HELP! Disabling reverse DNS lookups on client

Similar Messages

• How to disable reverse DNS lookup on SSH login

  How do I disable reverse DNS lookup on SSH login in Solaris 9? I'm using the version bundled with Solaris 9.
  OpenSSH documentation says that I should set UseDNS to no but the option doesnt work in the bundled version of SSH server.
  I do not want to upgrade the bundled version of SSH server. Your help will be greatly appreciated.

  Ah nevermind. I think it was some command I ran changing english.lproj that did this so i am starting over.

• [solved] disable reverse dns caching (pdnsd)

  Hey guys, i have setup pdnsd for dns caching, and it's working fine. There's a small issue though. I would like to disable caching for reverse dns lookups. This is because the cache file is getting filled up with thousand of such entries, due to p2p software such as rtorrent.
  Is there an option for the pdnsd.conf file which can disable this feature?
  Last edited by x33a (2014-01-23 05:51:37)

  After extensive searching, I found that this can be achieved by disabling PTR rr type, but pdnsd won't run without it.
  For reference purpose:
  Support for different rr types can be disabled by modifying src/rr_types.in accordingly (source code file). unfortunately, PTR along with a few other rr types is essential to pdnsd, so disabling it is not an option.

• Is it possible to override authorative reverse DNS lookups?

  Hello,
  I am part of collaborative workgroup which has a group of networked computers that are installed at each others sites. This means that often a server has two names - a "site name", which is the name in DNS, such as BigFoot.yale.edu at X.X.X.5 and a "workgroup name", the name used by the group for distributed processes, such as YaleBigFoot.workgroup.net also at X.X.X.5 in our /etc/hosts file.
  We are trying to use globus and GSI authentication in between the servers which requires valid reverse dns lookups, such that a CN=host/ .
  On unix'y servers, this requires setting up a rather comples /etc/hosts and editing /etc/nsswitch so that /etc/hosts is used authoritively for all lookups.
  I have been trying to replicate this behavior for our Mac users, and I'm running into problems. I have read all the "reverse dns" documentation I can - and it appears that my problem is different.
  I have setup a /etc/hosts file and a /etc/lookupd/hosts configuration file and a /etc/named.conf section for workgroup.net and a /var/named/workgroup.net.zone file.
  However I still get the following output:
  $ host yale-bigfoot.workgroup.net
  yale-bigfoot.workgroup.net has address X.X.X.5
  $ host X.X.X.5
  X.X.X.5.in-addr.arpa domain name pointer workgroup-router-node.net.yale.edu.
  Is it possible to override the authorative reverse lookups?
  Thank you in advance,
  Brendan
  PS: names and address are not actual
  17' SuperDrive Powerbook G4   Mac OS X (10.4.6)  

  However, you can achieve do something that looks similar to overriding.
  class Parent {
    Parent(int i, String s) {
      // do stuff
  class Child extends Parent {
    Child(int i, String s) {
      super(i, s);
      // do Child stuff here
  new Parent(1, "abc");
  new Child(2, "xyz");Although that's not overriding, it sort of looks similar. Is this what you were talking about?

• 9i app 9.0.2.01?Does the reverse DNS lookup have to be set up for a FQDN

  HEy guys:
  I'M ALWAYS GETTING STUCK IN THE SAME PLACE WHEN I AM TRYING TO INSTALL 9I APPSERVER 9.0.2.0.1 REL 2. ITS ALWATYS HAPPENING AT THE oRACLE db CONFIG assistant i have set up my host file and when i ping -a servername i get the full reply back ex. servername.domain.com but now when i ping -a 111.111.111.111 i do not get the host name back this is b/c i do not have the PTR record set up. Do i have to have a reverse dnslookup working for what oracle is stating is "FQDN" and not just the dns lookup working...how is oracle installer looking at this piece.
  that is the only i see that i don't have when i look at my computer name (by the way this is a winnt environment)in properties it has the FQDN. i also have set up the host file correctly resembling 111.111.111.111 servername.domainname.com servername oracleinstall. What else am i missing here guys? thanks for the help in advance
  regards,
  robert

