Setting an MX record in the local DNS?

Hi, I have a few servers running in my local net (LAN) and a proper mail server in DMZ.

I want to let sendmail send mails from the servers using the proper mail server as a relay, which I’ve done with my previous firewall.

I’ve set up the IP address for the mail server, so performing an nslookup or dig will serve the correct IP address. But from a tcpdump I’ve made on the Turris, I can see that the sendmail software asks for an MX record, which of course is my public IP address outside the Turris firewall/router. Turris rejects traffic from inside to the public IP address.

So either I have to find a way to let traffic from inside go out to the outside IP address and back in, or set up the local DNS resolver in Turris to respond with a proper IP address when querying for the MX record.

Which would be the easiest way to configure, and how do I do it?

Simple DNS additions in knot-resolver are just for A and AAAA records at this moment (and the corresponding reverse mappings); MX is doable via a Lua plugin, but not as simple.

Still, I don’t fully understand the situation, as an MX record is supposed to contain a domain name, not an IP address.

Hi, vcunat

My situation is that I have several domains in my network. And I didn’t know that sendmail looks up the MX record. In my previous firewall I just set up the host names and that worked fine.

But with the DNS server in the Turris it’s just not very intuitive where and how to enter the host and domain names.

I’ve put in “dk” in one of the fields in the TUI menu so the knot hints in /tmp are correct. But I find this a bad solution. I’ve just not come across any documentation that tells me what I should do.

@vcunat

I’d hit you up in #nixos but you’re hardly there anymore.

Anyway, I have the same issue. I need to tell my router to use an MX record. The setup is as follows:

Domain hosted on a different server. Mail server hosted on the local LAN behind NAT. If there’s no MX record it will make the global lookup, which leads back again to the same server.

On my current ASUS RT-AC68U with Merlin Firmware I have this entry which I need also to apply to the Turris router:

admin@asus-ac68u:/tmp/home/root# cat /jffs/configs/dnsmasq.conf.add
mx-host=domain.tld,mail.domain.tld,10

So, how to achieve the same with Knot-Resolver? You said it is possible with some Lua script.

Hehe, I’ve never been much on IRC or similar channels. It’s just too “noisy” for me, and I’ve had little time lately anyway.

Let me be more concrete. Each global DNS entry for MX will NOT contain an IP address but a domain name, e.g.

nic.cz. 1800 IN MX 10 mail.nic.cz.

I would personally just redirect that name mail.nic.cz to a different address on the LAN, and you can do that relatively simply. There might even be some clickable way, I’m not sure, but it should certainly still work to follow DNS redirection.

For @hyper_ch and anyone wanting a simple MX override, here’s an example for knot-resolver’s config:

modules = { 'policy' }

-- ffi is preloaded in kresd's Lua environment; the explicit require is harmless.
local ffi = require('ffi')

-- Owner name to answer for, in wire format (todname is provided by kresd).
local mydname = todname('some.domain.test')

local function ans_mx(state, req)
	local qry = req:current()
	local answer = req.answer

	-- Only handle an exact match of the name AND an MX query type;
	-- everything else falls through to normal resolution.
	local is_exact = ffi.C.knot_dname_is_equal(qry.sname, mydname)
	if (not is_exact) or qry.stype ~= kres.type.MX then
		return nil
	end

	ffi.C.kr_pkt_make_auth_header(answer)
	answer:rcode(kres.rcode.NOERROR)
	answer:begin(kres.section.ANSWER)

	-- MX RDATA is a 16-bit big-endian preference followed by the exchange
	-- name in wire format (a domain name, never an IP address).
	-- You can repeat these lines multiple times to have multiple MX records.
	local mx_prio = 10
	local mx_TTL = 900
	answer:put(qry.sname, mx_TTL, answer:qclass(), kres.type.MX,
		string.char(math.floor(mx_prio / 256), mx_prio % 256)
		.. todname('my.mx.target'))

	return kres.DONE
end

-- Attach the action to queries under some.domain.test (the exact-match test
-- inside ans_mx filters out subdomains).
policy.add(policy.suffix(ans_mx, {mydname}))

For adding custom config see the wiki.

Note: knot-resolver isn’t meant for authoritative data, so this example only answers direct queries and doesn’t in any way change other related queries; e.g. if this addition created an empty non-terminal, it might “incorrectly” answer NXDOMAIN for it, etc.

In case you use a function similar to what I posted, see Kresd crashes with policy configuration and FQDN as router name
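As an added example (not code from this thread or from knot-resolver), the following Python builds and parses exactly the bytes that the answer:put line in the Lua config above hands to kresd: a 16-bit preference followed by the exchange name in DNS wire format. It also lists the names a sender has to look up next, which is the point made earlier in the thread: the MX answer carries a domain name, and that name still needs an A/AAAA answer pointing into the LAN. The names my.mx.target and example.test are constructed for the example.

```python
import struct


def encode_dname(name):
    """Wire-format domain name (RFC 1035 section 3.1): one length byte per
    label, then the label bytes, terminated by a zero byte for the root.
    This is the same encoding kresd's todname() produces."""
    name = name.rstrip('.')
    out = bytearray()
    if name:
        for label in name.split('.'):
            raw = label.encode('ascii')
            if not 1 <= len(raw) <= 63:
                raise ValueError('bad label length in %r' % name)
            out.append(len(raw))
            out.extend(raw)
    out.append(0)
    if len(out) > 255:
        raise ValueError('name longer than 255 octets: %r' % name)
    return bytes(out)


def encode_mx_rdata(preference, exchange):
    """MX RDATA (RFC 1035 section 3.3.9): 16-bit preference in network byte
    order followed by the exchange name. This is what the Lua expression
        string.char(mx_prio / 256, mx_prio % 256) .. todname('my.mx.target')
    in the config above evaluates to."""
    if not 0 <= preference <= 0xFFFF:
        raise ValueError('preference must fit in 16 bits')
    return struct.pack('!H', preference) + encode_dname(exchange)


def decode_dname(buf, offset=0):
    """Parse a wire-format name starting at offset; returns (name, next_offset).
    Compression pointers are rejected: they never occur in RDATA we build
    ourselves, and following them blindly is a classic parser bug."""
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError('compression pointer at offset %d' % (offset - 1))
        labels.append(buf[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels) + '.', offset


def decode_mx_rdata(rdata):
    """Inverse of encode_mx_rdata; returns (preference, exchange_fqdn)."""
    if len(rdata) < 3:
        raise ValueError('MX RDATA too short')
    preference = struct.unpack('!H', rdata[:2])[0]
    exchange, end = decode_dname(rdata, 2)
    if end != len(rdata):
        raise ValueError('trailing bytes after exchange name')
    return preference, exchange


def follow_up_queries(mx_rdatas):
    """Names a sender such as sendmail resolves after receiving these MX
    records, lowest preference first. Each of them needs an A/AAAA answer
    that points into the LAN (for instance a kresd hint) before a relay
    from inside the NAT can reach the mail server."""
    parsed = sorted(decode_mx_rdata(r) for r in mx_rdatas)
    return [exchange for _, exchange in parsed]


if __name__ == '__main__':
    # Constructed sample: the same record the Lua config synthesises.
    rdata = encode_mx_rdata(10, 'my.mx.target')
    print(rdata.hex())                      # 000a026d79026d78067461726765740
    print(decode_mx_rdata(rdata))           # (10, 'my.mx.target.')
    print(follow_up_queries([rdata]))       # ['my.mx.target.']
```

The hex dump makes the Lua arithmetic visible: the first two bytes are the preference (0x000a for 10), and what follows is the exchange name, so the only way to land the relay on a LAN address is to answer the subsequent A/AAAA query for that name locally.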