Diff: SMTPBestPractices

Differences between current version and revision by previous author of SMTPBestPractices.

Newer page: version 17 Last edited on Monday, September 19, 2005 10:04:58 am by DanielLawson
Older page: version 8 Last edited on Saturday, November 27, 2004 2:02:04 am by GoogleSite Revert
@@ -1,212 +1,46 @@
+Things that are more note worthy than SMTPBestPractices have been moved to [SMTPNotes] - AdrianKitto  
+  
 !!! [DNS] Issues 
  
-Try not to put your mail server in what people might consider a "dynamic [IP]" range. 
+Try not to put your mail server in what people might consider a "dynamic [IP]" range. It is reasonably common to drop mail coming from IP blocks that are known to be allocated to dynamic sessions such as dialup and DSL connections. If you have an MTA operating in these ranges, be prepared for a fair chunk of the Internet to drop mail from you instantly
  
-Make sure that you are not using a [CNAME ] to deliver to. For example mail to <tt>foo@fishbowl.example.com</tt> will not work if <tt>fishbowl.example.com</tt> is a [ CNAME] to some other machine. 
+Your <tt>MX</tt> ResourceRecord __MUST__ point to a [DNS ] name which has an <tt>A</tt> or <tt>AAAA</tt> record. Do __NOT__ set an <tt>MX</tt> to point to an [IP] address! Do __NOT__ set it to point to a [DNS] name which is a <tt>CNAME</tt> either . For example, mail to <tt>foo@fishbowl.example.com</tt> will not work if <tt>fishbowl.example.com</tt> is a <tt> CNAME</tt> to some other machine. <tt>MX</tt>es must point to a name with an <tt>A</tt> or <tt>AAAA</tt> ResourceRecord. Not a <tt>CNAME</tt>, not anything else
  
-Don't set an [MX] to point to an [IP] address! It won't work. [MX]s must point to a record which contains an [A] or an [AAAA] [RR] . Not a [CNAME] , not anything else
+Make sure that the reverse lookup of your outgoing mailserver exists, make sure has a matching forward record, and where possible, make sure that your <tt>HELO</tt> / <tt>EHLO</tt> name matches the reverse . Note , that this usually doesn't match the name of the domain you want to recieve mail for
  
-Make sure that the reverse lookup of your outgoing mailserver exists , make sure has a matching forward record, and where possible, make sure that your <tt>HELO</tt>/<tt>EHLO</tt> name matches the reverse . Note, that this usually doesn't match the name of the domain you want to recieve mail for
+Don't use an underscore "_" in your domain name for mail , in your <tt>HELO</tt> / <tt>EHLO</tt> or 250 server greeting . Mail will get dropped
  
-Don't use an underscore "_" in your domain name for mail, in your <tt>HELO</tt>/<tt>EHLO</tt> or 250 server greeting. Mail will get dropped.  
-  
- Make sure you send mail from a domain that exists, and has at least an [ A] /[ AAAA] or [ MX] record . If you use an internal mail domain that doesn't actually exist, and mail from this internal domain somehow gets onto the Internet , you will lose mail. 
+Make sure you send mail from a domain that exists, and has at least an <tt> A< /tt> or <tt> AAAA</tt> or an <tt> MX</tt> ResourceRecord . If you use an internal mail domain that doesn't actually exist, and mail from this internal domain somehow gets onto the InterNet , you will lose mail. 
  
 Use http://dnsreport.com/ to verify that your [DNS] is in good healthy working order. 
  
 Attempt to publish a [SPF] record for your domain. 
  
-!!! Secondary [ MX]
+!!! Secondary <tt> MX</tt>
  
-Secondary [ MX] s have fallen out of favour in recent years as the InterNet is more reliable and there are techniques for keeping your primary up (such as load balancing [NAT]s). Having a secondary [ MX] is good if your connectivity is unreliable but a pain otherwise. 
+Secondary <tt> MX</tt> s have fallen out of favour in recent years as the InterNet is more reliable and there are techniques for keeping your primary up (such as load balancing [NAT]s). Having a secondary <tt> MX</tt> is good if your connectivity is unreliable but a pain otherwise. 
  
-Be aware that spammers regularly send to secondary [MX]s directly to avoid aggressive [RBL] checks on the primary MailServer. This can be exploited by having a secondary [ MX] that always returns a 400 series code (temporary failure ), or is __stricter__ with its [RBL] checks . Another trick is to list your primary [MX] again as the highest number [MX] so that spammers hit that one first
+Remember that not having a secondary <tt> MX</tt> doesn't mean you'll instantly lose mail if your primary is down! The sending MTA will queue the mail for some period (typically 4 hours the first time ), then try again . It'll keep doing this for quite some time before finally giving up. The only downside here is that mail will be delayed
  
-Regularly check that your backup [ MX] still correctly relays. You won't notice a backup [MX ] rejecting mail until the first time your primary goes down and all your mail is immediately bounced rather than retried later
+!! Spam and Secondary <tt>MX</tt>s  
+Be aware that spammers regularly send to secondary <tt> MX</tt>s directly to avoid aggressive [RBL ] checks on the primary MailServer. This can be exploited by having a secondary <tt>MX</tt> that always returns a 400 series code (temporary failure), or is __stricter__ with its [RBL] checks
  
-!!! SMTP Auth  
+One suggested trick is to list your primary <tt>MX</tt> again as the highest number <tt>MX</tt>, so that spammers hit that one first. There is some evidence that spammers aren't actually grabbing the highest <tt>MX</tt> possible, but either blindly picking the second one, or sorting the MX list and removing dupes. Perhaps setting your primary as the first two <tt>MX</tt>s and then your secondary as the third might work. Your mileage may vary.  
  
-Unless you can do challenge/response authentication, you should make sure your [SMTP] server supports [SSL] as outlined above. The easiest authentication to get working with [SMTP] is <tt>PLAIN </tt> or <tt>LOGIN </tt> authentication .  
-  
-See EximSmtpAuth for information about configuring [Exim] for it.  
-  
-!!! [STARTTLS]  
-  
-Make sure that your smtp server supports [SSL] (even if you don 't have a certificate), it should do [STARTTLS] to [SMTP] servers that support it.  
-  
-If you use [Exim] with [Debian] stable, install the <tt>exim-tls </tt> package. For [Debian] testing/unstable (see FlavoursOfDebian), [Exim] already supports [TLS] by default.  
-  
-If you have an [SSL] certificate, then make sure that [Exim] knows about it ( and that your [MX]s match the name on the certificate!) so that incoming connections can be [SSL] encrypted if necessary.  
-  
-If you relay for other machines, you should set up SSMTP ([SMTP] over [SSL]) on [Port] 465/[TCP]. This is important in particular for laptops which may be used at a hotel, cybercafe or over wireless where port 25 outgoing may be blocked. [MUA]s should be configured to use SSMTP where possible
+!! Reliability and Secondary <tt>MX </tt>s  
+Regularly check that your backup <tt>MX </tt> still correctly relays . You won 't notice a backup <tt>MX </tt> rejecting mail until the first time your primary goes down and all your mail is immediately bounced rather than retried later
  
 !!! Administrative mail accounts 
  
 Make sure you have a <tt>postmaster@</tt> and <tt>abuse@</tt> [Email] addresses that have the least number of filters ([Spam], [Virus], etc) on them. People may try to send you mail to notify you that your machine is broken and explain how you can fix it, but if you treat all mail from their machine as invalid, you'll never hear about the problem. 
  
-!!! [Virus] and [Spam] filtering  
+!!! Pipelining  
  
-Make sure you've read http://kmself .home .netcom .com/Rants/avspam .html  
+Pipelining is often used to improve SMTP performance . It allows remote MTAs to keep sending data without waiting for your server response . Spammers can make use of this by sending their entire spam in just a handful of packets then disconnecting, rather than having to wait for the entire protocol negotiation . If you disable pipelining, and your MTA checks for protocol compliance, you may find your spam load drops significantly
  
 !!! Misc 
  
 Try to run an [IDENT] server on your mail server. Several mail servers still try to check [IDENT] by default. If you don't have [IDENT] enabled, then make sure you don't just drop packets to the [IDENT] port, or you will cause other MailServer~s to wait for a time out before they let you send any [Email], slowing everything down. 
  
 ---- 
 CategoryBestPractices 
-  
-[电影|http://www.591dy.com]  
-[免费电影|http://www.591dy.com]  
-[电影下载|http://www.591dy.com]  
-[在线电影|http://www.591dy.com]  
-[影视|http://www.591dy.com]  
-[免费电影下载|http://www.591dy.com]  
-  
-[猫沙|http://080.google.591dy.com]  
-[猫抓板|http://079.google.591dy.com]  
-[猫用品|http://078.google.591dy.com]  
-[猫粮|http://077.google.591dy.com]  
-[模具|http://076.google.591dy.com]  
-[新力净化|http://075.google.591dy.com]  
-[空气净化行业|http://074.google.591dy.com]  
-[洁净论坛|http://073.google.591dy.com]  
-[洁净技术|http://072.google.591dy.com]  
-[clean room|http://071.google.591dy.com]  
-[无尘室|http://070.google.591dy.com]  
-[无尘室净化设备|http://069.google.591dy.com]  
-[风机过滤网|http://068.google.591dy.com]  
-[有隔板空气过滤器|http://067.google.591dy.com]  
-[铝隔板式高效率空气过滤器|http://066.google.591dy.com]  
-[无隔板高效空气过滤器|http://065.google.591dy.com]  
-[高效率空气过滤器|http://064.google.591dy.com]  
-[空气过滤器|http://063.google.591dy.com]  
-[狩猎|http://062.google.591dy.com]  
-[头盔夜视仪|http://061.google.591dy.com]  
-[红外热成像仪|http://060.google.591dy.com]  
-[双筒夜视仪|http://059.google.591dy.com]  
-[枪械瞄准镜|http://058.google.591dy.com]  
-[微光夜视仪|http://057.google.591dy.com]  
-[夜视瞄准镜|http://056.google.591dy.com]  
-[手持夜视观察仪|http://055.google.591dy.com]  
-[药物流产|http://054.google.591dy.com]  
-[钛板|http://053.google.591dy.com]  
-[冷却塔|http://052.google.591dy.com]  
-[挖掘机|http://051.google.591dy.com]  
-[搅拌器|http://050.google.591dy.com]  
-[球磨机|http://049.google.591dy.com]  
-[离心机|http://048.google.591dy.com]  
-[会计师事务所|http://047.google.591dy.com]  
-[标签打印机|http://046.google.591dy.com]  
-[吸顶灯|http://045.google.591dy.com]  
-[反光材料|http://044.google.591dy.com]  
-[强直性脊柱炎|http://043.google.591dy.com]  
-[自动门|http://042.google.591dy.com]  
-[钢结构|http://041.google.591dy.com]  
-[尿毒症|http://040.google.591dy.com]  
-[化学清洗|http://039.google.591dy.com]  
-[工业清洗|http://038.google.591dy.com]  
-[电视墙|http://037.google.591dy.com]  
-[加密狗|http://036.google.591dy.com]  
-[过滤器|http://035.google.591dy.com]  
-[艾滋病|http://034.google.591dy.com]  
-[梅毒|http://033.google.591dy.com]  
-[尖锐湿疣|http://032.google.591dy.com]  
-[淋病|http://031.google.591dy.com]  
-[性病|http://030.google.591dy.com]  
-[电子白板|http://029.google.591dy.com]  
-[升降机|http://028.google.591dy.com]  
-[脚手架|http://027.google.591dy.com]  
-[高压水枪|http://026.google.591dy.com]  
-[吸脂|http://025.google.591dy.com]  
-[洗涤设备|http://024.google.591dy.com]  
-[桑拿设备|http://023.google.591dy.com]  
-[加湿器|http://022.google.591dy.com]  
-[防盗门|http://021.google.591dy.com]  
-[保暖内衣|http://020.google.591dy.com]  
-[防护服|http://019.google.591dy.com]  
-[商铺招租|http://018.google.591dy.com]  
-[户外广告|http://017.google.591dy.com]  
-[保温材料|http://016.google.591dy.com]  
-[防火材料|http://015.google.591dy.com]  
-[涂料|http://014.google.591dy.com]  
-[无痛流产|http://013.google.591dy.com]  
-[油漆|http://012.google.591dy.com]  
-[拓展训练|http://011.google.591dy.com]  
-[婚庆公司|http://010.google.591dy.com]  
-[旗袍|http://009.google.591dy.com]  
-[婚纱|http://008.google.591dy.com]  
-[管道疏通|http://007.google.591dy.com]  
-[婚纱摄影|http://006.google.591dy.com]  
-  
-[家政 |http://005.google.591dy.com]  
-[家政服务 |http://005.google.591dy.com]  
-[家政服务公司 |http://005.google.591dy.com]  
-[保姆 |http://005.google.591dy.com]  
-[钟点工 |http://005.google.591dy.com]  
-[小时工 |http://005.google.591dy.com]  
-  
-[汽车坐垫 |http://004.google.591dy.com]  
-[汽车坐垫代理 |http://004.google.591dy.com]  
-[汽车坐垫销售 |http://004.google.591dy.com]  
-[汽车坐垫生产 |http://004.google.591dy.com]  
-[北京汽车坐垫 |http://004.google.591dy.com]  
-  
-[白癜风 |http://003.google.591dy.com]  
-[白癜风专家 |http://003.google.591dy.com]  
-[白癜风医院 |http://003.google.591dy.com]  
-[白癜风治疗 |http://003.google.591dy.com]  
-[白癜风药品 |http://003.google.591dy.com]  
-[白癜风信息 |http://003.google.591dy.com]  
-  
-[美容仪器 |http://001.google.591dy.com]  
-[美容设备 |http://001.google.591dy.com]  
-  
-[空调清洗 |http://002.google.591dy.com]  
-[中央空调清洗|http://002.google.591dy.com]  
-[清洗空调 |http://002.google.591dy.com]  
-[清洗中央空调|http://002.google.591dy.com]  
-  
-[搬家公司 |http://google.591dy.com/banjgs/]  
-[造桥机 |http://google.591dy.com/zqj/]  
-[中央空调 |http://google.591dy.com/zhykt/]  
-[麦克维尔 |http://google.591dy.com/mkwr/]  
-[管道疏通 |http://google.591dy.com/guandsht/]  
-[霓虹灯 |http://google.591dy.com/nihd/]  
-[卫生洁具 |http://google.591dy.com/weishjj/]  
-[游乐设备 |http://google.591dy.com/youlshb/]  
-[游乐设备 |http://google.591dy.com/youlshb/]  
-[乳胶漆 |http://google.591dy.com/rujq/]  
-[塑钢门窗 |http://google.591dy.com/sugmch/]  
-[CI策划 |http://google.591dy.com/cich/]  
-[私人侦探 |http://google.591dy.com/sirzht/]  
-[可视门铃 |http://google.591dy.com/keshml/]  
-[律师事务所 |http://google.591dy.com/lvshshws/]  
-[驾校 |http://google.591dy.com/lvshshws/]  
-[轴承 |http://google.591dy.com/zhouch/]  
-[夜视仪 |http://google.591dy.com/yeshy/]  
-[高压清洗机 |http://google.591dy.com/gaoyqxj/]  
-[铁路标准 |http://google.591dy.com/tielbzh/]  
-[铁路工法 |http://google.591dy.com/tielgf/]  
-[架桥机 |http://google.591dy.com/jiaqj/]  
-[网站推广 |http://www.starpioneer.com/]  
-[快餐 |http://google.591dy.com/]  
-[订餐 |http://google.591dy.com/]  
-[天花板 |http://www.591dy.com/tianhb/]  
-[NEC交换机 |http://www.591dy.com/necjhj/]  
-[印刷机械 |http://google.591dy.com/yinshjx/]  
-[整形美容 |http://google.591dy.com/zhengxmr/]  
-[糖尿病 |http://google.591dy.com/tangnb/]  
-[高血压 |http://google.591dy.com/gaoxy/]  
-[建材 |http://google.591dy.com/jianc/]  
-[变压器 |http://google.591dy.com/bianyq/]  
-[胶合板 |http://google.591dy.com/jiaohb/]  
-[热水器 |http://google.591dy.com/reshq/]  
-[楼市图 |http://google.591dy.com/lousht/]  
-[二手车 |http://google.591dy.com/ershch/]  
-[安防设备 |http://google.591dy.com/anfshb/]  
-[继电器 |http://google.591dy.com/jidq/]  
-[传感器 |http://google.591dy.com/chuangq/]  
-[对讲机 |http://google.591dy.com/duijj/]  
-[宠物食品 |http://google.591dy.com/chongwshp/]  
-[猫粮 |http://google.591dy.com/maol/]  
-[狗粮 |http://google.591dy.com/goul/]
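
Review bot: In the added line beginning "Make sure you send mail from a domain that exists", the markup "<tt> A< /tt>" has a space inside the closing tag, so the tag is not closed as written; it should read "<tt>A</tt>", matching the AAAA and MX spans beside it. Separately, the SMTP Auth and STARTTLS sections are deleted outright and the only trace left is the general pointer to [SMTPNotes] on the first added line. That was this page's only guidance on encrypting and authenticating mail submission, so a one-line pointer to [SMTPNotes] in their old position would keep readers from concluding the advice was dropped. In the new "Spam and Secondary MXs" text, a secondary that always returns a 400 series code cannot also be the working backup that the "Reliability and Secondary MXs" paragraph asks you to test, so it is worth stating that the two are alternatives. The added "typically 4 hours the first time" retry figure is stated without saying which MTA it describes; naming the MTA or dropping the number would avoid readers relying on it.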