Diff: SMTPBestPractises

Differences between current version and predecessor to the previous major change of SMTPBestPractises.

Newer page: version 9 Last edited on Sunday, August 22, 2004 2:34:55 pm by PerryLorier
Older page: version 7 Last edited on Thursday, August 5, 2004 4:17:05 pm by PerryLorier
@@ -1,42 +1 @@
-!!!STARTTLS  
-Make sure that your smtp server supports [SSL ] (even if you don't have a certificate), it should do [STARTTLS] to [SMTP] servers that support it.  
-  
-For debian stable, install the "exim-tls" package. For debian testing/unstable, exim already supports tls by default.  
-  
-IF you have an SSL certificate, then make sure that exim knows about it (and that your [MX]'s match the name on the certificate!) so that incoming connections can be [SSL] encrypted if necessary.  
-  
-If you relay for other machines, you should set up ssmtp (SMTP over SSL) on port 465/tcp. This is important in particular for laptops which may be used at a hotel, cybercafe or over wireless where port 25 outgoing may be blocked. [MUA]s should be configured to use ssmtp where possible.  
-  
-!!!SMTP Auth  
-Unless you can do challenge response authentication, you should make sure your [SMTP] server supports [SSL] as outlined above. The easiest authentication to get working with [SMTP] is "PLAIN" or "LOGIN" authentication.  
-  
-Information about configuring this with exim is on [EximSmtpAuth]  
-  
-!!!DNS Issues  
-Try not to put your mail server in what people might consider a "dynamic IP" range.  
-  
-Make sure that you are not using a [CNAME] to deliver to. For example mail to "foo@fishbowl.example.com" will not work if "fishbowl.example.com" is a [CNAME] to some other machine.  
-  
-Don't set an [MX] to point to an IP address! It won't work. MX's must point to a record which contains an A RR. Not a [CNAME], not anything else.  
-  
-Make sure that the reverse lookup of your outgoing mailserver exists, make sure has a matching forward record, and where possible, make sure that your [HELO]/[EHLO] name matches the reverse. Note, that this usually doesn't match the name of the domain you want to recieve mail for.  
-  
-Use http://dnsreport.com/ to verify that your DNS is in good healthy working order.  
-  
-Attempt to publish a [SPF] record for your domain.  
-  
-!!!Secondary [MX]'s  
-In general secondary [MX]'s have fallen out of favour in recent years as the internet is more reliable and there are techniques for keeping your primary up. (Such as load balancing [NAT]'s.). In general having a secondary is good if your connectivity is unreliable, otherwise it's a pain.  
-  
-Be aware that spammers regularly send to secondary [MX]'s directly to avoid aggressive [RBL] checks on the primary mailserver. This can be exploited by having a secondary [MX] that always returns a 400 series code (temporary failure), or is __stricter__ with it's [RBL] checks. Another trick is to list your primary mx again as the highest number mx (so that spammers hit that one first)  
-  
-Regularly check that your backup [MX] still correctly relays, you won't notice a backup [MX] rejecting mail until the first time your primary goes down and all your mail is immediately bounced (not retried later) .  
-  
-  
-  
-!!!Virus and spam filtering  
-  
-TODO  
-  
-----  
-CategoryBestPractises  
+Describe [SMTPBestPractises ] here
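
Review bot: the only added line, "Describe [SMTPBestPractises ] here", reads as a placeholder and replaces all 42 removed lines, so the STARTTLS, SMTP Auth, DNS Issues and Secondary MX guidance disappears with nothing in its place. If the blanking is not intended, restore the removed text rather than the placeholder. If the text is restored, a few things in the removed lines are worth fixing at the same time: "recieve" should be "receive", "stricter with it's [RBL] checks" should use "its", the links "[SSL ]" and "[SMTPBestPractises ]" carry a stray space before the closing bracket, and the "Virus and spam filtering" section contains only "TODO". The SMTP Auth paragraph recommends "PLAIN" or "LOGIN" and depends on the SSL advice "as outlined above", so it would help to state there explicitly that these mechanisms should only be offered once the session is encrypted.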