Manager to 2-2-2-2.internetserviceteam.com and put a Standard SPF for www without config-changes into my List.

    Should this be the right way or did I do something wrong (still having mx and spf errors on www.steuerlehrgaenge.com, so that www.2.com claims to be on 1-1-1-1.internetserviceteam.com)!?
     
  2. Hawker

    Hawker New Member

    This is a common problem when multiple domains are hosted on a single server. There is only one mail server per server and that uses the server's main IP address, so you need to properly set up your MX records for each domain.

    Every domain will use the same IP address as the mail server...

    mx 10 mail.domain.com.
    primaryipaddress PTR mail.domain.com.
    domain.com. A domainipaddress
    mail A primaryipaddress
    www A domainipaddress

    That will stop the mail server host name in greeting error.

    The SPF problem is different, but you would use
    domain.com. TXT "v=spf1 mx -all"
     
  3. schmidtedv

    schmidtedv New Member

    Um...sorry, but I'm not really sure if I do this right/understand this correctly....would you mind putting it into words using my stupid example in the above post :) ?

    Currently my bind config for steuerlehrgaenge.com looks like this:

    Code:
    $TTL 86400
    @       IN      SOA     84-16-251-18.internetserviceteam.com. admin.steuerlehrgaenge.com. (
                            2007041609      ; serial, todays date + todays serial #
                            28800           ; refresh, seconds
                            7200            ; retry, seconds
                            604800          ; expire, seconds
                            86400 )         ; minimum, seconds
    ;
                    NS      84-16-251-18.internetserviceteam.com. ; Inet Address of name server 1
                    NS      84-16-251-18.internetserviceteam.com. ; Inet Address of name server 2
    ;
                    MX      10 84-16-250-216.internetserviceteam.com.
    www             MX      10 84-16-250-216.internetserviceteam.com.
    forum           MX      10 84-16-250-216.internetserviceteam.com.
    steuerlehrgaenge.com.           A       84.16.250.216
    www             A       84.16.250.216
    forum           A       84.16.250.216
    steuerlehrgaenge.com.           TXT     "v=spf1 ?all"
    www.steuerlehrgaenge.com.       TXT     "v=spf1 ?all"
    forum.steuerlehrgaenge.com.     TXT     "v=spf1 ?all"
    ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

    Anything wrong with this? I'm still confused that 84-16-251-18.internetserviceteam is in this file, although it belongs to a different domain, but this might be ok, just because, as you said, there is only one mailserver here and this is its configured FQDN....
     
  4. Hawker

    Hawker New Member

    If your mail server is at 84.16.251.18 this should work for you...

    Code:
    $TTL 86400
    @       IN      SOA     84-16-251-18.internetserviceteam.com. admin.steuerlehrgaenge.com. (
                            2007041609      ; serial, todays date + todays serial #
                            28800           ; refresh, seconds
                            7200            ; retry, seconds
                            604800          ; expire, seconds
                            86400 )         ; minimum, seconds
    ;
                    NS      84-16-251-18.internetserviceteam.com. ; Inet Address of name server 1
                    NS      84-16-251-18.internetserviceteam.com. ; Inet Address of name server 2
    ;
                    MX      10 mail.steuerlehrgaenge.com.
    84.16.251.18    PTR     mail.steuerlehrgaenge.com.
    mail            A       84.16.251.18
    steuerlehrgaenge.com.   A       84.16.250.216
    www             A       84.16.250.216
    forum           A       84.16.250.216
    steuerlehrgaenge.com.   TXT     "v=spf1 mx -all"
    ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
     
    Last edited: Apr 17, 2007
  5. schmidtedv

    schmidtedv New Member

    ...last questions on this very nice help :) :

    the PTR-Line I would have to add manually? Or is there an option in ISPConfig-DNS-Manager where I can add this? If manually, better under ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;; or wouldn't it work there?

    If I put the mail-A-Record for steuerlehrgaenge.com on my main-ip, do I still need www- and forum-A-record?

    Actually would I have to make a co-domain mail.steuerlehrgaenge.com or is this new a-record mail just for getting the mailserver for steuerlehrgaenge.com act on the mx-record mail?

    Would mail.steuerlehrgaenge.com then be my pop3 and smtp-hosts for the Outlook?

    And last but not least :) the line v=spf1 mx -all looks a bit different if I do it over ISPConfig: v=spf1 mx ~all ...with an ~, is that correct or would I have to edit here by hand again?
     
    Last edited: Apr 18, 2007
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    PTR records are created automatically by ISPConfig, they are in a separate file. But for mail delivery, the PTR for the IP is most relevant and this PTR can only be set by your ISP and not on your own server.
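
Where the PTR that receiving mail servers look up actually lives, and the forward-confirmed reverse DNS check they run against it, as an added example (not code from this thread or from ISPConfig). The lookup tables are constructed from the addresses in the thread; the A record for the ISP-assigned host name is an assumption.

```python
import ipaddress

# Constructed records modelled on the thread; nothing here is looked up live.
# The A record for the ISP-assigned host name is an assumption of this example.
FORWARD = {  # name -> A records
    "mail.steuerlehrgaenge.com.": ["84.16.251.18"],
    "84-16-251-18.internetserviceteam.com.": ["84.16.251.18"],
}
REVERSE = {  # reverse name -> PTR target, served by whoever runs the reverse zone
    "18.251.16.84.in-addr.arpa.": "84-16-251-18.internetserviceteam.com.",
}

def expand_owner(owner, origin):
    """Expand a zone-file owner name: without a trailing dot it is relative to the origin."""
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def reverse_name(ip):
    """The name a resolver queries to find the PTR record of an address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def answers_reverse_lookup(owner, origin, ip):
    """True if a PTR line with this owner, in a zone with this origin, is what a
    reverse lookup of ip will find."""
    return expand_owner(owner, origin).lower() == reverse_name(ip)

def fcrdns(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: PTR(ip) gives a name, and A(name) must contain ip."""
    ptr = reverse.get(reverse_name(ip))
    if ptr is None:
        return (False, None)
    return (ip in forward.get(ptr, []), ptr)
```

A PTR line with owner `84.16.251.18` inside the steuerlehrgaenge.com zone expands to `84.16.251.18.steuerlehrgaenge.com.`, which is not the name a reverse lookup asks for; only a record at `18.251.16.84.in-addr.arpa.` is.
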
     
  7. schmidtedv

    schmidtedv New Member

    ...so, if everything else belonging to my last post is correct and well done, I would have to ask my ISP if the ptr for steuerlehrgaenge.com is on 84.16.251.18, right? And I would not add the PTR-Line into the bind-config? Would ISPConfig then use the main IP in this extra file 84.16.251.18 with mail.steuerlehrgaenge.com or could this happen to be 84.16.250.216 which belongs originally to steuerlehrgaenge.com? If the PTR-Line is added automatically would this include the mx mail.steuerlehrgaenge.com?

    Maybe my other questions can get an ok/wrong, so I can finish this mail-quest :) ? It's not easy just to work this out only with a hint for the PTR but without a solution :)
     
    Last edited: Apr 18, 2007
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That is the wrong order.

    You must ask your ISP to set the reverse record for the IP 84.16.251.18 to steuerlehrgaenge.com
     
  9. schmidtedv

    schmidtedv New Member

    ...or (found the PTR) would I have to put A-Record mail on 84.16.250.216 to get a PTR for mail.steuerlehrgaenge.com and then just ask the ISP to put PTR on 84.16.251.18?

    Sorry, but I'm not very familiar with the mail-config...
     
  10. schmidtedv

    schmidtedv New Member


    That can't be the way because this IP belongs to schmidtedv.de :)

    as my first post intended to give a clue I have 3 IP's with 3 reverse-DNS...

    Now, start from the beginning again.

    Let's say I have the main-IP 1.1.1.1 with the domain www.1.com.

    the second ip 2.2.2.2 will be steuerlehrgaenge.com. now I do my dns-setup like this:

    a-record mail on ip 2.2.2.2
    mx-record on mail.steuerlehrgaenge.com

    ....and then finally change the original reverse-dns, which is now at 2-2-2-2.internetserviceteam.com (that's used also in hosts) to steuerlehrgaenge.com?
     
  11. Hawker

    Hawker New Member

    I modified pri.domain.master like this (SERVER_MAIL_IPADDRESS is a number, not the words)...

    Code:
    <!-- BEGIN DYNAMIC BLOCK: mxrecords -->
    {MX_HOST}   mx   {MX_PRIORITAET} {MX_MAILSERVER}.
    SERVER_MAIL_IPADDRESS   PTR   {MX_MAILSERVER}.
    <!-- END DYNAMIC BLOCK: mxrecords -->
    Yes

    As shown, the mail A record is already there pointing to your mail server IP. You do not need to create a sub-domain for it. When specifying the mail record in ISPConfig just use the mail server IP instead of the site IP.

    Yes

    Edit ispconfig_bind.lib.php. Look for $spf .= '~all' and change the ~ to -.

    ~ is intended for testing purposes only. It results in a soft fail which is no protection at all since soft fails are accepted. Changing the ~ to - results in a true fail which rejects mail not sent from your server.
     
    Last edited: Apr 18, 2007
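
How the three SPF policies that appear in this thread (`?all`, `mx ~all`, `mx -all`) evaluate for a given sending address, as an added example that is not part of any post and not ISPConfig code. It implements only the `all`, `a`, `mx` and `ip4` mechanisms of RFC 7208 and reads constructed zone data copied from the records posted above instead of querying DNS.

```python
import ipaddress

# Constructed zone data, copied from the records posted in this thread.
A = {"steuerlehrgaenge.com": ["84.16.250.216"],
     "mail.steuerlehrgaenge.com": ["84.16.251.18"]}
MX = {"steuerlehrgaenge.com": ["mail.steuerlehrgaenge.com"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _addrs(host):
    """A records of a host from the constructed table, as address objects."""
    return {ipaddress.ip_address(a) for a in A.get(host.rstrip(".").lower(), [])}

def check_spf(record, domain, sender_ip):
    """Evaluate the all, a, mx and ip4 mechanisms of an SPF record (RFC 7208 subset)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        # A leading + - ~ ? is the qualifier; without one the default is "+".
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.partition(":")
        name, target = name.lower(), (arg or domain).rstrip(".").lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in _addrs(target)
        elif name == "mx":
            matched = any(ip in _addrs(h) for h in MX.get(target, []))
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"term outside this subset: {term}")
        if matched:  # first matching mechanism decides the result
            return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

def compare(sender_ip, domain="steuerlehrgaenge.com"):
    """Result of each policy seen in the thread for one sending address."""
    policies = ["v=spf1 ?all", "v=spf1 mx ~all", "v=spf1 mx -all"]
    return {p: check_spf(p, domain, sender_ip) for p in policies}
```

With `mx -all` only 84.16.251.18 passes; mail leaving from the site address 84.16.250.216 gets `fail` unless the record also lists it, for example with the `a` mechanism.
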
  12. Hawker

    Hawker New Member

    Mail PTR records for domains that your name server is authoritative for do not have to be processed by the ISP.

    The only thing I would do is be sure that your ISP does have reverse DNS entries for your web sites. IE: www.steuerlehrgaenge.com has a reverse DNS to 84.16.250.216 and www.schmidtedv.de has a reverse DNS to 84.16.251.18.

    NOTE THE FQDN for reverse DNS. This is VERY important for fully protected mail servers. While mail servers don't care what is there, they DO look for a FQDN (your 84-16-251-18.internetserviceteam.com IS an FQDN). And they will reject mail that doesn't have a FQDN. This is also true for shared IP hosting. Anything can be in the reverse DNS, but it should always be an FQDN.
     
    Last edited: Apr 18, 2007
  13. schmidtedv

    schmidtedv New Member

    Thanks a lot, I did like you said SERVER_MAIL_IPADDRESS changed to 84.16.251.18 and just edited my mx-records and saved them again and it comes out like you posted...

    however, if I have the subdomain forum.steuerlehrgaenge.com it's only using standard mail addresses like admin(AT)steuerlehrgaenge.com not something weird like admin(AT)forum.steuerlehrgaenge.com...so, just to make sure, would I really need an A-Record for a subdomain like forum? Why? :)
     
  14. Hawker

    Hawker New Member

    The subdomain is up to you. Many people run forums under subdomains but it isn't needed and could be deleted if you don't do that. And you redirect to your main site with forum.steuerlehrgaenge.com anyway, so you really don't need it.

    Think of subdomains as divisions of a company. They are all the same company, but want some way of distinguishing themselves from the parent.
     
    Last edited: Apr 18, 2007
  15. schmidtedv

    schmidtedv New Member

  16. Hawker

    Hawker New Member

    I'm not sure about this, but it looks like your name servers are located at netdirekt.de and the SOA serial number (2006042200) hasn't changed since I originally looked at the DNS report.

    If that's not you then your nameservers aren't authoritative for that domain and you need to change which nameservers are being used for that domain.
     
  17. schmidtedv

    schmidtedv New Member

    Sorry, but I didn't get it :-(

    netdirekt.de is my ISP and in their Original Rescue-Image they use these DNS-Servers in interfaces:

    dns-nameservers 217.20.116.1 217.20.115.1
    dns-search internetserviceteam.com

    ...and 84-16-251-18.internetserviceteam.com I have as NS1 and NS2 in ISPConfig...has this something to do with what you wanna explain me ? :)

    However, has it to do with Reverse-DNS (I can change this by myself if there is a need to) from my ISP that's pointing 84.16.250.216 (steuerlehrgaenge.com) to 84-16-250-216.internetserviceteam.com, that when I wanna try to do the SNDS-Steps for Hotmail that they provide me the abuse address they would send mail to looks like [email protected] and not [email protected]?

    Very hard stuff for me....sorry to bother you again :)
     
  18. Hawker

    Hawker New Member

    Wherever the steuerlehrgaenge.com is registered it is saying to use

    ns1.deciso.net
    ns2.deciso.net

    as the name servers for it.

    That needs to be changed with the registrar to your name servers. Otherwise all of the changes you make are useless since ns1 & ns2 deciso.net are authoritative for that domain and yours aren't.
     
  19. schmidtedv

    schmidtedv New Member

    Ok, I already spoke with my ISP and he can change it, so that my Server gets Nameserver for the domains...would that do the trick?

    On the other hand, might it have been an error that I used the automatically given NS1 and NS2 for ISPConfig AND NS1/NS2 for steuerlehrgaenge.com which was 84-16-21-18.internetservgiceteam.com?

    Maybe that's the error? Because this FQDN is just my hostname / main IP...in interfaces NS1 and NS2 are (resolved) ns10.dnspro.de and ns9.dnspro.de...should I try to put these NS as NS1 and NS2 for ISPConfig and steuerlehrgaenge.com and watch for changes with that?
     
  20. Hawker

    Hawker New Member

    Don't over analyze. It's really quite simple...

    The first thing that must be done is the name servers you created in ISPConfig must be authoritative for the domains you host. This is done by changing them with the registrar for those domains.

    Until that is completed, your name servers are useless because nobody knows to look at them.
     
