Differences between version 9 and previous revision of SMTPBestPractises.
Newer page: version 9, last edited on Sunday, August 22, 2004 2:34:55 pm by PerryLorier
Older page: version 8, last edited on Sunday, August 22, 2004 2:29:44 pm by PerryLorier
@@ -1,42 +1 @@
-!!!STARTTLS
-Make sure that your smtp server supports
[SSL
] (even if you don't have a certificate), it should do [STARTTLS] to [SMTP] servers that support it.
-
-For debian stable, install the "exim-tls" package. For debian testing/unstable, exim already supports tls by default.
-
-IF you have an SSL certificate, then make sure that exim knows about it (and that your [MX]'s match the name on the certificate!) so that incoming connections can be [SSL] encrypted if necessary.
-
-If you relay for other machines, you should set up ssmtp (SMTP over SSL) on port 465/tcp. This is important in particular for laptops which may be used at a hotel, cybercafe or over wireless where port 25 outgoing may be blocked. [MUA]s should be configured to use ssmtp where possible.
-
-!!!SMTP Auth
-Unless you can do challenge response authentication, you should make sure your [SMTP] server supports [SSL] as outlined above. The easiest authentication to get working with [SMTP] is "PLAIN" or "LOGIN" authentication.
-
-Information about configuring this with exim is on [EximSmtpAuth]
-
-!!!DNS Issues
-Try not to put your mail server in what people might consider a "dynamic IP" range.
-
-Make sure that you are not using a [CNAME] to deliver to. For example mail to "foo@fishbowl.example.com" will not work if "fishbowl.example.com" is a [CNAME] to some other machine.
-
-Don't set an [MX] to point to an IP address! It won't work. MX's must point to a record which contains an A RR. Not a [CNAME], not anything else.
-
-Make sure that the reverse lookup of your outgoing mailserver exists, make sure has a matching forward record, and where possible, make sure that your [HELO]/[EHLO] name matches the reverse. Note, that this usually doesn't match the name of the domain you want to recieve mail for.
-
-Use http://dnsreport.com/ to verify that your DNS is in good healthy working order.
-
-Attempt to publish a [SPF] record for your domain.
-
-!!!Secondary [MX]'s
-In general secondary [MX]'s have fallen out of favour in recent years as the internet is more reliable and there are techniques for keeping your primary up. (Such as load balancing [NAT]'s.). In general having a secondary is good if your connectivity is unreliable, otherwise it's a pain.
-
-Be aware that spammers regularly send to secondary [MX]'s directly to avoid aggressive [RBL] checks on the primary mailserver. This can be exploited by having a secondary [MX] that always returns a 400 series code (temporary failure), or is __stricter__ with it's [RBL] checks. Another trick is to list your primary mx again as the highest number mx (so that spammers hit that one first)
-
-Regularly check that your backup [MX] still correctly relays, you won't notice a backup [MX] rejecting mail until the first time your primary goes down and all your mail is immediately bounced (not retried later)
.
-
-
-
-!!!Virus and spam filtering
-
-TODO
-
-----
-CategoryBestPractices
+Describe
[SMTPBestPractises
] here
.
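Review bot: this revision blanks the entire page and leaves only the wiki's default "Describe [SMTPBestPractises] here." stub, which also drops the "CategoryBestPractices" tag at the end of the old text, so the page falls out of the category index and any inbound links now land on an empty placeholder. If the intent is to retire a misspelled title (the page name reads "Practises"), replace the stub with a pointer to wherever the text now lives rather than the default placeholder, and confirm that the moved copy still carries the substantive guidance removed here: the STARTTLS and ssmtp (465/tcp) advice, the note that PLAIN/LOGIN SMTP AUTH must ride over [SSL], the MX/CNAME/reverse-DNS rules, and the secondary [MX] caveats (including the reminder to regularly verify that a backup MX still relays). If the blanking was accidental, revert to version 8.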