  Actually, these issues were/are documented - see the addendum. Also, the install guide details which files need to be updated with the FQDN/IP.
  Though it does not have to be setup in your DNS server (say if you are just doing it on a single tier to test), those machines which are looking to connect to it would need to have the proper additions to the hosts file as well.
  As for why the 'non-default' http ports, this was a result of Unix security. Non-root users cannot start processes using ports below a specific range. As a result, oracle defaults them to a higher number allowing your oracle account whom lacks root access to start the http service.
  As for non-oracle responses, this isn't really an official forumn. I believe those oracle peeps who do respond here are doing so on their own. If you need official/immediate responses, then i would recommend using metalink for an itar or the metalink forums.
  Now on to Robert's second question. See metalink Note:209114.1: How to Change the Port used for Oracle 9iAS Portal 9.0.x. If you don't have access to metalink, let me know and I can forward the note or post it here.
  Have fun!

• ASA 5520 Reverse DNS lookup Issue

  We are having Reverse DNS issues.
  10.10.0.10 = Exchange Server
  Windows 2003 = DNS server internal.
  Setup: 1 to 1 NAT
  10.10.0.10 smtp --> 70.89.133.218 smtp
  Int gi0/2 = 70.89.133.217
  Incoming Access Rule:
  any --> 70.89.133.218 smtp permit
  When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
  It should be 70.89.133.217.
  This is causing our email to be rejected from external sites due to reverse dns not returning 218. External people say are email is coming from 217. Comcast says the reverse pointer is setup correctly.
  What are we doing wrong?
  Thanks for any help you can offer.

  Correction:
  When we do a WhatismyIp on exchange server it says the IP is 70.89.133.217
  It should be 70.89.133.218
  217 is the interface gi0/2 on the ASA.

• Reverse DNS Lookup Failed!

  I started this thread weeks ago in the mail category, because it was related to sending e-mails to certain accounts. If you could please look at this thread I would greatly appreciate it so I don't have to re-explain the whole situation. I need to get this resolved as soon as possible and I don't know what else to do. I have had tons of help on the subject, yet no one can figure out why it's not working. You can do reverse resolution to my server just fine and my service provider shows it's pointing to my dns servers but somewhere in the mix it won't resolve any other way except directly to mine.
  http://discussions.apple.com/thread.jspa?threadID=323884&tstart=0
  I have read every article on here that has revserse DNS in it, yet still no luck. Thanks.

  Zone File:
  $TTL 86400
  funsunstudio.com. IN SOA ns1.funsunstudio.com. marshall.funsunstudi
  o.com. (
  2006013000 ; serial
  3h ; refresh
  1h ; retry
  1w ; expiry
  1h ) ; minimum
  funsunstudio.com. IN NS ns1.funsunstudio.com.
  funsunstudio.com. IN NS ns2.funsunstudio.com.
  funsunstudio.com. IN A 12.146.245.40
  ns1 IN A 12.146.245.40
  ns2 IN A 12.146.245.41
  mail IN A 12.146.245.34
  funsunstudio.com. IN MX 0 mail
  www IN A 12.146.245.42
  * IN A 12.146.245.42
  oms IN A 12.146.245.42
  named.conf
  zone "funsunstudio.com." in {
  file "funsunstudio.com.zone";
  type master;
  zone "245.146.12.in-addr.arpa" IN {
  file "db.12.146.245";
  type master;
  db.12.146.245 file:
  $TTL 86400
  245.146.12.in-addr.arpa. IN SOA ns1.245.146.12.in-addr.arpa. mar$
  2006013000 ; serial
  3h ; refresh
  1h ; retry
  1w ; expiry
  1h ) ; minimum
  245.146.12.in-addr.arpa. IN NS ns1.funsunstudio.com.
  245.146.12.in-addr.arpa. IN NS ns2.funsunstudio.com.
  32/28.245.146.12.in-addr.arpa. IN PTR ns1.funsunstudio.com.
  32/28.245.146.12.in-addr.arpa. IN PTR ns2.funsunstudio.com.
  34.245.146.12.in-addr.arpa. IN PTR mail.funsunstudio.com.
  42.245.146.12.in-addr.arpa. IN PTR www.funsunstudio.com.
  Yes I know I am resolving it for the whole C-Class, but should not affect my issue. Thanks for the help Camelot. BTW I am basing this all off the e-mail AT&T sent me about the setup, so if it's totally wrong please don't yell too bad.

