Slightly OT - MX RR Sanity Check requested...

Mark Andrews Mark_Andrews at isc.org
Thu Mar 29 03:03:34 UTC 2007


> I'm starting to think that I'm just not explaining this well.  The strategy 
> I'm trying to explain came straight out of the ORA book, "Building Internet 
> Firewalls"....albeit years ago.   It's on my list of things to do to 
> configure SMTP server v-hosting transports under Postfix and then we really 
> won't need to use MX RRs the way we do.  But until that time, this is the way
> we do it.

	We understand exactly what you are doing.  ORA got this
	*wrong* as it is not guaranteed to work.  We are quoting
	the relevant parts of the RFCs which prove that ORA got
	this wrong.

	What ORA suggests works 99.9% of the time.  It doesn't work
	*all* of the time (as you have discovered).

	There are a number of fixes suggested already.  The one
	thing they all have in common is that, to the Internet at
	large, the DMZ mail server is the lowest preference MX and
	that the firewalled mail server does not appear in the MX
	RRset.

	How mail gets from the DMZ mail server to the firewalled mail
	server is a private matter for you to work out.

	Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
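
A check for the property the message says all the suggested fixes share, added here as an example that is not part of the original message or of BIND. The zone fragments, example.com and every host name are constructed, and "lowest preference" is read as the lowest preference value, the MX that senders try first.

```python
import re

# Constructed zone-file fragments; example.com and all host names are placeholders.
PUBLISHES_INSIDE = """\
example.com.  IN MX 10 inside.example.com.  ; firewalled, unreachable from outside
example.com.  IN MX 20 dmz.example.com.
"""
DMZ_FIRST = """\
example.com.  IN MX 10 dmz.example.com.
example.com.  IN MX 20 backup.example.net.
"""

# owner [ttl] [class] MX preference target (every line must carry its owner name)
MX_LINE = re.compile(r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)", re.I)

def norm(host):
    """Compare host names without the trailing dot and case-insensitively."""
    return host.rstrip(".").lower()

def parse_mx(zone_text):
    """Return (preference, target) pairs sorted by preference value."""
    records = []
    for line in zone_text.splitlines():
        match = MX_LINE.match(line.split(";", 1)[0].strip())  # drop comments
        if match:
            records.append((int(match.group(1)), norm(match.group(2))))
    return sorted(records)

def audit_mx(zone_text, dmz_host, firewalled_hosts):
    """Return a list of findings; an empty list means the RRset passes."""
    records = parse_mx(zone_text)
    if not records:
        return ["no MX records found"]
    firewalled = {norm(h) for h in firewalled_hosts}
    findings = [f"firewalled host {t} is in the MX RRset (preference {p})"
                for p, t in records if t in firewalled]
    lowest = records[0][0]
    if norm(dmz_host) not in {t for p, t in records if p == lowest}:
        findings.append(f"{norm(dmz_host)} is not the lowest preference MX")
    return findings

if __name__ == "__main__":
    for name, zone in (("publishes inside", PUBLISHES_INSIDE), ("dmz first", DMZ_FIRST)):
        print(name, audit_mx(zone, "dmz.example.com", ["inside.example.com"]))
```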


