setting up my nameserver on new plesk plan

[ilustrate]

hello everyone. i just started my new Virtual Private Server Plan today and need to get my DNS setup. I want to have my own nameservers so that all my customers and even my other sites could all share the same nameserver info. I'm assuming I need a minimum of two nameservers. I purchased a new domain name for this purpose. The domain is still sitting at DirectNic in default settings. I requested from my hosting provider additional IP's to handle DNS and I currently have 3 IP's. All IP's already have a subnet mask of 255.255.255. I haven't done anything to my settings other than enter my general information. Could someone help me getting this setup? If I go to server and then click on DNS, I have a heading called DNS zone template. 8 DNS records total with default host / record type / value listings underneath. Where do I start?

 

[jamesyeeoc]

1. Delete the PTR record. It's cleaner having a single PTR record per IP address, not one PTR per domain on a shared IP. You can manually add a single PTR later to whichever single domain you wish (per IP).

2. Did you register your new nameservers (and specify IP addresses for them) at your registrar?

3. You can add a TXT record to the template for SPF (see http://spf.pobox.com/wizard.html)

4. If your default template has 2 A records like:
ns1.<domain>. A <ip>
ns2.<domain>. A <ip>

You can delete those, just leave the ones which show:
<domain>. NS ns1.yournewdomain.com
<domain>. NS ns2.yournewdomain.com

This will allow your nameservers to be auto created for all new domains you host, rather than having client domain specific nameserver names created.

5. The other records for mail. webmail. *. you can leave those alone.

6. Add any other customizations you wish to have (if any)

7. Wait for your new domain and nameserver info to propagate to the other DNS servers around the world.

8. Familiarize yourself with all aspects of the control panel.

9. Read the manuals, ask questions, get answers, keep asking until you are clearly understanding how things work.

10. Make sure your server is as secure as possible before jumping into hosting. Read up on firewalls, mod_security, secure kernels, etc, etc.

11. Never forget to treat your clients (paying?) right.

12. Try to have fun with it, afterall, if we can't have fun then isn't life a bit of a waste...? lol

 

[ilustrate]

This is what I have already as default

<domain>. NS ns.<domain>.
<domain>. A <ip>
<domain>. MX (10) mail.<domain>.
<ip> / 24 PTR <domain>.
ftp.<domain>. CNAME <domain>.
mail.<domain>. A <ip>
ns.<domain>. A <ip>
webmail.<domain>. A <ip>


Are you saying it should look like this?

<domain>. NS ns1.mynewdomain.com
<domain>. NS ns2.mynewdomain.com
<domain>. A <ip>
<domain>. MX (10) mail.<domain>.
ftp.<domain>. CNAME <domain>.
mail.<domain>. A <ip>
webmail.<domain>. A <ip>

what else am I missing? Where do I enter both of the
IP address?

 

[jamesyeeoc]

To associate the 2 IPs with the ns1 and ns2 for yournewdomain.com (which you say you just registered), you would login to your DirectNic account and find their page to register new nameservers.

Upon filling out the nameserver names, there should also be a field to put in the corresponding IP address for each name server.

Your Plesk DNS template does not need to show the IPs for the ns1/2.yournewdomain.com servers. The NS entries:

<domain>. NS ns1.yournewdomain.com
<domain>. NS ns2.yournewdomain.com

are entered into the DNS Zone file for each hosted domain. The IP addresses once registered (at your registrar DirectNIC) will be found at the TLD nameservers.

 

[ilustrate]

i'm beginning to understand a whole lot more now. thank you. i'm really unsure now what step to take now. I have already created a new nameserver with my new domain name i purchased with DirectNic. I listed ns1.mynewdomain.com with one of the three IP's i have. then I did the same for ns2 with the other IP. I would like to use mynewdomain.com for a web site. i set it up and have to wait a little for the nameserver to switch. I ended up purchasing another domain for a new client and entered the new name server information. within minutes the new site was up and ready to roll. a dns record showed about perfect but mentioned spf. i need to get spf working really quick. will i be adding a spf text file in dns for every domain separately? i visited the link you sent but am unsure how to proceed.

