Koozali.org: home of the SME Server

DNS for email on multiple IP

Offline Fumetto

  • *
  • 874
  • +1/-0
DNS for email on multiple IP
« on: October 29, 2018, 01:30:28 PM »
I have an SME behind a PFSense with 3 WAN. What is the correct way to set the DNS to have the server reachable on all three IPs?
Do I have to create a lot of DNS A and/or MX records for each IP?
Do I have to use CNAME?

Currently I have a server.domain.it on IP1, server2.domain.it on IP2 and server3.domain.it on IP3, but in fact the server replies on all three IPs with server.domain.it ...

Wanted useful and updated info, thanks to everyone.

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: DNS for email on multiple IP
« Reply #1 on: October 29, 2018, 02:55:37 PM »
I really depends on your usage I think.

I have 2 WAN IPs and I set one as the 'main' and one as a backup for mail

So

IP 1.1.1.1
A record
main.myserver.com
mail.myserver.com


IP 2.2.2.2
A record
backup.myserver.com

MX record

10 mail.myserver.com
20 backup.myserver.com

That is very simple - all I am really concerned about is receiving mail if the first IP goes offline.

I think what you are probably looking at is wanting 3 IPs all pointing to the same hostname so the hosts can be reached via any of the 3 IPs.

e.g.

1.1.1.1
2.2.2.2
3.3.3.3

A record

mail.myserver.com
www.myserver.com



To do that you need round robin DNS I think:

eg

https://www.digitalocean.com/community/tutorials/how-to-configure-dns-round-robin-load-balancing-for-high-availability

http://help.dnsmadeeasy.com/managed-dns/records/round-robin/

(I might have to go investigate that more myself !)

I think you need to be careful with CNAMES and MX records.

HTH
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Fumetto

  • *
  • 874
  • +1/-0
Re: DNS for email on multiple IP
« Reply #2 on: October 29, 2018, 04:10:14 PM »
OK, my current situation is as follows:

Record A

server.domain.tld 1.2.3.4
server2.domain.tld 1.2.3.5
server3.domain.tld 1.2.3.6

MX record

10 server.domain.tld
20 server2.domain.tld
30 server3.domain.tld

The problem to be solved was the downside of an ISP. Send via smarthost, 3 IP with 3 different ISPs, if down an ISP the "services" are "switched" on another IP (ISP) and everything works ... right? Or am I forgetting something?

My doubt is if it was right to do so or use a system with CNAME or other ... and also in communication the server always presents itself as server.domain.tld, can it be a problem?

Thanks anyway for the exchange of views ... ^ _ ^

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: DNS for email on multiple IP
« Reply #3 on: October 29, 2018, 04:46:30 PM »
Outbound traffic

If you have only one ACTUAL server then it is up to pfsense to route outbound to the smarthost.

You have to use a multi WAN setup for that eg https://www.netgate.com/docs/pfsense/routing/multi-wan.html
There are several different options to do that with load balancing/failover etc etc.

That's all fairly straightforward.

The only issue is if each different ISP requires you be using their actual link when you login/send email. If they don't care where the connection comes from because it has to be authenticated then you are OK.

Inbound traffic

Your MX records should be OK. If an upstream server fails to deliver to 1.2.3.4 then it will pick the next IP, and then the next. Your server knows it hosts mail for domain.tld so should accept it (mine seems to)

The tricky part is with www or imap/mail

If say 1.2.3.4 goes down, where will enquiries go for www.domain.tld, or email clients connecting to imap.domain.tld ?

The only way to solve that is with round robin DNS as I mentioned earlier. It seems you can use CNAMEs but you just have to be careful with MX records.

Quote
For example, assume two different A records, example.com pointed to 1.2.3.4 and example.com pointed to 1.2.3.5. We would then have a www.example.com CNAME record that aliases to the root records of the domain

So you would have:

A 1.2.3.4 domain.tld
A 1.2.3.5 domain.tld
A 1.2.3.6 domain.tld
CNAME www.domain.tld
CNAME imap.domain.tld

Then your own records as you mentioned:

Record A

server.domain.tld 1.2.3.4
server2.domain.tld 1.2.3.5
server3.domain.tld 1.2.3.6

MX record

10 server.domain.tld
20 server2.domain.tld
30 server3.domain.tld

Something like that should fix it.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: DNS for email on multiple IP
« Reply #4 on: October 30, 2018, 12:06:14 PM »
My two cents:

Server Communications:

* If you have fixed IPs and can use fixed A and MX records, do so.  Some systems complain about MX records that point to CNAMEs
* Include all your WAN IPs in your SPF record
* Make sure that the PTR record for each WAN IP returns an A record that matches the IP (it doesn't need to match the A record in your MX record, but it has to return an A record whose lookup will return the same IP)
* Don't include the WAN information in your MX record for any ISP that blocks inbound traffic on port 25
* If any of your internet providers block outbound traffic on port 25, you'll have to setup the SME to use an external smarthost for relaying outbound email or accept that outbound email will stop working if you end up failed over onto that connection.

Email Clients / Users:
Use a local hostname on the SME with a matching dyndns entry (or CNAME -> dyndns entry) for external access -- so that one DNS name always points to your mail server.  The external entry must change by itself if the primary (or or primary and secondary) WAN interface goes down.

For example:
My email client points to "office.mmsionline.us", which is defined as a host on my sme server:
Code: [Select]
db hosts show office.mmsionline.us
office.mmsionline.us=host
    ExternalIP=
    HostType=Self
    InternalIP=
    MACAddress=
    ReverseDNS=yes
    static=yes

There is an external CNAME for my server name that points to a dyndns entry:
Code: [Select]
nslookup office.mmsionline.us 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
office.mmsionline.us canonical name = mmsi.homeip.net.
Name: mmsi.homeip.net
Address: 99.56.186.98

Any my router is running a dyndns client that keeps "mmsi.homeip.net" up-to-date.

I am using a CNAME because my primary DNS provider does not support dynamic DNS updates.  If I were using DynDNS for my external DNS, I would not need the CNAME (I could program the router to update the A record for my active WAN connection).

Final notes:
* My SME server only has one ISP with a dynamic DNS -- but I use this exact scheme at work with 3 ISPs who all provide fixed IPs and a Sophos router that updates the dyndns record behind the CNAME if the primary (or primary and secondary) connections fail.

* I could use the dyndns entry directly at work for email clients if I created a local DNS entry for it -- but my users would not be particularly happy using "mmsi.homeip.net" for webmail and email setup...

* My understanding of round-robin dns is that it is used for load balancing inbound connection between multiple external users - the first user gets the first IP, the second user gets the second IP -- but each user keeps using the same IP for any single session to avoid confusing the server. In this instance that would actually create a system where all three connections have to be up at all times to prevent users from getting connection errors.

[edit]
* fix some confusing language in the first paragraph of "Email Clients / Users:"
* add a note about round-robin DNS

[edit2]
* Inconsistent hostname obfuscation replaced with actual data since I leaked it already in a couple places...
« Last Edit: October 31, 2018, 12:01:47 PM by mmccarn »

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: DNS for email on multiple IP
« Reply #5 on: October 30, 2018, 12:56:33 PM »
Nice...

More informed than mine (as I am no DNS expert !)

I think the clear gotcha often mentioned is not mixing MX Records and CNAMES
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation