Kerio User Forums » Kerio Connect » New Mail Server Setup from Scratch with MX record & DNS
puretech

Messages: 118
Karma: 5
Hi Guys

I was wondering if you could give me some advice on the best way to do my first full in-house mail server setup with MX records, DNS, rDNS, etc.

At the moment we have our MX record with our old ISP, who we also have our domain with, but we have Kerio Connect running in-house, which basically downloads all emails using POP. The setup was done by my predecessor and it was fine until we started getting blacklisted because the reverse DNS doesn't match.

Now I want to set up our mail server from scratch by bringing the MX record here, getting a static (external) IP address, and asking the ISP (the one we will have the external IP address with) to add an entry for rDNS on their side.

My question is: am I right to do the above? What else do I need to secure the network from outside access, apart from the firewall and using NAT on the port? Also, if you can point me in the right direction so we don't have much downtime when we migrate our MX record, it would be much appreciated.

Am I right in thinking that I can set up the MX record here, then tell our MX record holder to add ours as a backup, and then after a few days remove their entry? That way our MX record will be primary and we won't have downtime?

I would appreciate it if you could help me, as it is my first full mail server setup for a company which is live, and I don't want interruption.

Thanks

EDIT: Forgot to add what I will be using.

OpenSUSE or CentOS, Vigor Firewall, Kerio Connect.

[Updated on: Mon, 21 February 2011 12:09]

freakinvibe

Messages: 1542
Karma: 62
You should first set up the new Kerio Connect server. Once it is running correctly and users are migrated, you can switch the MX record to the new server. The PTR record can be set up beforehand by your ISP.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
puretech

Messages: 118
Karma: 5
We are already running a Kerio Connect server. The Kerio Connect server is set up in-house, but the DNS records aren't.

So wouldn't I just have to create a DNS record for, let's say, welcome.tothe.darkside and point it to our external IP address, let's say 174.150.x.x, and then create an MX record on our existing mail server (where Kerio Connect is)?

Do I need to change anything in Kerio Connect?
freakinvibe

Messages: 1542
Karma: 62
Quote:
So wouldn't I just have to create a DNS record for, let's say, welcome.tothe.darkside and point it to our external IP address, let's say 174.150.x.x,

Correct, you have to create an A record for your mail server on the external DNS server.

Quote:
and then create an MX record on our existing mail server (where Kerio Connect is).

Wrong, you have to create the MX record on the external DNS server as well, pointing to the A record you have created before.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
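The three records the thread is circling around (the A record on the external DNS server, the MX record pointing at it, and the PTR record the ISP publishes for the address) have to agree before the MX is switched, because a PTR that does not resolve back to the same address is exactly what got the original poster blacklisted. The script below, added here and not part of the original posts or of Kerio, checks that agreement over a constructed record set; the names and the 203.0.113.0/24 documentation addresses are illustrative, and the old ISP's host is left in as a lower-priority backup MX the way the migration plan in the thread describes.

```python
"""Sanity-check MX, A and PTR records for a mail host before switching the MX.

Added example for this thread, not from the original posts or Kerio. The record
sets below are constructed to stand in for the external DNS server and the
ISP's reverse zone; names and 203.0.113.0/24 addresses are illustrative.
"""

# A records published on the external DNS server (name -> addresses)
FORWARD = {
    "mail.example.com.": ["203.0.113.25"],    # PTR matches the name exactly
    "smtp.example.com.": ["203.0.113.26"],    # ISP PTR names a host with no A record
    "relay.example.com.": ["203.0.113.27"],   # ISP PTR is a generic name that does resolve back
    "static-27.isp.example.": ["203.0.113.27"],
}

# MX records for the domain (zone -> list of (priority, target)); the old
# ISP's host is kept as a lower-priority backup during the migration
MX = {
    "example.com.": [(10, "mail.example.com."), (20, "mx-backup.old-isp.example.")],
}

# PTR records as published by the ISP that owns the address block
REVERSE = {
    "203.0.113.25": "mail.example.com.",
    "203.0.113.26": "static-26.isp.example.",
    "203.0.113.27": "static-27.isp.example.",
}


def check_host(name, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS check for one mail host.

    Returns a list of (level, message) findings; an empty list means the
    host's A record, its PTR and the PTR's own A record all agree.
    """
    findings = []
    addrs = forward.get(name)
    if not addrs:
        return [("error", f"{name} has no A record")]
    for ip in addrs:
        ptr = reverse.get(ip)
        if ptr is None:
            findings.append(("error", f"{ip} has no PTR record; ask the ISP to add one"))
        elif ip not in forward.get(ptr, []):
            # PTR exists but does not resolve back: receivers treat this like no rDNS at all
            findings.append(("error", f"PTR {ptr} for {ip} does not resolve back to {ip}"))
        elif ptr != name:
            # FCrDNS passes, but the HELO name the server announces should equal the PTR
            findings.append(("warning",
                             f"PTR for {ip} is {ptr}, not {name}; announce {ptr} in HELO "
                             f"or have the PTR changed"))
    return findings


def check_mx(zone, mx=MX, forward=FORWARD, reverse=REVERSE):
    """Run check_host over every MX target of a zone, lowest priority value first."""
    return {target: check_host(target, forward, reverse)
            for _, target in sorted(mx.get(zone, []))}


if __name__ == "__main__":
    for target, findings in check_mx("example.com.").items():
        status = "ok" if not findings else "; ".join(f"{lvl}: {msg}" for lvl, msg in findings)
        print(f"{target:32} {status}")
```

Against the constructed data, mail.example.com. passes, the backup MX fails because it has no A record in this zone (in a real migration the old ISP's host would resolve in its own zone), and the two extra hosts show the two ways a PTR can be wrong: one that does not resolve back at all, and one that resolves back under a generic ISP name and only needs the HELO name aligned. Replace the dictionaries with real lookups once the ISP has published the PTR.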
puretech

Messages: 118
Karma: 5
Ah sorry, slip of the tongue (fingers?).

I meant create the MX record on our external DNS server and point it to our mail server (the new A record, of course).

Is that all I need to do? Any settings to be changed on Kerio Connect itself? Before, Kerio was downloading using POP, but when the MX record is changed, do we still need to use POP?

Thanks by the way, freakinvibe, for replying.
freakinvibe

Messages: 1542
Karma: 62
No, you don't need to use POP3 to download your mail from the ISP to your mail server. You will get it directly.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
puretech

Messages: 118
Karma: 5
Thanks.

I have set up a test server with a test domain and it is all working fine, except for some problems sending email externally. I think that's due to the firewall settings I have done.

I will look into it.

What do you guys recommend if I want to open relay but put the server behind a firewall? I want users to access webmail and/or mobile devices, but at the same time I want it to be secure enough.

Which ports should I allow, and should I use port redirections, i.e. forwarding to different ports for the public than the ones the machine uses?
puretech

Messages: 118
Karma: 5
UPDATE:

I have tried everything I required, i.e. having the MX record pointing to the server which is in-house (behind the firewall), and also successfully managed to connect my iPhone to the server.

Now the question is: is there a way to allow or block certain people from accessing emails on their laptops/PC devices when they are not in the office, i.e. outside the company?
benjalamelami

Messages: 157
Karma: 5
I strongly recommend SSL... it is the minimum you can do to boost security. I only opened the outside ports of my firewall to the SSL services of POP3, IMAP, HTTPS and SMTPS, with the exception of SMTP (port 25), which is required to properly use the mail server. I closed all the insecure ones.

Another thing I found useful is to allow only SMTP with authentication. You have to set your external clients that will send mail to use SSL and change the port number to 465 (the default on Kerio). Sadly, this is done manually.

If you want to allow certain people to use your server from outside, then have them use a VPN, and close all ports (except 25) to the outside, but allow connections that come from the VPN and the LAN. Then you can manually give permission as to who can access information.
benjalamelami

Messages: 157
Karma: 5
One basic tool available on the internet for you to know your MX status is www.mxtoolbox.com.

It's quite handy, and gives you a quick insight into your mail server status, as well as whether you are being blacklisted... pay attention to this, but not that much, as there are many blacklists that might have your IP there even though your server is clean (UCE PROTECT LEVEL 3 is known to blacklist broad ranges of public IPs). I don't care about those, and I haven't had any issues. I also strongly suggest that if you make a claim to these blacklists, be very polite; these guys can be very sensitive people and could leave you blacklisted just because they think so.

I have had a bad time being rude with these people XD
puretech

Messages: 118
Karma: 5
Thanks benjalamelami.

I will play around with allowing only secure IMAP and SMTP. I will block webmail access and POP3 too, I think, making users use only IMAP. At the moment I have tried with secure IMAP but haven't with secure SMTP.

So if I have allowed secure SMTP and SMTP, can users still use non-secure SMTP to send messages?
benjalamelami

Messages: 157
Karma: 5
Yeah... I tried to find a workaround... but then... I couldn't... 90% of the time, the people behind technical support at Kerio are friendly... but this time, a tech guy with a bad mood and bad temper told me there was no other way... I dunno if there is...
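The thread leaves the last question (whether plain SMTP can still be used once SMTPS is enabled) unsettled. In general the answer is that port 25 has to stay reachable from the internet so that other mail servers can deliver inbound mail for your own domains; what a server must refuse on that port is relaying to third parties and authentication in the clear, while submission from your own users goes through the encrypted ports with authentication. The policy sketch below, added here and not Kerio Connect's own logic, models that split per recipient; the domain list, port numbers and session fields are assumptions used to make the decision explicit.

```python
"""Per-recipient relay decision for a mail server that is reachable from the
internet on port 25 but only relays for authenticated, encrypted sessions.

Added example for this thread, not Kerio Connect's own logic; the domain list,
port numbers and session fields are assumptions used to model the policy.
"""
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}      # domains this server is the MX for (constructed)
SUBMISSION_PORTS = {465, 587}        # 465: implicit TLS (SMTPS), 587: submission with STARTTLS


@dataclass
class Session:
    port: int            # local port the client connected to
    tls: bool            # session is encrypted (implicit TLS or STARTTLS completed)
    authenticated: bool  # client passed SMTP AUTH


def allow_auth(session):
    """Offer and accept SMTP AUTH only once the session is encrypted, so that
    credentials are never sent in the clear on plain port 25 or pre-STARTTLS 587."""
    return session.tls


def decide(session, rcpt):
    """Return 'accept' (local delivery), 'relay', or an SMTP rejection string
    for one RCPT TO address."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        # inbound mail for our own users arrives from any MTA on port 25 without
        # authentication; this is the one path that has to stay open to the internet
        return "accept"
    # every other recipient means relaying to a third party
    if session.port not in SUBMISSION_PORTS:
        return "554 5.7.1 relay denied on this port"
    if not session.tls:
        return "530 5.7.0 must issue STARTTLS first"
    if not session.authenticated:
        return "530 5.7.0 authentication required"
    return "relay"


if __name__ == "__main__":
    # constructed sessions: an external MTA on 25, a cleartext client on 25 and 587,
    # and a user on 465 before and after authenticating
    cases = [
        (Session(25, False, False), "alice@example.com"),
        (Session(25, False, False), "bob@other.example"),
        (Session(587, False, False), "bob@other.example"),
        (Session(465, True, False), "bob@other.example"),
        (Session(465, True, True), "bob@other.example"),
    ]
    for s, rcpt in cases:
        print(f"port {s.port:3} tls={s.tls!s:5} auth={s.authenticated!s:5} "
              f"{rcpt:20} -> {decide(s, rcpt)}")
```

The useful consequence for the firewall question earlier in the thread is that keeping 25 open is not the same as leaving the server open: with this policy a cleartext connection on 25 can only deliver to your own domains, and nothing it sends can be relayed or used to log in.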