[TAG] How not to do DNS, example n+1
rick at linuxmafia.com
Tue Nov 22 22:45:42 MSK 2005
Quoting Jay R. Ashworth (jra at baylink.com):
> And see Rick's comments about backup MX, supra.
> Though *I* think that having Nagios watch your backup MXs is probably a
> better solution than not having them at all.
Nagios might indeed make enough of a difference.
I was basically saying that _unverified_ MXes, the ones you simply trust
to be competently configured, have a nasty habit of turning out to say
"Oh, we certainly wouldn't relay for _those_ people" at the worst
possible moments. I have the burn marks to prove this. ;->
In part, this is collateral damage from the spam war: Everyone's been
so conditioned to think that relaying is bad (opens you up to abuse by
spammers) that MTA defaults push that concept heavily. It's thus typical
for some half-dazed Linux admin in the middle of a system rebuild to
suddenly forget he'd been relaying domain foo's mail for _reason_ and
silently drop it as a "security measure".
I try to heavily comment my configuration files (about _why_ I did
certain things), hoping to avert those and similar mishaps on my end.
More information about the TAG