• Reverse IP lookup

  When I run the "last" command I would like to see IP address of the user instead of the host names. I assume Solaris is doing some type of reverse ip lookup and displaying the host name here. Is there a way of disabling reverse DNS lookup and what other consequenses should I consider before doing so.

  New_DS_User wrote:
  When I run the "last" command I would like to see IP address of the user instead of the host names. I assume Solaris is doing some type of reverse ip lookup and displaying the host name here.More like it does the reverse IP lookup and logs the name. There's no lookup at display time.
  Is there a way of disabling reverse DNS lookup and what other consequenses should I consider before doing so.I don't know any method of doing so for just the login stuff. You could disable DNS, but that has other consequences. :-)
  Darren

• GWIA doing DNS lookup for local address

  Hello,
  I am running GW8.0.2 on Netware 6.5sp8. I have a server that our recreation department uses to send out confirmation emails when a customer signs up for a class. The recreation server and the GWIA are on the same subnet.
  Here's the problem: When the Rec server sends out the first email confirmation, it gets sent out successfully. Subsequent emails after that fail. After about twenty minutes the next email will go out OK again but subsequent emails will fail.
  The verbose logs on the GWIA don't tell me much but the diagnostic logs show what looks like a reverse DNS lookup happening at the GWIA for my local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup fails (probably a timeout) and subsequent emails from this local Rec server get dropped by the GWIA without the DNS lookup.
  DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the Bordermanager DNS and the same thing happens. I've made entries for the local Rec server into a route.cfg file but the GWIA seems to want to ignore these entries and keeps doing the DNS lookup.
  The wierdest part of the puzzle is that if I restart the proxy on the Bordermanager the next email will go out with, of course, subsequent emails failing. I've looked at the proxy dns cache and can't even find an entry for my Rec server.
  Attached are the entries from the Diagnostic logs of the GWIA. Novell tech support has assured me that the GWIA and the BM are working fine. I am also having this problem with a scanner that scans then emails but all other email and Bordermanager are functioning fine. This server and scanner were not having this problem before upgrading to GW8.0.2.
  I don't understand why GWIA is doing DNS lookups for a local address and I don't know what I can do to stop it. Any help would be greatly appreciated.
  This is a successful transfer right after restarting the proxy: 10.0.0.3 is the Rec server, 10.0.0.130 is the GWIA and 10.0.0.1 is the Bordermanager.
  16:04:13 D15 NgwResQuery(3.0.0.10.in-addr.arpa, 1, 12)
  16:04:13 D15 Querying server (# 1) address = 10.0.0.1
  16:04:13 D15 HEADER:
  16:04:13 D15 opcode = QUERY, id = 17615, rcode = SERVFAIL, flags: qr aa rd
  16:04:13 D15 query = 1, answer = 0, authority = 0, additional = 0
  16:04:13 D15
  16:04:13 D15 QUESTIONS:
  16:04:13 D15 3.0.0.10.in-addr.arpa, type = PTR, class = IN
  16:04:13 D15
  16:04:13 D15 rcode = 2, ancount=0
  16:04:13 D15 NgwResQuery failed
  16:04:13 D15 DMN: MSG 2000909 Accepted connection: [10.0.0.3] ()
  16:04:13 D15 Successful login with client/server access: 10.0.0.130:1677
  16:04:13 D15 DMN: MSG 2000909 Receiving file: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\3RD\receive\df30 fad4.221
  16:04:13 D15 DMN: MSG 2000909 SMTP session ended: [10.0.0.3] ()
  This is an unsuccessful transfer:
  16:06:08 D04 timeout
  16:06:08 D04 NgwResQuery: send error
  16:06:08 D04 NgwResQuery failed
  16:06:08 D04 DMN: MSG 2000933 Accepted connection: [10.0.0.3] ()
  16:06:08 D04 DMN: MSG 2000933 SMTP session ended: [10.0.0.3] ()
  Then the successful email comes back into the system:
  16:06:26 AA8 MSG 2000909 Processing inbound message: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\receive\DF30FAD4 .221
  16:06:26 AA8 MSG 2000909 Sender: [email protected]
  16:06:26 AA8 MSG 2000909 Recipient: [email protected]
  16:06:26 AA8 MSG 2000909 Queuing to MTA
  16:06:26 AA8 MSG 2000909 File: ECMAIL/SYS:\PROGRAMS\GRPWISE\WPGATE\GWIA\wpcsin\4\4daf048 2.8m1 Message Id: (4DAF66F2.B67:244:35687) Size: 163.3 Kb

