Slightly OT - MX RR Sanity Check requested..

Kevin P. Knox bind-users at rc4systems.net
Thu Mar 29 15:44:30 UTC 2007


Split views may SOON happen here.  We've held off so far because there are TWO 
of us in the entire organization who would know how to troubleshoot it if 
things went wrong.  Soon though, we're acquiring InfoBlox appliances and then 
we may well use views and/or split views.  It's a little harder to make a 
mess of that way.  Not impossible though. :-)

... Kev

On Thursday 29 March 2007 10:41 am, Barry Finkel wrote:
> "Kevin P. Knox" <bind-users at rc4systems.net> wrote:
> > I've encountered a specific problem FOUR times in the past six months now
> > and am kindly asking Bind-Users for some insight.
> >
> > The problem is sending SMTP servers that don't ever query past the first
> > (hi pref) MX RRs.  The first time we encountered this problem, it was
> > with an e-mail list server appliance (don't know the exact
> > type/make/model) at a local university in our area.
> >
> > The second and third times were with new MS Exchange servers.
> >
> > Now today, I'm working on the same problem with a domain whose SMTP
> > services are hosted by Network Solutions Inc. (NSI).
> >
> > We use a strategy whereby our lowest numbered (high pref) MX RR is a
> > firewalled host.  The higher numbered (lower pref) MX RR designates our
> > DMZ SMTP server, which handles e-mail on behalf of the server in the
> > other MX RR.
> >
> > The DMZ SMTP server is world reachable on TCP/25.  It's straight out of
> > the ORA Nutshell book, "Building Internet Firewalls".  We process 4
> > million messages per month, so I'm pretty sure that other organizations
> > are still using MX and firewalls to force mail through the DMZ SMTP
> > server, and then deliver back to a better protected mail server.
> >
> > I've verified that the sending SMTP server only ever queries the first
> > (low numbered - high pref) MX RR.  After that...NOTHING.  It never tries
> > the second.
> >
> > The net result is that the sender (in this case) will queue SMTP traffic
> > for our domain indefinitely....because they never look up MX RRs any
> > lower than the highest pref MX RR.
> >
> > Has anybody else run into this lately?
> >
> > For the curious....   YES!  We plan on configuring transports in place of
> > the old Firewall/MX strategy on our Postfix servers ASAP.
> >
> > Thanks in advance. :-)
> >
> > ... Kev
>
> This is a good case for split-views.  The external view has MX records
> pointing to your border firewall mailer, and the internal view has
> MX records pointing to your internal mailer.  We use split views for
> this purpose.
> ----------------------------------------------------------------------
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:    +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
> Building 222, Room D209              Internet: BSFinkel at anl.gov
> Argonne, IL   60439-4828             IBMMAIL:  I1004994
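
Added example, not part of the thread and not code from either poster: a Python check for the MX layout discussed above, which walks the MX set in preference order the way a sender is expected to and reports when delivery only works if the sender falls back past the most-preferred record. The hostnames, the preference values 10 and 20, and the reachability map are constructed for illustration.

```python
import socket

def smtp_reachable(host, port=25, timeout=5.0):
    """Live probe: can a TCP connection be opened to host on port 25?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def pick_mx(records, probe=smtp_reachable, first_only=False):
    """Return the MX target a sender would deliver to, or None (mail stays queued).

    records: list of (preference, hostname); the lowest number is tried first.
    first_only=True models the senders described in the thread, which stop
    after the most-preferred MX instead of walking the rest of the list.
    """
    ordered = sorted(records)
    if first_only:
        ordered = ordered[:1]
    for _pref, host in ordered:
        if probe(host):
            return host
    return None

def audit(records, probe=smtp_reachable):
    """List findings for an MX set as seen from wherever probe() runs."""
    if not records:
        return ["no MX records"]
    findings = []
    best = min(pref for pref, _ in records)
    for pref, host in sorted(records):
        if not probe(host):
            kind = "most-preferred" if pref == best else "backup"
            findings.append(f"{kind} MX {host} (pref {pref}) not reachable on TCP/25")
    if pick_mx(records, probe) and pick_mx(records, probe, first_only=True) is None:
        findings.append("delivery depends on sender fallback to a less-preferred MX")
    return findings

# Constructed sample: firewalled host at pref 10, DMZ relay at pref 20.
SAMPLE_MX = [(20, "dmz-smtp.example.com"), (10, "inside-mail.example.com")]
EXTERNAL_VIEW = {"dmz-smtp.example.com": True, "inside-mail.example.com": False}

def sample_probe(host):
    """Offline stand-in for smtp_reachable(), as seen from the Internet."""
    return EXTERNAL_VIEW.get(host, False)

if __name__ == "__main__":
    for line in audit(SAMPLE_MX, sample_probe):
        print(line)
```

Run from a host outside the firewall with the default `smtp_reachable` probe to audit a real MX set.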


