Kerio User Forums » Kerio Connect » Caller ID TXT record on Leopard DNS (any way to do this?)
  •  
Lyle M

Let me be the first to admit that I am not a master of DNS.

I'm trying to create the _ep subdomain and its TXT record for Caller ID.

If I try to use the Server Admin GUI to add _ep.mydomain.com, I receive an error for the underscore.

If I manually add the record to /var/named/zones/db.mydomain.com.zone.apple a dig command generates the correct results. However, if anyone makes changes in Server Admin, the _ep TXT record is obliterated.

Note that this is a DNS on our LAN that is asserting a false authority for our public domain (it will not forward queries for a domain if the domain is in the zones list). This was done so our Mail Server could live on our LAN. Our public DNS is not OS X and the Caller ID record is doing its job. However, the Kerio server uses the DNS on our LAN and I would like to have that DNS offer up the Caller ID response.

So, other than restructuring my network, do I have any options? Can I add a TXT record to the hosts file on the Kerio server? Should I just instruct everyone to never mod the DNS via Server Admin?!? Would DNS Enabler be a suitable alternative for a DNS GUI on Leopard Server (and allow the creation of the _ep subdomain)?

Thanks for any feedback.
  •  
marook

Hi,

Why do you need the Caller ID internally on your LAN?
Kerio should never ask about CID for itself - as far as I know. I assume you have whitelisted the LAN IP range(s) in Kerio?

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
Lyle M

marook wrote on Tue, 29 December 2009 20:51
Hi,
Why do you need the Caller ID internally on your LAN?

Our mail server points to the DNS on our LAN. I could avoid my caller id problem by pointing the server to our ISP's DNS (which is not where our authoritative public DNS is located). Although, I'd like to hold that as the last resort.

marook wrote on Tue, 29 December 2009 20:51

Kerio should never ask about CID for itself - as far as I know. I assume you have whitelisted the LAN IP range(s) in Kerio?

See Ken's 1st response in the following thread:
http://forums.kerio.com/index.php?t=msg&th=14158&start=0&S=ea41da0666a6bea4c04d89e79ccd675b
And, yes, portions of our LAN are allowed open relay. Although, I'm not sure how that's directly related to the function of caller id - unless I'm really missing something.

Regards,
Lyle
  •  
Lyle M

oops

[Updated on: Wed, 30 December 2009 04:21]

  •  
marook

Hi,

Well, As far as I know, Caller ID is only for SMTP delivery from other servers without authentication.

As soon as your users authenticate (and I surely hope they do!) SPF & Caller ID is not used, so I would assume this is not needed at all on the LAN.

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
Lyle M

marook wrote on Tue, 29 December 2009 22:19
Hi,

Well, As far as I know, Caller ID is only for SMTP delivery from other servers without authentication.

As far as I know, you're absolutely correct! And that's what we're using it for. Those other servers connect to our mail server through our load-balancer and firewall via NAT. The public DNS publishes the public IPs (two for the load-balancer), our internal DNS publishes the internal IP to our LAN users.
  •  
marook

I'm still puzzled why your LAN needs Caller ID...

Is the Loadbalancers SMTP relay servers? (They accept the mail, and relay it into Kerio) or is it 'just' a proxy server?
If they are SMTP relay servers, they should be doing the Caller ID lookup, not Kerio.
If they are proxies, Kerio get a NAT'ed connection via the proxy, but should still get the correct handshake from the original server - right?

So, as I see it, you would need CID on the LAN DNS if the loadbalancers do not check CID.. right? Or did I completely lose it ?? Wink

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
Lyle M

Here's the "load balancer": http://www.ecessa.com/pages/products/products_powerlink_pl100.php

It's not load balancing for SMTP, as I may have unintentionally implied. It's a two-way link aggregation/failover device for our entire network. By placing the mail server on our LAN, the PowerLink allows us two public IP addresses on two disparate ISPs, both pointing to the one host. Ultimately, the PowerLink will become the domain authority DNS, as is part of its design.

Our Kerio server receives the SMTP connections directly from the cloud (after being sniffed by the firewall and all its filters). However, as far as KMS is concerned, it's talking directly to the Net.

So, if a foreign SMTP server attempts to send us an E-mail with a spoofed actual_user<_at_>ourdomain.com from address we need either SPF or Caller ID to catch it. Here are some examples from the security log:

[30/Dec/2009 15:47:09] SPF check failed: The IP address '196.217.245.81' is not in permitted set for sender 'realuser1<_at_>ourdomain.com' (FAIL)
[30/Dec/2009 15:47:09] SPF check failed: The IP address '196.217.245.81' is not in permitted set for sender 'realuser2<_at_>ourdomain.com' (FAIL)

[30/Dec/2009 15:05:15] Caller-ID check failed: IP address 95.135.14.167 is not in permitted set for sender 'realuser3<_at_>ourotherdomain.com'


In the last example, Caller-ID worked because the spoofed sender was a member of one of our domain aliases. That domain alias isn't in the zone file on our LAN DNS so the request for the _ep TXT record is passed on to the public DNS and fulfilled. It would be a nice feature if BIND could be set to say "Yes, I have this domain, but I don't have the _ep sub-domain, let me go get that elsewhere." Years ago, the DNS in our Vicomsoft Gateway behaved that way.

It may be worth noting that there are several servers in the cloud that are allowed to send E-mail on our behalf. So our SPF and Caller-ID records obviously have more than one IP, and no /MX reference.

So, was that clear as mud? Wink I'm sure I'm missing the boat on some lingo; one of the risks of being a jack of all trades.

Happy New Year,
Lyle
  •  
Lyle M

Took a while, but I think I finally have a solution:

1. In Server Admin, select the server running DNS and click on the "DNS" pane.
2. Click on the "Zones" tab.
3. Click to highlight the primary zone record that needs the Caller-ID info (eg. example.com).
4. Click on the "Add Record" drop down menu and select "Add Machine (A)"
5. In the "Machine Name" field enter: ep.example.com. |substituting your primary zone name for example.com. Note, this is not _ep, but ep and there is a trailing period.
6. In the "IP Addresses" list, I entered the IP of the DNS server itself. For the most part, I believe this entry is irrelevant, so long as you don't try to use localhost (127.0.0.1).
7. In "Comments" enter the Caller-ID record. Make sure you don't include the quote marks that the DIG command includes with results.
8. Click "Save."

Test with DIG:

dig <_at_>IP_of_your_DNS ep.example.com TXT +short | the @ is supposed to be an @

If you see your Caller-ID record, move on to these next steps:

1. Repeat steps 1-3 above
2. Click on the "Add Record" drop down menu and select "Add Alias (CNAME)"
3. In the "Alias Name" field, enter ep1.example.com. | again, changing example.com as appropriate.
4. In the "Destination" field, enter ep.example.com. | should match what you entered in step 5 above.
5. Click "Save," stop the DNS, and click on any Server Admin section other than DNS (eg. AFP, DNS, etc).
6. Using your preferred text editor with root privileges (TextWrangler makes this very easy), open the following file: /var/named/zones/db.example.com.zone.apple | this file will have your zone name instead of example.com.
7. Locate the entry: ep1.example.com. IN CNAME ep.example.com.
8. Change "ep1.example.com." to "_ep.example.com." and save the file. This has to be done in the zone file because Server Admin doesn't allow the underscore character. The alias is needed because BIND will error when attempting to load a primary zone with an underscore in the zone name.
9. In Server Admin click on DNS, click on the Zones tab, and expand the example.com zone. The ep1.example.com. CNAME record should be replaced by _ep.example.com. If so, start the DNS.
10. Check the logs for errors.
11. Use DIG to test.

dig <_at_>IP_of_your_DNS _ep.example.com TXT +short

Your Caller-ID record should appear.

I've only done this on a test bed system so far. However, everything looks good. I'm now able to perform DNS changes in Server Admin without blowing out the standalone TXT record I was using previously. I'll do the same for our live DNS within the next few days and post back if anything unexpected occurs.

[Updated on: Mon, 09 May 2011 22:19]
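
An offline check of the finished zone, added here as an example and not code from the thread, Kerio or Apple: it parses a constructed zone excerpt shaped like the records the steps above leave in the zone file and answers the `_ep` TXT query the way `dig` would, following the CNAME to `ep.example.com`. The record text, IPs and the `ZONE_TEXT`/`parse_zone`/`lookup` names are placeholders and assumptions.

```python
import re

# Constructed zone excerpt, mirroring the records the steps above create in
# /var/named/zones/db.example.com.zone.apple. The TXT text is a placeholder;
# the real Caller-ID record is whatever your public DNS already publishes.
ZONE_ORIGIN = "example.com."
ZONE_TEXT = """
$TTL 3600
@                IN SOA   ns.example.com. admin.example.com. ( 1 1h 15m 1w 1h )
@                IN NS    ns.example.com.
ns               IN A     192.0.2.53
ep.example.com.  IN A     192.0.2.53
ep.example.com.  IN TXT   "CALLER-ID-RECORD-PLACEHOLDER"
_ep.example.com. IN CNAME ep.example.com.
"""

def parse_zone(text, origin):
    """Return {(owner, rtype): [rdata, ...]} with fully qualified owners."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$"):       # skip $TTL and the like
            continue
        m = re.match(r"(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)", line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner = origin if owner == "@" else owner
        if not owner.endswith("."):                # relative name: add origin
            owner = f"{owner}.{origin}"
        records.setdefault((owner.lower(), rtype.upper()), []).append(rdata.strip())
    return records

def lookup(records, name, rtype, max_cnames=8):
    """Answer name/rtype the way a resolver would: follow CNAMEs, then match."""
    name = name.lower() if name.endswith(".") else name.lower() + "."
    for _ in range(max_cnames):
        if (name, rtype) in records:
            return [r.strip('"') for r in records[(name, rtype)]]
        cname = records.get((name, "CNAME"))
        if not cname:
            return []                              # no data for this name
        name = cname[0].lower()
    raise RuntimeError("CNAME chain too long")

if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, ZONE_ORIGIN)
    print(lookup(recs, "_ep.example.com", "TXT"))   # what dig +short should show
```

One side effect of the alias worth knowing: a CNAME covers every record type at that name, so a query for `_ep.example.com` A is also answered from `ep.example.com`, which is harmless here because Caller-ID only asks for TXT.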
