[CentOS] Split dns issues
Les Mikesell
lesmikesell at gmail.com
Sun Aug 2 22:19:51 UTC 2009
Jason Pyeron wrote:
>> You could just firewall port 25 on the spam-checking MX
>
> They are outsourced to google, we cannot control that.
You must have a firewall that you control on your side where these connections
have to pass.
>> relays from the trusted networks and add a high-numbered MX
>> record for the target you want them to hit instead. As long
>
> Adding mail.pdinc.us to the list would beg spammers to skip our spam gateway
> service.
That's fine, as they would be unable to connect if you leave it a private address.
> And I think adding the non-routable IPs assigned to the intranet mail.pdinc.us
> server to public MX records might be a bit of bad form and add a point of
> failure when the IP address changes.
It's a bit of bad form to use NAT and private addresses at all because the
internet really wasn't designed to be segmented, but everyone does it. Or you
could use a public address in a DMZ where it is firewalled from everything but
internal connections and perhaps things relayed by the external spam service.
The point of being able to provide multiple MX records is that things keep
working even if some of them aren't reachable.
--
Les Mikesell
lesmikesell at gmail.com
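Added example, not from the thread or its authors: a small Python model of the two options discussed above, so the MX-reachability argument can be checked rather than argued. It takes a public MX set and a per-host port-25 ACL and returns, for a given sender address, the MX targets that sender can actually reach in preference order. Only the hostname mail.pdinc.us comes from the thread; every other hostname, address, preference value and ACL entry is constructed. Option A publishes the internal relay with an RFC 1918 address (unreachable from the Internet, reachable from the intranet); option B puts it on a DMZ address and relies on the firewall ACL. Note that Python's `ipaddress.is_private` also flags the documentation ranges used here as private, so the check tests RFC 1918 membership explicitly.

```python
"""Which MX targets can a given SMTP sender actually reach?

Example code added to illustrate the thread; not the thread author's code.
All names (except mail.pdinc.us), addresses and ACL entries are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 ranges: not routable across the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed public MX set: the outsourced spam-filtering MXs carry the
# lowest (most preferred) values, the internal relay the highest.
MX_RECORDS: List[Tuple[int, str]] = [
    (10, "mx1.spamfilter.example.net."),
    (20, "mx2.spamfilter.example.net."),
    (50, "mail.pdinc.us."),
]

# Option A (as proposed in the thread): the internal relay is published
# with a private address.  Constructed A records.
A_PRIVATE: Dict[str, str] = {
    "mx1.spamfilter.example.net.": "198.51.100.10",
    "mx2.spamfilter.example.net.": "198.51.100.11",
    "mail.pdinc.us.": "10.0.0.25",
}

# Option B: the internal relay sits on a public DMZ address and is
# protected by a port-25 ACL instead.  Constructed A records.
A_DMZ: Dict[str, str] = dict(A_PRIVATE, **{"mail.pdinc.us.": "203.0.113.25"})

# Constructed port-25 ACL keyed by MX host.  Hosts absent from this map
# accept connections from anywhere.  The internal relay only accepts the
# intranet and the spam-filtering service's outbound relays.
PORT25_ACL: Dict[str, List[ipaddress.IPv4Network]] = {
    "mail.pdinc.us.": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("198.51.100.0/24"),
    ],
}


def reachable_mx(sender_ip: str, a_records: Dict[str, str]) -> List[str]:
    """Return the MX hosts a sender at sender_ip can connect to on port 25,
    lowest preference value first, given the published A records."""
    src = ipaddress.ip_address(sender_ip)
    reachable: List[str] = []
    for _pref, host in sorted(MX_RECORDS):
        target = a_records[host]
        # A private target is only routable from a private source; the
        # model assumes a private source is on the same intranet.
        if is_rfc1918(target) and not is_rfc1918(sender_ip):
            continue
        # The firewall in front of the host decides who may reach port 25.
        acl = PORT25_ACL.get(host)
        if acl is not None and not any(src in net for net in acl):
            continue
        reachable.append(host)
    return reachable


if __name__ == "__main__":
    # Constructed sender addresses: an Internet host, a filtering-service
    # relay, and an intranet host.
    for label, sender in (("internet", "203.0.113.5"),
                          ("filter relay", "198.51.100.10"),
                          ("intranet", "10.1.2.3")):
        print(f"{label:13} option A: {reachable_mx(sender, A_PRIVATE)}")
        print(f"{label:13} option B: {reachable_mx(sender, A_DMZ)}")
```

With option A, neither an Internet sender nor the filtering service's relay can reach mail.pdinc.us, so mail still flows only through the filtering MXs. With option B, the Internet sender is still stopped by the ACL, while the filtering relay and the intranet can deliver to the internal host directly.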