  Thanks Massimo. I could have swore I already did that but when I did it again just to make sure it solved the problem. Appreciate the help. Have a good one.
  Originally Posted by mrosen
  On 02.05.2011 21:06, avanrav wrote:
  >
  > Hello,
  >
  > I am running GW8.0.2 on Netware 6.5sp8. I have a server that our
  > recreation department uses to send out confirmation emails when a
  > customer signs up for a class. The recreation server and the GWIA are on
  > the same subnet.
  >
  > Here's the problem: When the Rec server sends out the first email
  > confirmation, it gets sent out successfully. Subsequent emails after
  > that fail. After about twenty minutes the next email will go out OK
  > again but subsequent emails will fail.
  >
  > The verbose logs on the GWIA don't tell me much but the diagnostic logs
  > show what looks like a reverse DNS lookup happening at the GWIA for my
  > local IP address of 10.0.0.3 (the Rec server). This reverse DNS lookup
  > fails (probably a timeout) and subsequent emails from this local Rec
  > server get dropped by the GWIA without the DNS lookup.
  >
  > DNS is being done by DNS proxy on Bordermanager 9.2. I've bypassed the
  > Bordermanager DNS and the same thing happens. I've made entries for the
  > local Rec server into a route.cfg file but the GWIA seems to want to
  > ignore these entries and keeps doing the DNS lookup.
  >
  > The wierdest part of the puzzle is that if I restart the proxy on the
  > Bordermanager the next email will go out with, of course, subsequent
  > emails failing. I've looked at the proxy dns cache and can't even find
  > an entry for my Rec server.
  The reverse DNS done by GWIA is normal, and can't be stopped or tricked.
  That it fails in such odd ways must be a bug with the reverse DNS proxy
  of Bordermanager though. Apparently on the second lookups, it doesn't
  answer in a timely manner (the type of answer is irrelevant, just it
  *has* to answer). Use a different, "real" DNS server for your GWIA.
  CU,
  Massimo Rosen
  Novell Product Support Forum Sysop
  No emails please!
  Untitled Document

• Set up reverse DNS for virtual mail hosting

  I need a bit of server configuation advice.
  I have a static IP and two public domains on a Snow Leopard server connected using NAT behind a firewall - with the necessary port forwarding to ensure all works. 
  1. abc.com is my primary domain on the server - server.abc.com
  2. I have xyz.com set up as a virtual domain and also as a virtual mail host
  This setup has worked well for a long time but I have found that emails to [email protected] are going missing.  If I check my mx records using one of the web based tools it show an error on the reverse dns for server.xyz.com showing a reverse DNS of server.abc.com.
  So the question - is it possible to have secondary 'virtual' DNS record on the server so reverse DNS works for the virtual mail host xyz.com?  If not how do I handle the reverse DNS problem which i think is causing some external mail server to reject mail due to the inconsistency on the reverse DNS lookup?
  Many thanks for any suggestions

  SMTP requires a DNS A record.
  A DNS A record is also known as a machine record.
  A DNS A record inherently means that forward DNS and reverse DNS will match.
  The forward translation translates the host name to the IP address.
  The reverse translation translates the IP address to host name.
  When the full translation produces the same host name, that's an A record.
  DNS CNAME records are aliases, and are used for virtual hosts.
  CNAME records inherently do not match the reverse DNS translations.
  To get your configuration to work, your server must have an A record.
  That means forward and reverse DNS will match.
  Any of the virtual hosts within your mail server then all use an MX pointing at the A record host.
  If you have your DNS hosted somewhere other than your ISP, then you'll need your ISP to set up a DNS PTR.
  The DNS PTR is the reverse translation; address to name.
  If you have your own DNS services within your network (as would be typical with a privately-addressed NAT'd network), set that up as a virtual host within SMTP.
  Here is some related reading on external (public) DNS, as related to SMTP servers and such.

• Block Reverse DNS failures or not?