 

[jamesyeeoc]

You can either do the SPF records manually for each, or in the DNS template make a TXT record:

<domain>. TXT "v=spf1 a mx include:yournewdomain.com ~all"

or

<domain>. TXT "v=spf1 a mx ~all"

Some of it depends on the exact setup of your server, and which exact domain name answers for the mail server.

The first option specifically puts yournewdomain.com as an allowed mail server for the other domain (probably safer doing this). For your own domain you could do the second one since the domain name is the same as the mail server domain name.

Since I don't know which of your 3 IPs are bound to which NIC (assuming you may have more than one network adapter), and which one is the 'primary' which Qmail will use to send from, another way you could cover your bases would be to list the IPs in the SPF record:

"v=spf1 a mx ip4:192.168.100.1 ip4:192.168.100.2 ip4:192.168.100.3 include:yournewdomain.com ~all"

You could do the simple line and test to see if there are any problems, should not be since SPF is not widely implemented/in-use yet. Even some of the big places (MSN/Hotmail and AOL) are still doing a lot of testing, not doing full reject on no SPF (yet).

Hope this is clear, not sure I'm being coherent right now (pain killers are wonderful!)

 

[ilustrate]

damn you give a guy so many options. you really make me sit here and think.

 

[jamesyeeoc]

The less concrete info I have to work with, the more options I give. As I said, since I don't know the specific config of your server, I have to try and cover as many options as I can think of.

If I made a bunch of assumptions and told you 'do exactly this ....' and it didn't work, then I would look really dumb (which I'm not).

The other purpose is to give newbie admins some food for thought and some insight as to how things work.

Sorry if it is confusing for you, but I can only give advice based upon whatever info is posted.

The pobox site has additional info about SPF, I would suggest reading up on it, as well as googling for other sources, searching this and other forums for more info as well.

If it were a single dedicated server with a single domain, then the SPF record would be very short and sweet. When you have virtual hosting, it can be a little more complicated but not really difficult. SPF is still in it's infancy, so there will be more changes to the 'spec'. As a good friend of mine always says, "don't sweat the little stuff"

 

[ilustrate]

i've been reading about spf and have a question. does this mean that if spf is enabled i would have to send all my email from the webmail panel? would i not be able to send mail from outlook or incredimail? i normally use incredimail and use my ISP's outgoing mail server IP. Would my SPF record keep me from sending from these programs?

 

[jamesyeeoc]

Hopefully your ISP would have their own SPF records in place.

But since you use the ISP mail server, you would then add their domain in the 'include' portion (as they mention).

From my way of thinking, doing this could possibly allow other people on the same ISP to spoof mail from your domain. Personally I would use my own email servers instead of the ISP's (why else would you run your own mail server!?!)

I know that's not possible in all situations due to port 25 blocking on some ISP networks, but from a business DSL/T1 standpoint, all providers I have ever dealt with who provide businesses will remove port blocking upon request.

I had to do that for quite a few of my clients back in Feb when SBC turned on port blocking with no notice, according to them they sent out snail mail and emails to all clients (which is b.s.).

SPF will undergo additional changes in due time. Remember, the internet is a living being unto itself, ever changing....

 

[CrackGoogle]

Great thread guys.

If I may add my .50.

Plesk comes out of the box (on a 1and1 setup anyway) with SSL encryption working.

While you can do it over 25, you can also do it over 465 (port).

I too have clients with SBC and they pulled a poopy like the other gentleman stated. They do this under the guise of "stopping" spam, but all they are really doing is collecting intelligence on their customers. (e.g., who you email to, what is in the message if they so desire to read, time message sent, how many emails you sent, where you send most of your emails, to, etc. Everyone is taking our privacy by the second (including you Plesk, don't act like you are innocent) and I will take any reasonable step to counter this as best I can).

