Multi-IP address zimbra server DNS PTR records and spam

domain-name-systememailpostfixspamzimbra

We have a mail server running Zimbra (ZCS 6.0.8). The server has 5 active public IP addresses in the same subnet. (.226–.230). I currently have A records for each of these (host0.domain.com..host4.domain.com), with the main host.domain.com of the machine pointing to .226.

Our host has ended up being listed on the SORBS DUHL list (even though it's in a server farm). According to them you can get removed quickly by checking that your host has an MX record, an A record, and a PTR record that points back to the hostname given in the MX record.

I tried setting the PTR records so that each of these addresses resolved back to their A record (i.e. .228 had a PTR to host2.domain.com). However, I then got mail being rejected from other servers because when Postfix (under Zimbra control) sends out mail, it uses the main hostname for the HELO – there doesn't seem to be any way to override it. So the PTR records currently say host.domain.com for all 5 IP addresses.

What's the correct way to handle this? Should I have an A record for the domain that points to all the IP addresses (for round-robin handling)? I'm nervous of changes that could cause problems, so I'm wondering what the standard way to handle a multiple-IP-address mail server is.

Best Answer

If there is no specific reason you want/need a service to listen to multiple addresses, it always makes troubleshooting a lot less complicated if you can decide on one address to bind to. This is a generally good practice, and especially true for protocols such as SMTP which may attempt to match reverse DNS lookups with source addresses at level 7.

Some suggestions:

Make the Postfix SMTP client part of Zimbra bind only to your "main" IP. Either you must edit /opt/zimbra/postfix/conf/master.cf.in adding an address to the smtp line like this - see below. (Or to set inet_interfaces using zmlocalconfig, but this doesn't work)
Verify that you have a corresponding A and PTR (no round-robin records or anything).
Verify that you have servername/hostname & mail domain name setup correctly in Zimbra. Best verified by sending a test email somewhere and then inspecting the mail headers.
Make sure you have restart the corresponding daemons when necessary.

Here's the syntax for adjusting the smtp line:

smtp unix - - n - - smtp
-o smtp_bind_address=n.n.n.n

Related Solutions

DNS and PTR for SMTP: shared IPs and subdomains

You can have as many A RRs as you want point to 1.2.3.4.
You must have one PTR point back to a name.
Therefore all you need is to make sure that the PTR points to the name you want and that this name points back to 1.2.3.4.

This means that you can have:

example.com. IN A 1.2.3.4

example.com. IN MX 10 mail.example.com.

server.example.com. IN A 1.2.3.4

www.example.com. IN A 1.2.3.4

mail.example.com. IN A 1.2.3.4

and:

4.3.2.1.in-addr.arpa. IN PTR server.example.com.

Why is this the requirement? Because when your SMTP server connects to a remote SMTP server to deliver mail the SMTP server knows only the address of your server and not the name. With the address at hand (1.2.3.4) it queries the DNS and gets the PTR response (server.example.com). The remote server now will ask the DNS again "what is the address of server.example.com" and it expects that answer to be 1.2.3.4.

What you send in the HELO string should not frighten you. You can read about the purpose of the SMTP HELO and find about the exceptions where it is allowed to block based on what is given in the HELO string.

Setting up DNS records for a shared host

Addressing 1 and 2: In most cases, I would recommend doing a single "A" record for the actual IP associated with the box and CNAME everything you need to that. If you are going to have a lot of somethings.example.com, I would make use of a wildcard entry

example.com     A      192.168.0.1
*.example.com   CNAME  example.com

The benefit being that you don't have to do a lot of DNS maintenance as whatever .example.com you use will already match. You just let apache figure out what to do with it based on the name given. This would result in 2 look-ups, and I would only do many CNAMEs to one A, and not try doing CNAME->CNAME. Additionally MX records must only point to an A record name.

If you ever need to break a vhost off to its own IP addres, you can then just add an "A" record for that one host and the most-specific answer will win.

example.com     A      192.168.0.1
*.example.com   CNAME  example.com
new.example.com A      192.168.0.2

Best Answer

Related Solutions

DNS and PTR for SMTP: shared IPs and subdomains

Setting up DNS records for a shared host

Related Topic