  Hey guys,
  Philosphical question, which I honestly didn't think I'd have to ask...
  Do you block messages from servers that fail reverse DNS lookup (eg no pointer record or non matching pointer record)?
  We recently tightened things up, and put those in the blacklist, and I'm seeing more legit senders getting dropped than I expected.
  Am I expecting too much?
  Ken

  You can enable these three checkbox in the sendergroup BLACKLIST:
  -Connecting host PTR record does not exist in DNS.
  -Connecting host PTR record lookup fails due to temporary DNS failure.
  -Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
  Be aware for the False positives.

• WLC 5508 and WPA/WPA2 causes client DNS lookups to fail

  Hi all, we just recently received a brand new 5508 with 6.0.199.4 firmware.  We currently have three LAP-1250s that associate just fine to the WLC.
  For testing purposes only, we enabled WPA2 with both types of encryption TKIP and AES with an ASCII PSK.   The clients are able to connect, authenticate and get an IP address from our local (same subnet) DHCP server.  They also get the DNS info from our DHCP server.   However, the problem is that they are not able to do any DNS lookups.   I haven't run wireshark yet to confirm, but it sounds very familiar to this problem: https://supportforums.cisco.com/message/3202369
  I've even had clients use nslookup with both of my DNS servers and they are not able to resolve.  I'm not sure if the request or the reply is being blocked/dropped, but I can find out tomorrow.
  Now the strange part - if I turn off WLAN security altogether, it works!   That's right, I just disable L2 security for the WLAN and re-connect the clients and they are able to do full DNS lookups.
  AND - if I leave L2 security configured (WPA2 with PSK), and enable L3 Passthrough security - the clients get to the auth web page, click the "accept" button and are then able to do full DNS lookups too.
  What could be the problem here?   There's nothing I see configured for the L2 or L3 security settings that could be the culprit.  We're using default (from Cisco) configuration, so there's no ACLs configured or anything like that to block DNS.
  Another strange thing here which may or not be related - during initial configuration the setup asked for a virtual IP - so I gave it one - 1.1.2.2.   Now when I do an ipconfig /all on the client, I see this 1.1.2.2 address listed as the DHCP server.  Why is this?   It's definitely getting an IP address and DNS info from the correct DHCP server, so not sure why this is showing up.
  Thanks, Matt

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hi Matt,
  Just wanted to jump in, and also mention it may be worth attempting to disable the fastpath feature on the 5508, and test your failing client again.  You may be hitting CSCti34667.
  debug fastpath cfgtool --fc.disable
  This command can be run via Telnet/SSH.  Please keep in mind that fastpath will automatically re-enable periodically, so we recommend disabling every 10 minutes as a workaround for any known fastpath issues.  You can do so by running the following Macro in TeraTerm:
  :mainloop
     sendln "debug fastpath cfgtool --fc.disable"
     pause 600
  goto mainloop
  If you find that disabling fastpath resolves your concern, you can reach out to TAC for an Escalation Image with the fix for this one.
  Best,
  Drew

• T3 client Question (DNS lookups vs IP addess)

  We have a Java Time Entry application that uses Weblogic's T3 client
  to talk to the servers. In the client properties file we currently have the
  DNS name of the servers. I can see that the client does in fact seem to
  do repeated DNS lookups to the resolve the name again as the client
  runs. Is it typical that the DNS name is used or the IP address of the
  server. Asuming I use the IP address instead it should make a good
  performance improvement since I don't have to worry about the DNS
  server getting busy during the day and I also don't have to worry about
  users that are pointing to a DNS server without the entries to our
  Weblogic servers. Any thoughts on this?
  Robert

  r> In the client properties file we currently have the DNS name of the
  r> servers. I can see that the client does in fact seem to do
  r> repeated DNS lookups to the resolve the name again as the client
  r> runs.
  How are you seeing this, and what platform are you running on?
  r> Is it typical that the DNS name is used or the IP address of the
  r> server.
  That's up to you. I think it's easier to use DNS names myself. There
  shouldn't be any performance difference between them, unless you have
  something misconfigured in your DNS servers or clients. Such issues
  aren't really WebLogic problems, though; they're problems with your
  systems and infrastructure.
       <b
  Let us pray:
  What a Great System.
  Please Do Not Crash.
  ^G^IP@P6

• Reverse DNS not function properly ? URGENT HELP ..PLEASE..