Anyway, you should have ALL of your clients as well as YOURSELF using SSL authentication and encryption. Why? Well, you know that airport you connect to and check mail from your notebook with? Well, pretty easy to read your emails and sniff your password. How about that free wifi hotspot at your local coffee shop? Can you visualize the college/high school students laughing as they read your emails and capture your login/password pair.

I am frequently suprised the SSL authentication and encryption has been the exception and not the rule. I am sure anyone who knows what I am talking about would agree. There is really ver few reasons (if any) that I can think of that would keep someone from not encrypting email to and from their server.

Yes, I know, if someone on the other side does not encrypt, etc. it kills the mojo, but the idea is that you are confident that you are not being sniffed to an from your own server. This is paramount when you are working from a non-trusted network (wifi hotspot etc.). For the ideal solution, you can use pgp to make sure all emails are encrypted. But that will take more time before it is widely adopted.

So, use port 465. Use your own server and not your ISPs. It's none of their business who you talk to, when you talk to them, and what you are talking to them about. We have plenty of big brothers "helping" us and we don't want to make them jealous now do we?

Lol, great thread, thanks.



Crack Google!

 

[CrackGoogle]

Regarding SPF

One other thing regarding SPF records. Here is what I have decided after racking my brain and reading posts like this.

I have a server that is responsible for sending/receiving email for the domains it hosts.

I am setting up plesk with the default SPF record.

v=spf1 ip4:x.x.x.x/32 a mx -all


x.x.x.x = my smtp server's IP address, same IP as the server that hosts the domains.

Here is what I understand and I am sure there are better ways, but this is what my lazy mojo came up with.

v=spf1 (ok, we have a SPF record, blah blah)
ip4:x.x.x.x (only acccept email on behalf of this domain if it comes from this ip address)
a,mx (same thing as above, just different ways to slice the pie)

and -all is used to say, it is does not come from this server, don't accept it.

Now that is my default. Here is what will happen. You will get calls from your clients because you did not use ~all, but rather -all. This means that you are saying, look, it comes from my server, or it's a fake. If you had sad ~all, then you would be saying, watch this email closely as it is not coming from my server and I can't be certain that it's a fake or not, you are on your own receiving server of this email.

So you get a call from your client, HEY HOW COME I AM GETTING BOUNCED WHEN I SEND TO XYZ.COM, that NEVER HAPPEND.

Here are your three choices mr client. First, are you using our mail server or another mail server? Most likely, they are NOT using "our" server and that is why it is bouncing. SO, tell them to use your server and avoid getting bounces from emails that you never even sent (someone forged an email with your domain name in the email name, do you want that?)

Or, fix their SPF record so that the -all, reads ~all instead. This way they can do what they want, but they may have their emails treated with greater scrutiny by spam blockers etc.

Or, +all, means you have an SPF record, but you don't care where your email is coming from. Just consider it valid. This may actually hurt them as well.

It's ugly out there. Things should work reasonably well if everyone followed the RFCs. But then the Internet wouldn't grow as fast. Over time it will get regulated and if you want to get on the grid, you will HAVE to abide by the rules. You will probably require a federal license, etc. It's just a matter of time. For now it's laisse fair, (think i spelled it correctly) and that is bullish for the growth of the Internet.

The Bottom Line:

Use SPF records

Have your clients use YOUR SPF enabled Server that is responsible for handling their domain's email.

Default to protect them the most, and be ready to change it to accomodate them if they don't opt to use your email server.

That's my take anyway. If ANYONE has input, I MORE THAN WELCOME it as this is the best I came up with based on my situation and I COULD HAVE IT WRONG, so please. Feedback feedback feedback.

PLESK STOP YOUR ADVERTISING ON MY SERVER!