Great Circle Associates Firewalls
(March 1995)
 


Subject: Re: Re[2]: DNS on firewall??
From: Lee Neely <lkn @ llnl . gov>
Date: Thu, 2 Mar 1995 07:06:51 -0800
To: brian @ imcon . ilinx . com, firewalls @ greatcircle . com

> From: brian @ imcon . ilinx . com
> 
> from the quill of "J. T. Judge" <sy71703 @ public . fmr . com>
> > 
> > 	If you are application level, how do you deal with the 
> > 	problem that internal mailers, network client programs, etc
> > 	can resolve A and MX records for "out there" -- but these
> > 	same client programs can NOT connect to those addresses ?
> > 
> Ah, yes.  I had to deal with this one over the weekend.  I was fortunate in
> my decision to dump sendmail for smail a long time ago.  With smail, you
> can tell it only to do a hostname lookup if the domain is known (i.e. I can
> list which domains to do a hostname lookup of) and I specify only our
> internal domain as known.  This way mail to the inside domain gets looked
> up and passed via SMTP but mail to all other domains is routed to the
> smarthost.
> 
 
I contend that Sendmail 8.6.x is now able to do this too.  I am not
slamming smail here, but, rather, offering the solution to those still
using sendmail.

There are several hooks for this, and they include:
1) The ability to define a mailertable.
   This is an external database of hosts or subnets and the place to send
   their mail.  This allows one to circumvent a wildcard MX for a distributed
   domain, or avoid MX mailers that are broken.  (PSI comes to mind.)
     I had a client where he was in California, on one internet provider,
     and his parent domain was in DC.  The parent had a wildcard MX for
     outbound email.  The problem was that this host was A) undersized and B)
     the SMTP implementation wasn't SMTP compliant!  The mailertable allowed
     me to re-route mail destined for west-coast systems properly, and
     save about 24 hours on average delivery time.
2) The definition of a smart host.
   This is used to deliver non-local mail, unless there is a wildcard MX
   mailer defined for your domain.

3) Fallback MX host.  When all else fails, this is a nice feature to get
   the queueing off the local host and onto something that can deal with
   delivery problems....

Happy mailing!
Lee

--
   _______                                              ______________
   | | | |              Leland K. Neely                 |  ________  |
   | | | |              U.C.L.L.N.L                     | |`       | |
   | | | |_____         P.O. Box 808 L-613              | |________| |
   | | \______/         Livermore CA 94551              |____________|
   | \_______/          Email: lkn @ llnl . gov         ___|______|___
   \________/           Voice: (510) 422-0140           |____________|
                                                                     \
                                                                     /
                                                                    ||
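
An added illustration, not part of the message above and not taken from the sendmail distribution: the three hooks it lists, written as an m4 `.mc` file for an inside mail host behind an application-level firewall. The macro names follow the cf/README of later sendmail releases and may differ in 8.6.x; every host name and the `/etc/mail` path are placeholders.

```m4
dnl Assumed topology (all names are placeholders):
dnl   corp.example        the inside domain
dnl   hub.corp.example    inside mail hub for bare-domain addresses
dnl   fw.corp.example     application-level firewall that relays mail out
dnl   spool.corp.example  inside host with room to hold a queue
OSTYPE(`linux')dnl
dnl
dnl 1) mailertable: per-domain routes, consulted before the smart host.
dnl    Source text for the map (build it with: makemap hash):
dnl        corp.example     smtp:hub.corp.example
dnl        .corp.example    smtp:%1.corp.example
dnl    A key with a leading dot matches any host under that domain, and
dnl    %1 is the part of the name that matched the wildcard, so inside
dnl    mail is still resolved and delivered directly over SMTP.
FEATURE(`mailertable', `hash /etc/mail/mailertable')dnl
dnl
dnl 2) smart host: anything the mailertable does not claim is handed to
dnl    the firewall, so this host never tries to connect to an outside
dnl    address it was able to resolve but cannot reach. The brackets
dnl    skip the MX lookup for the relay name itself.
define(`SMART_HOST', `smtp:[fw.corp.example]')dnl
dnl
dnl 3) fallback MX: when no listed MX host for a destination can be
dnl    reached, pass the message here instead of queueing it locally.
define(`confFALLBACK_MX', `spool.corp.example')dnl
dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
```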
