# mail.domain.ltd

## elmar283

For my server I use bind. I have a mail server with postfix and courier-imap. Everything works fine. I can receive mail from inside and outside my network.

The only thing that isn't working from outside is connecting to imap with the address mail.eotter1979.xs4all.nl. eotter1979.xs4all.nl works fine.

I found out that this must be a DNS thing, because I can't ping mail.eotter1979.xs4all.nl from outside my network:

```
Last login: Sun Jun  5 14:27:50 2011 from eotter1979.xs4all.nl
elmaro@xs8:~$ ping mail.eotter1979.xs4all.nl
ping: unknown host mail.eotter1979.xs4all.nl
elmaro@xs8:~$ ping eotter1979.xs4all.nl
PING eotter1979.xs4all.nl (80.101.167.116) 56(84) bytes of data.
64 bytes from eotter1979.xs4all.nl (80.101.167.116): icmp_seq=1 ttl=62 time=35.5 ms
64 bytes from eotter1979.xs4all.nl (80.101.167.116): icmp_seq=2 ttl=62 time=35.9 ms
^C
--- eotter1979.xs4all.nl ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 35.535/35.719/35.903/0.184 ms
elmaro@xs8:~$ telnet eotter1979.xs4all.nl 25
Trying 80.101.167.116...
Connected to eotter1979.xs4all.nl.
Escape character is '^]'.
220 mail.eotter1979.xs4all.nl ESMTP Postfix
^]
telnet> quit
Connection closed.
elmaro@xs8:~$ 
```

Is it possible to make other DNS-servers know my mx-record so they know where to go?

Here are my configurations of bind:

```
elmarotter@masterserver ~ $ sudo cat /etc/bind/named.conf
Password: 
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */
options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";
   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   bindkeys-file "/etc/bind/bind.keys";
   listen-on-v6 { none; };
   listen-on port 53 { 127.0.0.1; 192.168.0.1; 192.168.178.28; };
   allow-query {
      127.0.0.1;
      192.168.0.0/24;
      192.168.178.0/24;
   };
   forward first;
   forwarders {
      //      123.123.123.123;        // Your ISP NS
      //      124.124.124.124;        // Your ISP NS
      //      4.2.2.1;                // Level3 Public DNS
      //      4.2.2.2;                // Level3 Public DNS
              8.8.8.8;                // Google Open DNS
              8.8.4.4;                // Google Open DNS
              194.109.6.66;
   };
};

logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      severity debug;
      print-time yes;
      print-severity yes;
      print-category yes;
   };
   category default { default_log; };
   category general { default_log; };
};

include "/etc/bind/rndc.key";

controls {
   inet 127.0.0.1 port 53 allow { 127.0.0.1/32; } keys { "rndc-key"; };
};

acl mijnnetwerk {
   192.168.0/24;
   192.168.178.0/24;
};

view "internal" {
   match-clients {
      mijnnetwerk;
      192.168.0.1;
      localhost;
   };
   recursion yes;
   zone "eotter1979.xs4all.nl" {
      type master;
      file "pri/eotter1979.xs4all.nl.internal";
      allow-transfer { any; };
   };
};

view "external" {
   match-clients { any; };
   recursion no;
   zone "." IN {
      type hint;
      file "named.cache";
   };
   zone "localhost" IN {
      type master;
      file "/pri/localhost.zone";
      allow-update { none; };
      notify no;
   };
   zone "127.in-addr.arpa" IN {
      type master;
      file "pri/127.zone";
      allow-update { none; };
      notify no;
   };
   zone "eotter1979.xs4all.nl" {
      type master;
      file "pri/eotter1979.xs4all.nl.external";
      allow-query { any; };
      allow-transfer { 192.168.178.1; };
   };
};
elmarotter@masterserver ~ $ 
```

```
elmarotter@masterserver ~ $ sudo cat /var/bind/pri/eotter1979.xs4all.nl.internal
$TTL 2d
@   IN SOA   ns.eotter1979.xs4all.nl.   masterserver.eotter1979.xs4all.nl. (
                2008122612      ;serial
                28800           ;refresh
                14400           ;retry
                604800          ;expire
                86400)          ;default minimum ttl
eotter1979.xs4all.nl.               IN MX   0 mail.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.               IN MX   10 mailgateway.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.               IN TXT  "v=spf1 ip4:80.101.167.116/32 mx ptr mx:mail.eotter1979.xs4all.nl ~all"
eotter1979.xs4all.nl.               IN NS   ns.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.               IN A    192.168.0.1
www.eotter1979.xs4all.nl.           IN A    192.168.0.1
ns.eotter1979.xs4all.nl.            IN A    192.168.0.1
mail.eotter1979.xs4all.nl.          IN A    192.168.0.1
router.eotter1979.xs4all.nl.        IN A    192.168.0.1
masterserver.eotter1979.xs4all.nl.  IN A    192.168.0.1
pikkabird.eotter1979.xs4all.nl      IN A    192.168.0.2
deepthought.eotter1979.xs4all.nl.   IN A    192.168.0.3
arthurdent.eotter1979.xs4all.nl.    IN A    192.168.0.4
root.eotter1979.xs4all.nl.          IN A    192.168.0.1
ftp.eotter1979.xs4all.nl.           IN A    192.168.0.1
mailgateway.eotter1979.xs4all.nl.   IN A    192.168.0.1
elmarotter@masterserver ~ $ 
```

```
elmarotter@masterserver ~ $ sudo cat /var/bind/pri/eotter1979.xs4all.nl.external
$TTL 2d
@   IN SOA   ns.eotter1979.xs4all.nl.   masterserver.eotter1979.xs4all.nl. (
                2008122601      ; Serial
                28800           ; Refresh
                14400           ; Retry
                604800          ; Expire - 1 week
                86400 )         ; Minimum
eotter1979.xs4all.nl.               IN MX   0 mail.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.               IN MX   10 mailgateway.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.               IN TXT  "v=spf1 ip4:80.101.167.116/32 mx ptr mx:mail.eotter1979.xs4all.nl ~all"
eotter1979.xs4all.nl.               IN NS   ns.80.101.167.116.
www.eotter1979.xs4all.nl.           IN A    80.101.167.116
ns.eotter1979.xs4all.nl.            IN A    80.101.167.116
mail.eotter1979.xs4all.nl.          IN A    80.101.167.116
ftp.eotter1979.xs4all.nl.           IN A    80.101.167.116
masterserver.eotter1979.xs4all.nl.  IN A    80.101.167.116
mailgateway.eotter1979.xs4all.nl.   IN A    80.101.167.116
elmarotter@masterserver ~ $ 
```
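Two things in the zone files above are easy to miss by eye: an owner name written without a trailing dot (BIND appends the origin to it) and an NS or MX target that has no A record in the zone. The following lint is an added example, not code from the thread; it parses the posted zone-file format and runs both checks over trimmed copies of the two files (only `$TTL`-style directives, `;` comments and parenthesised SOA records are supported).

```python
# Added example (not from the thread): lint the posted zone-file format for
# relative owner names and NS/MX targets that have no A record in the zone.
def parse_zone(text, origin):
    """Return ([(owner, type, rdata)], [owners lacking a trailing dot])."""
    records, relative, buf = [], [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                                  # multi-line SOA
        toks = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if toks[0].startswith("$"):                   # $TTL etc.
            continue
        owner = toks.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            relative.append(owner)                    # BIND appends origin
            owner = f"{owner}.{origin}"
        while toks[0].isdigit() or toks[0] in ("IN", "CH"):
            toks.pop(0)                               # optional TTL/class
        records.append((owner, toks[0], toks[1:]))
    return records, relative

def lint(text, origin):
    # Findings as strings; an empty list means both checks passed.
    records, relative = parse_zone(text, origin)
    a_owners = {own for own, typ, _ in records if typ == "A"}
    findings = [f"relative name {n} becomes {n}.{origin}" for n in relative]
    for _, typ, rdata in records:
        if typ in ("NS", "MX"):
            target = rdata[-1] if rdata[-1].endswith(".") else f"{rdata[-1]}.{origin}"
            if target not in a_owners:
                findings.append(f"{typ} target {target} has no A record")
    return findings

# Trimmed copies of the external and internal zone files from the post.
EXTERNAL = """\
@ IN SOA ns.eotter1979.xs4all.nl. masterserver.eotter1979.xs4all.nl. (
      2008122601 28800 14400 604800 86400 )   ; serial ... minimum
eotter1979.xs4all.nl.      IN MX 0 mail.eotter1979.xs4all.nl.
eotter1979.xs4all.nl.      IN NS ns.80.101.167.116.
mail.eotter1979.xs4all.nl. IN A  80.101.167.116
"""
INTERNAL = """\
eotter1979.xs4all.nl.          IN NS ns.eotter1979.xs4all.nl.
ns.eotter1979.xs4all.nl.       IN A  192.168.0.1
pikkabird.eotter1979.xs4all.nl IN A  192.168.0.2
"""
```

`lint(EXTERNAL, "eotter1979.xs4all.nl.")` reports the NS target `ns.80.101.167.116.` as having no A record, and `lint(INTERNAL, ...)` reports that `pikkabird.eotter1979.xs4all.nl` silently becomes `pikkabird.eotter1979.xs4all.nl.eotter1979.xs4all.nl.`.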

----------

## wanie

*elmar283 wrote:*

> Is it possible to make other DNS-servers know my mx-record so they know where to go?

I'm not really a professional with DNS, so please correct me if I am wrong.

This is really just an assumption from me:

I think you manage your own zone, right?

I think MX records are not used to connect with some IMAP/POP client to your subdomain "mail".

If you manage your own zone, you have to open your bind server to the public.

But an nmap of eotter1979.xs4all.nl shows me:

```
53/tcp   closed domain
```

So I can ask any DNS server who eotter1979.xs4all.nl is, and get the answer 80.101.167.116.

But if I try to ask your zone server who mail.eotter1979.xs4all.nl is, I get the answer:

```
# dig @eotter1979.xs4all.nl mail.eotter1979.xs4all.nl

; <<>> DiG 9.7.3 <<>> @eotter1979.xs4all.nl mail.eotter1979.xs4all.nl
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```

Does this sound right, or am I completely wrong?

----------

## Veldrin

```
# dig MX eotter1979.xs4all.nl.

; <<>> DiG 9.7.3 <<>> MX eotter1979.xs4all.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31652
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;eotter1979.xs4all.nl.          IN      MX

;; AUTHORITY SECTION:
xs4all.nl.              10800   IN      SOA     ns.xs4all.nl. hostmaster.xs4all.nl. 2011060800 28800 1800 604800 28800

;; Query time: 203 msec
;; SERVER: 10.23.14.240#53(10.23.14.240)
;; WHEN: Wed Jun  8 00:34:22 2011
;; MSG SIZE  rcvd: 88
```

Doesn't look good. I am able to find your domain, but there is no MX entry.

As wanie already suggested, are you managing the correct DNS server?

Does the parent server point to your DNS Server to resolve those names?

Is your DNS server publicly reachable? (From what I can see, like wanie, it is not reachable.)

V.

----------

## elmar283

I think I know what went wrong. Port 53 was closed because of the following line in named.conf:

```
allow-transfer { 192.168.178.1; };
```

Instead of

```
allow-transfer { any; };
```

The only concern with the last one is that anyone can use the DNS server, if I'm not mistaken.

Right now mail.eotter1979.xs4all.nl still doesn't work, but that could be because the other DNS servers have to adjust, right?

----------

## Veldrin

I am not sure if you want to allow transfers (zone updates) from any source. Set that to none;.

tcp/53 is answering, but still no reply on udp/53.

Assuming that you are behind a NAT router:

How is your port forwarding configured? Is port udp/53 forwarded to your DNS server?

(You may need to configure your internal hosts to use your DNS server instead of an external one, as all (return) traffic will get forwarded to this DNS server.)

V.

----------

## elmar283

I have a router with iptables. My router is directly connected to my modem with the address 192.168.178.28.

In my modem I have allowed port 53 TCP and UDP to that address.

The DNS is on my router.

I use the following iptables rules to open the ports on my router:

```
export LAN=eth0
export WAN=eth1
iptables -A INPUT -p TCP --dport 53 -i ${WAN} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${WAN} -j ACCEPT
```

iptables routes all traffic from 192.168.178.28 (eth1) to 192.168.0.1 (eth0).

`iptables -L` shows:

```
elmarotter@masterserver ~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dn6-nlm-aud 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:943 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6266 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:echo 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2703 
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023 
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.0.0/16      
ACCEPT     all  --  192.168.0.0/16       anywhere            
ACCEPT     all  --  anywhere             192.168.0.0/16      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
```

And iptables -t nat -L:

```
elmarotter@masterserver ~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:6882 to:192.168.0.4:6882 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:6888 to:192.168.0.3:6888 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:11451 to:192.168.0.4:11451 
DNAT       udp  --  anywhere             anywhere            udp dpt:ipsec-nat-t to:192.168.0.4:4500 
DNAT       udp  --  anywhere             anywhere            udp dpt:mdns to:192.168.0.4:5353 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:28712 to:192.168.0.4:28712 
REDIRECT   tcp  --  anywhere             anywhere            tcp dpt:http redir ports 3128 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
```

So UDP port 53 should be open, but it isn't:

```
elmarotter@masterserver ~ $ sudo nmap -sU -P0 -p 53 80.101.167.116

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-12 13:56 CEST
Nmap scan report for eotter1979.xs4all.nl (80.101.167.116)
Host is up (0.011s latency).
PORT   STATE  SERVICE
53/udp closed domain

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
```

So I think it is something in '/etc/bind/named.conf' that is not right. But I still don't know what that is.
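Netfilter walks a chain top to bottom and stops at the first rule with a terminating target, so the order of the INPUT chain above matters as much as its contents. The evaluator below is an added example, not code from the thread: it replays an excerpt of the posted INPUT chain for a given packet and reports which rule decides it. Because `iptables -L` without `-v` hides the `-i` interface match, the interfaces on the two leading ACCEPT-all rules (lo and the LAN side) and on the port-53 ACCEPTs (`${WAN}=eth1`, as in the post's own script) are assumptions.

```python
# Added example (not from the thread): replay the posted INPUT chain with
# netfilter's first-match semantics to see which rule decides a packet.
from typing import NamedTuple

SERVICES = {"domain": 53, "bootps": 67, "ssh": 22, "smtp": 25, "imap": 143}

class Rule(NamedTuple):
    target: str         # ACCEPT / DROP / REJECT (all terminating)
    proto: str          # "all", "tcp" or "udp"
    dport: str = ""     # "dpt:<name>" / "dpts:<lo>:<hi>" as printed by -L
    in_iface: str = ""  # "" = any interface
    extra: str = ""     # e.g. "reject-with icmp-port-unreachable"

# Transcribed from the post's `iptables -L` INPUT chain (policy ACCEPT).
# ASSUMPTION: -L hides -i, so the two leading ACCEPT-all rules are taken to
# be the lo/LAN rules and the port-53 ACCEPTs bound to ${WAN}=eth1 as in the
# post's script; `iptables -L -v -n --line-numbers` shows the real columns.
INPUT = [
    Rule("ACCEPT", "all", in_iface="lo"),
    Rule("ACCEPT", "all", in_iface="eth0"),
    Rule("REJECT", "udp", "dpt:bootps", extra="reject-with icmp-port-unreachable"),
    Rule("REJECT", "udp", "dpt:domain", extra="reject-with icmp-port-unreachable"),
    Rule("ACCEPT", "tcp", "dpt:ssh"),
    Rule("ACCEPT", "tcp", "dpt:smtp"),
    Rule("ACCEPT", "tcp", "dpt:domain", "eth1"),
    Rule("ACCEPT", "udp", "dpt:domain", "eth1"),
    Rule("ACCEPT", "tcp", "dpt:imap"),
    Rule("DROP", "tcp", "dpts:0:1023"),
    Rule("DROP", "udp", "dpts:0:1023"),
]

def port_matches(spec, port):
    """Interpret the dpt:/dpts: column; an empty spec matches every port."""
    if not spec:
        return True
    kind, _, value = spec.partition(":")
    if kind == "dpt":
        return port == (SERVICES[value] if value in SERVICES else int(value))
    lo, hi = map(int, value.split(":"))
    return lo <= port <= hi

def verdict(chain, proto, port, in_iface, policy="ACCEPT"):
    """(rule number, target, extra) of the first matching rule; 0 = policy."""
    for n, rule in enumerate(chain, 1):
        if (rule.proto in ("all", proto)
                and rule.in_iface in ("", in_iface)
                and port_matches(rule.dport, port)):
            return n, rule.target, rule.extra
    return 0, policy, ""
```

Under that assumption, `verdict(INPUT, "udp", 53, "eth1")` stops at rule 4, the REJECT with icmp-port-unreachable, before the udp/domain ACCEPT at rule 8 is ever reached, and an ICMP port-unreachable reply is exactly what an nmap UDP scan reports as `closed`. The same call for TCP lands on the ACCEPT at rule 7, matching the thread's observation that tcp/53 answers while udp/53 does not.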

----------

## cach0rr0

```
53/udp closed domain 
```

this indicates that nothing is listening on port 53

it does not mean that the firewall is disallowing traffic 

if a daemon is listening, but the firewall is dropping packets, you would see "filtered", and not "closed"

----------

## wanie

Did you find the answer to your problem, elmar283?

----------

## elmar283

Sorry for the delayed response.

It is still not working. I'll now just connect through eotter1979.xs4all.nl.  

Could it be, since I'm on a subdomain, that the domain xs4all.nl does not allow me to add an MX record?

----------

## Veldrin

Well, you somehow need to tell xs4all.nl that all DNS traffic for eotter1979.xs4all.nl. should either be forwarded to your DNS server, or that xs4all.nl handles all your DNS traffic (including your MX record).

And in the former case you need to get your DNS working; there is still no reply from it.

V.

----------

