Slightly OT - MX RR Sanity Check requested...

Kevin P. Knox bind-users at rc4systems.net
Wed Mar 28 17:59:35 UTC 2007


I've encountered a specific problem FOUR times in the past six months now and 
am kindly asking Bind-Users for some insight.

The problem is sending SMTP servers that don't ever query past the first (hi 
pref) MX RRs.  The first time we encountered this problem, it was with an 
e-mail list server appliance (don't know the exact type/make/model) at a 
local university in our area.  

The second and third times were with new MS Exchange servers.

Now today, I'm working on the same problem with a domain whose SMTP services 
are hosted by Network Solutions Inc. (NSI).  

We use a strategy whereby our lowest numbered (high pref) MX RR is a 
firewalled host.  The higher numbered (lower pref) MX RR designates our DMZ 
SMTP server, which handles e-mail on behalf of the server in the other MX RR.  
The DMZ SMTP server is world reachable on TCP/25.  It's straight out of the 
ORA Nutshell book, "Building Internet Firewalls".  We process 4 million 
messages per month, so I'm pretty sure that other organizations are still 
using MX and firewalls to force mail through the DMZ SMTP server, and then 
deliver back to a better protected mail server.

I've verified that the sending SMTP server only ever queries the first (low 
numbered - high pref) MX RR.  After that...NOTHING.  It never tries the 
second.  

The net result is that the sender (in this case) will queue SMTP traffic for 
our domain indefinitely....because they never look up MX RRs any lower than 
the highest pref MX RR.

Has anybody else run into this lately?  

For the curious....   YES!  We plan on configuring transports in place of the 
old Firewall/MX strategy on our Postfix servers ASAP.  

Thanks in advance. :-)

... Kev
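
The failure described in the post, as an added example that is not part of the original message: a sender that walks the MX list in preference order ends up at the DMZ host, while one that stops after the first MX keeps the mail queued. The hostnames, preference values and reachability set are constructed; a real check would replace `reachable_from_internet` with a TCP connect to port 25 made from outside the firewall.

```python
from typing import Callable, Iterable, List, Optional, Tuple

MX = Tuple[int, str]  # (preference, exchange); the lowest number is tried first


def mx_order(records: Iterable[MX]) -> List[str]:
    """Exchanges in the order a sender should try them (RFC 5321, section 5.1).
    Ties are broken by name here; real senders randomize among equal preferences."""
    return [host for _, host in sorted(records)]


def deliver(records: Iterable[MX], can_connect: Callable[[str], bool],
            max_attempts: Optional[int] = None) -> Tuple[Optional[str], List[str]]:
    """Return (exchange that accepted the connection or None, exchanges tried).
    max_attempts=None models a sender that walks the whole list;
    max_attempts=1 models the senders in the post that stop after the first MX.
    A result of None means the message stays in the sender's queue."""
    tried: List[str] = []
    for host in mx_order(records)[:max_attempts]:
        tried.append(host)
        if can_connect(host):
            return host, tried
    return None, tried


def blocked_ahead(records: Iterable[MX], can_connect: Callable[[str], bool]) -> List[str]:
    """Unreachable exchanges that sort ahead of the first reachable one.
    A non-empty result means first-MX-only senders cannot deliver to this domain."""
    ahead: List[str] = []
    for host in mx_order(records):
        if can_connect(host):
            break
        ahead.append(host)
    return ahead


# Constructed zone data mirroring the layout in the post.
RECORDS: List[MX] = [(20, "dmz-smtp.example.com"), (10, "mail.example.com")]
REACHABLE = {"dmz-smtp.example.com"}  # assumption: only the DMZ host answers on TCP/25


def reachable_from_internet(host: str) -> bool:
    return host in REACHABLE


if __name__ == "__main__":
    print("full MX walk:  ", deliver(RECORDS, reachable_from_internet))
    print("first MX only: ", deliver(RECORDS, reachable_from_internet, max_attempts=1))
    print("blocked ahead: ", blocked_ahead(RECORDS, reachable_from_internet))
```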


