On Fri, February 13, 2015 11:04 am, Les Mikesell wrote: > On Fri, Feb 13, 2015 at 9:57 AM, Ken Smith <kens at kensnet.org> wrote: >> Hi All, >> >> I'm just wanting to check that my understanding of the settings is >> correct >> as my web searches are finding a lot of dated information. >> >> If I want a Centos 6 sendmail system act as the secondary MX for domain >> bbbbb.co.uk do I just add a >> >> Connect:bbbbb.co.uk RELAY >> >> statement into /etc/mail/access and restart sendmail >> >> Obviously I have the DNS MX records for the domain are already >> established. >> >> I've been getting "/config error/: /mail loops back to me/ " errors. >> >> I think I may be stumbling into a variant of cname problem where the >> hostname as far as the sendmail machine is concerned is aaaaa.com but >> the >> DNS setting for the secondary MX is smtp1.bbbbb.co.uk. >> >> They both resolve to the same IP but when sendmail looks up the MX >> records >> for bbbbb.co.uk it will find smtp.bbbbb.co.uk and smtp1.bbbbb.co.uk >> listed >> and it may relay the mail off to smtp1.bbbbb.co.uk without recognising >> that >> aaaaa.com = smtp1.bbbbb.co.uk. Am I on the right track here, as I then >> just >> need to change the secondary MX setting in DNS to aaaaa.com? > > I'd recommend not having a secondary MX at all unless it is equipped > to reject invalid users and spam in all the same ways as your primary. Agree, but... > Otherwise it accept junk that your primary rejects Not exactly. If greylisting on primary is set, but on backup MX is not, still what is killed by greylisting by primary MX, almost never will come through backup MX. This is due to the same reason why greylisting is efficient: it trows off all that doesn't behave as mail server (thus never comes for re-delivery, and definitely doesn't try backup MX which real servers always do even before attempt of re-delivery). Still, it is good to have the same greylisting on backup MX. And all other blows and whistles. > and then you are > obligated to send a bounce message which is always a bad thing - you > want the authoritative receiver to reject at the smtp level instead of > accepting at all. I agree, it is wrongful behavior to accept something which later you discover you can not deliver. I would call it bad MX setup, as you are making yourself potential source of backscatter (which though is not as much exploited yet as open relays, but still is bad setup). If you set backup MX based on postfix, there is relay_recipients you have to specify, which lists all e-mail addresses that are legitimate on primary MX. Nothing else is being accepted by default, thus secondary MX does not become a source of backscatter. <rant> I've seen at least at some point that google mail accepts everything. Then, (after they parsed and filed information in that message I would speculate) they send non-delivery notification. That was a real incident after which I have a policy on my servers: I do not forward e-mail of users who left department to their google mail. As I don't want _my_ server to become a source of backscatter as a result of the crap they do. </rant> Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++