  Please tell me how to do a Reverse DNs in java
  e.g IP address of a network machine is 192.168.0.30
  Then how can i get its name (i.e machine name)?
  I know that i mus thave to use a jdk 1.4
  Please prvide a full solution.
  Thanks.

  Not all IP addresses map to a hostname. Try:
  InetAddress.getByName( args[ i ] )And PLEASE don't post messages that say "URGENT"; it turns people off, by implying that your problems are more important thatn everyone else's. See http://forum.java.sun.com/thread.jsp?forum=57&thread=271752

• OS X 10.4.11 Server - configured name and reverse DNS do not match / DNS

  Hi all,
  I have looked for similar posts but all seem to have different scenarios, hoping to get an answer from someone more experienced than myself before I do anything silly.
  Help much appreciated!
  Scenario:
  We run a 10.4.11 OS X Server on an XServe, hosted at an ISP. ISP provides all DNS services, incl. the reversed DNS entry.
  I am currently only running the following services (based on the display in ServerAdmin):
  AFP
  Firewall
  iChat
  Mail
  QuickTimeStreaming
  Web
  All others (incl. DNS) are grayed out. (As ISP instructed us not to add a DNS service on our box, that's "normal" according to my experiences with dedicated /co-location server hosting).
  We never used changeip after the initial setup, meaning the server's
  Current Hostname = somename.local and
  DNS Hostname = mail.ourdomainname.net
  So in system.log I find this re-occuring entry:
  Jul 8 11:41:22 somename servermgrd: servermgr_dns: configured name and reverse DNS name do not match (somename.local != mail.ourdomainname.net), various services may not function properly - use changeip to repair and/or correct DNS
  Finally, my question:
  As Mail and Web services etc. are currently running OK from what I can tell,
  1) do I HAVE to change this at all?
  2) Would it be much better / why?
  3) Could I change this using the following command
  (111.11.111.1 indicating the server's IP address)
  changeip 111.11.111.1 111.11.111.1 somename.local mail.ourdomainname.net
  4) without running a DNS server on the machine, i.e. DNS service is not required for this to work?
  5) obviously I want to be able to use Server Admin after I issue this command...
  6) can I fall back easily in case this would screw it up, or is there no risk whatsoever doing this in my case?
  THANK YOU so much for any help!

  Hi Jonas
  If port 443 is already being used on the same box as KMS then it will complain and probably not start the service? I've seen this with LDAP port 636. This is when Kerio is installed on a server configured as an OD Master. Clearly the port can't be used by both servers.
  It might be easier to change the port your sites are currently using to something else? Although don't do anything yet. Pose the question to Kerio Support and see what advice they offer.
  Yes moving the mail to a local folder on the mail client will do it.
  Is Kerio going on the same box? If its a different box (presumably different IP address?) Then what you can do is to port forward to the new server's IP address instead of disabling it. This way while you are bringing the new server on line users can still send mail right up until the time you give instructions on changing their inbound/outbound mail server details. Of course they won't be able to receive but if you time it right they may not even get an error message? Depends on what their schedules are.
  If it was me I would choose IMAP every time. As the mail admin you have full control and a central location for easy backup. KMS has a built in archiving feature that makes this a simple process. This is an easier option than going round individual client machines and making sure mail held locally in POP accounts are backed up. Besides there is always someone who falls through the loop and I'm not taking into account drive failures. It makes good sense anyway as there is talk of legislation being introduced to make this a requirement for businesses who run their own mail servers. This is certainly true for certain parts of the US and what usually happens there is generally taken up in the UK and most parts of Europe.
  Kerio's WebMail Client means users don't even have to have their own computer. Just as long as they have access to one that has access to the internet they can send/receive mail. No need for dedicated mail applications such as Apple Mail, Thunderbird, Entourage etc. How mail is uses remains consistent for all users.
  Yes. I did this not so long ago with Leopard's built in Mail Server. I sent an e-mail defining a time when no inbound mail would be received. Disabled port forwarding for SMTP port 25 and approx 30 minutes after that another mail stating no outbound mail should be sent. Once everything was swopped over (we were changing from a G4 10.4 server to a G5 10.5 Server) port 25 was enabled, new server brought online and everyone was mailing again with no appreciable downtime.
  These boxes were to have the same IP address hence the slightly different approach.
  Does this help?
  Tony