Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
-aurf
On 02/25/2013 08:06 AM, aurfalien wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
The short answer is you can't do that and expect it to work because you can't mix CNAME and other types of records for a hostname. It is simply an invalid configuration at a DNS level.
Read http://en.wikipedia.org/wiki/CNAME_record#Restrictions
On 02/25/2013 11:21 AM, Jerry Franz wrote:
On 02/25/2013 08:06 AM, aurfalien wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
The short answer is you can't do that and expect it to work because you can't mix CNAME and other types of records for a hostname. It is simply an invalid configuration at a DNS level.
Which is why most setups use an A RR for foo.com
On Feb 25, 2013, at 8:21 AM, Jerry Franz wrote:
On 02/25/2013 08:06 AM, aurfalien wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
The short answer is you can't do that and expect it to work because you can't mix CNAME and other types of records for a hostname. It is simply an invalid configuration at a DNS level.
Read http://en.wikipedia.org/wiki/CNAME_record#Restrictions
-- Benjamin Franz
Yes, I agree. I posted this as someone wants me to allow this due to old online articles referencing simply http://domain.com
I told them that I cannot allow CNAME and MX mix of any kind but they insist. At any rate it's up to me in the end but I wanted to reach out to the community.
- aurf
On Feb 25, 2013, at 8:21 AM, Jerry Franz wrote:
On 02/25/2013 08:06 AM, aurfalien wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
The short answer is you can't do that and expect it to work because you can't mix CNAME and other types of records for a hostname. It is simply an invalid configuration at a DNS level.
Read http://en.wikipedia.org/wiki/CNAME_record#Restrictions
-- Benjamin Franz
Forgot, I did allow this for a few weeks and mail broke as well as the wild card SSL ceasing to work as it has;
*.domain.com domain.com
At any rate, I will insist that mixing MX/CNAME will not be possible but wanted to see if I missed something.
Hence this seemingly basic posting to the list.
- aurf
On Mon, Feb 25, 2013 at 10:59 AM, aurfalien aurfalien@gmail.com wrote:
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
The short answer is you can't do that and expect it to work because you can't mix CNAME and other types of records for a hostname. It is simply an invalid configuration at a DNS level.
Read http://en.wikipedia.org/wiki/CNAME_record#Restrictions
-- Benjamin Franz
Forgot, I did allow this for a few weeks and mail broke as well as the wild card SSL ceasing to work as it has;
*.domain.com domain.com
At any rate, I will insist that mixing MX/CNAME will not be possible but wanted to see if I missed something.
Hence this seemingly basic posting to the list.
I think the only clean approach is to give domain.com an A record pointing to something that can run a web server that does a client redirect to www.domain.com. And even then https will show an invalid cert before the redirect unless you have one specifically for domain.com.
On 02/25/2013 06:24 PM, Les Mikesell wrote: [snip]
I think the only clean approach is to give domain.com an A record pointing to something that can run a web server that does a client redirect to www.domain.com. And even then https will show an invalid cert before the redirect unless you have one specifically for domain.com.
Afaik that can be solved by adding a subjectAltName to the cert so it's valid for domain.com and www.domain.com and its FQDN. Or maybe get a wildcard cert.
Regards, Patrick
On Feb 25, 2013, at 10:01 AM, Patrick Lists wrote:
On 02/25/2013 06:24 PM, Les Mikesell wrote: [snip]
I think the only clean approach is to give domain.com an A record pointing to something that can run a web server that does a client redirect to www.domain.com. And even then https will show an invalid cert before the redirect unless you have one specifically for domain.com.
Afaik that can be solved by adding a subjectAltName to the cert so it's valid for domain.com and www.domain.com and its FQDN. Or maybe get a wildcard cert.
Regards, Patrick
Sorry I should have clarified.
The SSL is a wild card cert with a SNA of *.domain.com and domain.com
- aurf
On 25/02/2013 12.28, Simon Matter wrote:
Hello to the list, I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the error:
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
After the boot I can start shorewall by hand.
Could it be a problem with SELinux?
Simon
What can I do? Thanks to everybody
Amedeo
Here from the shorewall newsletter...............
Simon, you're a magician!!!!! The update changed the SELinux labels of iptables; after resetting them it's all OK.... I think that when people update from CentOS 6.3 to CentOS 6.4 the world will stop. Here are the commands:
restorecon -Rv /sbin
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
Thanks sooo much Amedeo
On 26/02/2013 19.24, News wrote:
On 25/02/2013 12.28, Simon Matter wrote:
Hello to the list, I updated a RedHat server from 6.3 to 6.4 and installed the latest shorewall rpm 4.5.13.0-1.el6; after this shorewall does not start at boot and shows the error:
ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
After the boot I can start shorewall by hand.
Could it be a problem with SELinux?
Simon
What can I do? Thanks to everybody
Amedeo
Here from the shorewall newsletter...............
Simon, you're a magician!!!!! The update changed the SELinux labels of iptables; after resetting them it's all OK.... I think that when people update from CentOS 6.3 to CentOS 6.4 the world will stop. Here are the commands:
restorecon -Rv /sbin
restorecon reset /sbin/iptables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
restorecon reset /sbin/ip6tables-multi-1.4.7 context system_u:object_r:bin_t:s0->system_u:object_r:iptables_exec_t:s0
Thanks sooo much Amedeo
Hello to the list,
I start from here because there are some news, this is the story:
I upgraded one server from CentOS 6.3 to 6.5 and the problem described above came back again, so I used restorecon -Rv /sbin but there was no output. This was strange. I rebooted the server and shorewall would not start again; I tried some hacks but nothing. So I tried to change SELinux to permissive mode and shorewall STARTED!! I looked at the files:
ls -Z /sbin/ip*
and the surprise
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
the selinux label was wrong so I look in the /etc/selinux/targeted/contexts/files/file_contexts file for the label
cat /etc/selinux/targeted/contexts/files/file_contexts | grep ip
and I don't find anything, this was very very strange so I opened the file manually and SURPRISE!! what I find:
/sbin/ebtables -- system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore -- system_u:object_r:iptables_exec_t:s0
look!! ebtables and not iptables... If I use restorecon -Rv /sbin it does not work because the label was wrong... I found the same problem on a server running RedHat 6.5 but it had not come out because I had upgraded from 6.4 to 6.5
[FIX] I relabeled the two files manually with these commands:
chcon -t iptables_exec_t /sbin/iptables-multi-1.4.7
chcon -t iptables_exec_t /sbin/ip6tables-multi-1.4.7
but I hope that /etc/selinux/targeted/contexts/files/file_contexts will be updated soon.
I hope that this can help someone
Thanks
Amedeo
On 27-08-14 19:43, News wrote: [snip]
Hello to the list,
I start from here because there are some news, this is the story:
I upgrade one server from Centos 6.3 to 6.5 and come back out again the problem described above, so I use restorecon -Rv /sbin
After such an update I would do: $ sudo touch /.autorelabel and reboot
or for your particular use case do: $ sudo /sbin/restorecon -v -R -F /sbin
Note the '-F' option. The restorecon man page has more info about that.
These two methods have always worked for me.
HTH, Patrick
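The diagnosis in the two messages above, as an added example that is not code from the thread: it compares the labels shown by `ls -Z` with what a `file_contexts` file would assign, to tell "restorecon will fix this" apart from "the policy has no rule for this path". The `file_contexts` samples are constructed (the generic `/sbin(/.*)?` line and the `ip6?tables-multi` rule are assumptions), and the rule ordering only approximates libselinux.

```python
import re

META = set(".^$?*+|[({")  # a pattern containing any of these is treated as a regex

def se_type(context):
    """Type field of user:role:type:level."""
    return context.split(":")[2]

def load_specs(file_contexts_text):
    specs = []
    for line in file_contexts_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].count(":") >= 2 and not parts[0].startswith("#"):
            specs.append((parts[0], parts[-1]))
    return specs

def policy_type(path, specs):
    """Approximation: literal entries beat regex entries, later lines beat earlier."""
    hits = [(not (META & set(pat)), i, ctx)
            for i, (pat, ctx) in enumerate(specs) if re.fullmatch(pat, path)]
    return se_type(max(hits)[2]) if hits else None

def audit(ls_z_text, file_contexts_text, wanted_type):
    """Map path -> (status, actual type, type the policy would assign)."""
    specs, report = load_specs(file_contexts_text), {}
    for line in ls_z_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        actual, path = se_type(fields[-2]), fields[-1]
        policy = policy_type(path, specs)
        if actual == wanted_type:
            status = "ok"
        elif policy == wanted_type:
            status = "restorecon-fixes"   # label drifted, policy is right
        else:
            status = "policy-gap"         # restorecon cannot produce wanted_type
        report[path] = (status, actual, policy)
    return report

# ls -Z lines as quoted in the thread
LS_Z = """\
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/ip6tables-multi-1.4.7
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /sbin/iptables-multi-1.4.7
"""
# Constructed file_contexts: ebtables rules as quoted, plus an assumed generic rule
POLICY_AS_FOUND = """\
/sbin(/.*)? system_u:object_r:bin_t:s0
/sbin/ebtables -- system_u:object_r:iptables_exec_t:s0
/sbin/ebtables-restore -- system_u:object_r:iptables_exec_t:s0
"""
# Constructed: the same file with a hypothetical rule covering the iptables binaries
POLICY_WITH_RULE = POLICY_AS_FOUND + "/sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0\n"
```

A `policy-gap` result matches the silent `restorecon -Rv /sbin` run: the file contexts contain no rule that maps those paths to `iptables_exec_t`. A label set with `chcon` in that state can be reverted by a later full relabel unless a matching rule is added, for example with `semanage fcontext`.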
On Mon, Feb 25, 2013 at 6:06 PM, aurfalien aurfalien@gmail.com wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
Hello,
You can't mix CNAMEs with other record types.
The whole domain name can't be defined as a CNAME even if you don't add any A/MX records to it because it *must* have NS records.
With BIND you can't even load a zone file defined like you suggested. named-checkzone complains:
dns_master_load: domain.com.zone:14: domain.com: CNAME and other data
zone domain.com/IN: loading from master file domain.com.zone failed: CNAME and other data
zone domain.com/IN: not loaded due to errors.
Interesting read: http://tools.ietf.org/rfc/rfc1912.txt pages 5/6 for CNAMEs.
Usually you should use something like:
domain.com IN NS dns.server.com.
domain.com IN NS other.dns.com.
domain.com IN A x.x.x.x
www.domain.com IN CNAME domain.com.
domain.com IN MX 5 etc
AFAIK, SSL certs for www.domain are also valid for domain by default so that shouldn't be a problem.
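The "CNAME and other data" rule from the message above, as an added example that is not code from the thread or from BIND: a small linter that reports every owner name holding a CNAME together with other record types. It assumes a simplified zone syntax (one record per line, numeric TTLs, no parentheses); the zone text and the 192.0.2.x addresses are constructed.

```python
from collections import defaultdict

# DNSSEC records are the only types allowed to share a name with a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def owner_types(zone_text, origin):
    """Map each fully qualified owner name to the set of record types it holds."""
    origin = origin.rstrip(".").lower() + "."
    types, owner = defaultdict(set), origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]               # drop comments
        if not line.strip() or line.startswith("$"):
            continue                              # blank line or $TTL/$ORIGIN directive
        fields = line.split()
        if not line[0].isspace():                 # leading blank inherits previous owner
            name = fields.pop(0).lower()
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                         # skip TTL and class
        if fields:
            types[owner].add(fields[0].upper())
    return types

def cname_conflicts(zone_text, origin):
    """Return {owner: other types} for every name that mixes CNAME with other data."""
    out = {}
    for owner, types in owner_types(zone_text, origin).items():
        extra = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and extra:
            out[owner] = sorted(extra)
    return out

# Constructed zone modelled on the records in the thread.
ZONE = """\
$TTL 3600
@     IN SOA ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 3600
@     IN NS  ns1.example.net.
@     IN MX  50 mail
@     IN MX  100 mail2
{apex}
www   IN A   192.0.2.10
mail  IN A   192.0.2.25
mail2 IN A   192.0.2.26
"""
BROKEN_ZONE = ZONE.format(apex="@     IN CNAME www")       # apex CNAME beside SOA/NS/MX
FIXED_ZONE = ZONE.format(apex="@     IN A   192.0.2.10")   # apex A record instead

if __name__ == "__main__":
    print(cname_conflicts(BROKEN_ZONE, "domain.com"))
    print(cname_conflicts(FIXED_ZONE, "domain.com"))
```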
On Feb 25, 2013, at 1:45 PM, Radu Anghel wrote:
On Mon, Feb 25, 2013 at 6:06 PM, aurfalien aurfalien@gmail.com wrote:
Hi,
Has anyone had problems with mail clients where your DNS is like this:
domain.com MX 50 mail.domain.com
domain.com MX 100 mail2.domain.com
domain.com CNAME www.domain.com
Hello,
You can't mix CNAMEs with other record types.
The whole domain name can't be defined as a CNAME even if you don't add any A/MX records to it because it *must* have NS records.
With BIND you can't even load a zone file defined like you suggested. named-checkzone complains:
dns_master_load: domain.com.zone:14: domain.com: CNAME and other data
zone domain.com/IN: loading from master file domain.com.zone failed: CNAME and other data
zone domain.com/IN: not loaded due to errors.
Interesting read: http://tools.ietf.org/rfc/rfc1912.txt pages 5/6 for CNAMEs.
Usually you should use something like:
domain.com IN NS dns.server.com.
domain.com IN NS other.dns.com.
domain.com IN A x.x.x.x
www.domain.com IN CNAME domain.com.
domain.com IN MX 5 etc
AFAIK, SSL certs for www.domain are also valid for domain by default so that shouldn't be a problem.
Cool info.
I ended up mixing A, MX and NS records but not CNAMEs.
All seems to work although I am waiting for breakage, giving it another day or 2 b4 updating our external DNS. Internal is quick to update so it's easy to manage.
- aurf