Slightly OT - MX RR Santity Check requested...

Kevin P. Knox bind-users at
Wed Mar 28 17:59:35 UTC 2007

I've encountered a specific problem FOUR times in the past six months now and 
am kindly asking Bind-Users for some insight.

The problem is sending SMTP servers that don't ever query past the first (hi 
pref) MX RRs.  The first time we encountered this problem, it was with an 
e-mail list server appliance (don't know the exact type/make/model) at a 
local university in our area.  

The second and third times were with new MS Exchange servers.

Now today, I'm working on the same problem with a domain who's SMTP services 
are hosted by Network Solutions Inc. (NSI).  

We use a strategy whereby our lowest numbered (high pref) MX RR is a 
firewalled host.  The higher numbered (lower pref) MX RR designates our DMZ 
SMTP server, which handles e-mail on behalf of the server in the other MX RR.  
The DMZ SMTP server is world reachable on TCP/25.  It's straight out of the 
ORA Nutshell book, "Building Internet Firewalls".  We process 4 million 
messages per month, so I'm pretty sure that other organizations are still 
using MX and firewalls to force mail through the DMZ SMTP server, and then 
deliver back to a better protected mail server.

I've verified that the sending SMTP server only ever queries the first (low 
numbered - high pref) MX RR.  After that...NOTHING.  It never tries the 

The net result is that the sender (in this case) will queue SMTP traffic for 
our domain indefinitely....because they never look up MX RRs any lower than 
the highest pref MX RR.

Has anybody else run into this lately?  

For the curious....   YES!  We plan on configuring transports in place of the 
old Firewall/MX strategy on our Postfix servers ASAP.  

Thanks in advance. :-)

... Kev

More information about the bind-users mailing list