Stone Emissary
XFox
Posts: 11
Registered: ‎07-19-2010
Accepted Solution

E-mail delivery to domains without MX records - Implicit MX rule


Hi all,

I'm troubleshooting an InterScan Messaging Security Suite (IMSS) 7.1 Windows installation that cannot relay e-mails to some valid e-mail addresses. I state that the e-mail addresses are valid because I tried to send test e-mails from third party e-mail addresses and SMTP servers, and it worked.

When I try to send an e-mail to such an e-mail address with IMSS 7.1, I receive back a "Delivery Final Failure Notice" e-mail containing the "Relay domain does not exist." error message.

I did some digging and I found that the issue is that the domains we are talking about don't have any MX record.

Until a few days ago, I was convinced that an MX record was absolutely needed for a domain that wants to accept e-mails. However, I found this is not really the case:

 

RFC 2821 and the "implicit MX" rule

 

So, the next step was to find out why IMSS wasn't obeying the RFC.

I used the Case Diagnostic Tool to activate debug logs, expecting to find something like this (the following text is from the EN-1036207 Trend Micro article):

 

2007/10/04 14:27:44.343 [3856:3884] 00 W SendMail: Query MX for nonexistent.abc failed, use the domain name to relay. [sendmail.cpp(987)]

2007/10/04 14:27:44.343 [3856:3884] 00 D SendMail: Query A record for nonexistent.abc. [sendmail.cpp(898)]

2007/10/04 14:27:44.343 [3856:3884] 00 I DNSQuery: _dnsqQueryServer for nonexistent.abc and DNS_TYPE_A, from system DNS server returned 0x10002001 [dnsquery.cpp(373)]

2007/10/04 14:27:44.343 [3856:3884] 00 E SendMail: Send to [nonexistent.abc] failed. [sendmail.cpp(1261)]

 

Actually, in the tsmtpd.log file I found:

 

2010/07/16 11:34:59.917    [6036:3020]    81    W    Query MX for mydomain.com failed, deny the recipient directly.    (D5EFFF5F-0980-447C-B482-8D17C16BCDB2)        [sendmail.cpp(1173),_getDNSMailExchangeServer]

 

So, why doesn't IMSS check for an A record when the MX record lookup fails, and how can I change this behavior?

I read through all the .ini IMSS configuration files I found and spent a lot of time searching the Internet, but I didn't find any clue about how to fix this issue. To be fair, I didn't find anything even mentioning an issue with IMSS and the "implicit MX" rule. I'm at a loss, can anyone shed some light?

Affiliate
dalewj
Posts: 86
Registered: ‎07-08-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule

MX records are needed to send SMTP mail.   A records are an address record that store subnet masks and an IP range.  They have nothing to do with MX records and aren't used by mail relays.

 

Though thinking about it, I bet spammers use them to find mail servers.

 

So the answer to your question is: if IMSS can't look up an MX record, it isn't going to send the message.


I am a Trend Micro Affiliate. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
Affiliate
dalewj
Posts: 86
Registered: ‎07-08-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule


And I was reading that RFC.   Lots of funky stuff in it.   It has all kinds of calls which were never implemented.  Looking up the history of the RFC, it seems it was an early attempt to stop SPAM and implement communication back and forth between the mail servers (VRFY and EXPN additions).  It's funny that part of the RFC kind of takes steps to make SMTP a bit more secure and then they throw in the ability for the sending mail relay to ask questions to the receiving mail relay.  I can imagine a SPAM machine loving to ask questions about your usernames.

 

John Klensin wrote it, I'll try and track him down and ask what it was all about.  But the lesson here is, just because it's an RFC, doesn't mean anyone actually listened or used it.


Stone Emissary
XFox
Posts: 11
Registered: ‎07-19-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule

dalewj, thanks for replying.

Anyway, I still think that the current behavior of my IMSS installation is wrong. Or, at least, that there should be a way to change it.

I'll describe the points that make me think this way.

 

  • The right RFC to look at is RFC 5321, which obsoleted the RFC 2821 mentioned in the blog post I linked to in the OP (sorry for not making it clear from the beginning). AFAIK, RFC 5321 is THE SMTP specification that all the SMTP clients/servers should adhere to. About this specific issue (and according to Wikipedia, too), the RFC in section 5.1, page 69, clearly states that:
    1. SMTP clients must look up an MX record;
    2. If no MX record for the domain is present, look up an A Resource Record (RR), and if such a record is present, treat it as an MX record;
    3. If an MX record is present, clients MUST NOT use an A RR.
  • It seems to me that almost all the SMTP servers obey the implicit MX rule. I think so because if I try to send e-mails to e-mail addresses associated with domain names without MX records using other e-mail providers (and thus using their SMTP servers), the e-mails get through. Moreover, I found many threads on the web about how to disable the implicit MX rule for Microsoft Exchange's SMTP server, which means it's active by default.
  • The very same Trend Micro article I linked in the OP, in the "Diagnosing Relay problems" section, incidentally reports an IMSS 7.0 log that shows how IMSS looks for an A record when the MX record for the domain doesn't exist. So, this is almost certainly an available feature, maybe even the default one.
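
The three rules from RFC 5321 section 5.1 listed in the post above, as an added example that is not part of the original post and is not IMSS code. The zone data, domain names and function names are constructed placeholders; the "defer" branch for a failing resolver goes beyond the post and follows the same RFC section, which separates a temporary lookup error from an empty MX answer.

```python
# Added example: RFC 5321 section 5.1 target selection over constructed DNS data.

class NXDomain(Exception):
    """The name does not exist at all (permanent error)."""

class TempFail(Exception):
    """The resolver could not answer (SERVFAIL, timeout): retry later."""

# Constructed zone data; every name and address here is a placeholder.
ZONE = {
    "with-mx.example": {
        "MX": [(20, "mx2.with-mx.example"), (10, "mx1.with-mx.example")],
        "A": ["192.0.2.10"],
    },
    "a-only.example": {"A": ["192.0.2.25"]},       # no MX, but an A record
    "no-mail.example": {"TXT": ["placeholder"]},   # exists, no MX and no A
}
UNREACHABLE = {"flaky.example"}  # names for which the resolver itself fails

def query(name, rtype):
    """Stand-in resolver: a list of records (empty means no data of that type)."""
    if name in UNREACHABLE:
        raise TempFail(name)
    if name not in ZONE:
        raise NXDomain(name)
    return ZONE[name].get(rtype, [])

def delivery_plan(domain, resolve=query):
    """Return (action, hosts): action is 'relay', 'defer' or 'bounce'."""
    try:
        mx = resolve(domain, "MX")
        if mx:
            # MX present: use only the MX hosts, lowest preference first,
            # and never fall back to the domain's own A record.
            return "relay", [host for _pref, host in sorted(mx)]
        # Empty MX answer: implicit MX pointing at the domain itself,
        # usable only if the domain has an address record.
        if resolve(domain, "A"):
            return "relay", [domain]
        return "bounce", []
    except TempFail:
        return "defer", []   # queue and retry; not a permanent failure
    except NXDomain:
        return "bounce", []

if __name__ == "__main__":
    for d in ("with-mx.example", "a-only.example", "no-mail.example",
              "missing.example", "flaky.example"):
        print(d, delivery_plan(d))
```

A relay that returns a final failure notice where this sketch returns "defer" or an implicit-MX "relay" will lose legitimate mail whenever its resolver misbehaves or the recipient domain publishes only an A record.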
Affiliate
dalewj
Posts: 86
Registered: ‎07-08-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule


All I can say is an RFC doesn't hold as much weight as you might think.  Vendors only make moves towards changes when they are forced to because everyone else is doing it.  If there is no push in the industry to follow the RFC then it's ignored.

 

And no, I doubt you will ever see it changed.   People need to properly maintain their MX records if they want SMTP mail.

 

 


Affiliate
greggmh123
Posts: 1,978
Registered: ‎01-23-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule


I have an Exchange 2003 server that is set to defaults and will send mail to domains that have no MX record, as long as there is an A record for a server that accepts mail.

 

Now WHY any admin would not set up an actual MX record, I do not know. I do know that mail servers **will send** to the domain via an A record if they cannot find an MX record. Many domains have no MX record.

 

I also have Vamsoft ORF as a secondary spam filter to my WatchGuard firewall, and it has a setting (off by default) to require a sending domain to have an MX record before it will accept mail from that domain. In ORF, it states that domains "should" have an MX record, but it "is not an RFC standard requirement" to have an MX record, and they note that enabling that rDNS test would likely result in losing legitimate inbound email. The opposite would also be true: if one were to require that an MX record exist for the domain to which the server wants to send mail, one could lose legitimate email.

 

So, I would check to make sure you haven't checked a box somewhere in the product to require an MX record. I have never used it, so I cannot tell you where to look.

 

Gregg Hill

 

 


Stone Emissary
XFox
Posts: 11
Registered: ‎07-19-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule


greggmh123 wrote:

Now WHY any admin would not set up an actual MX record, I do not know. I do know that mail servers **will send** to the domain via an A record if they cannot find an MX record. Many domains have no MX record.


 

Thanks a lot greggmh123.

 


greggmh123 wrote:

So, I would check to make sure you haven't checked a box somewhere in the product to require an MX record. I have never used it, so I cannot tell you where to look.


 

I already double-checked all the visible settings and found nothing that seems related to this issue.
Maybe an IMSS 7.1 user could tell us if the default behavior is to check for the A record or not, and hopefully the key setting or keyword to change this behavior...

Trend Micro Employee
ryandelany
Posts: 857
Registered: ‎08-17-2009

Re: E-mail delivery to domains without MX records - Implicit MX rule

For starters, IMSS *IS* RFC compliant as much as possible, including in this specific scenario.  We don't treat RFCs as optional, much like the rest of the industry, or else our products wouldn't all work together.

 

That being said, I did confirm that IMSS 7.1 is designed to work the way you expect it to, which is to say that if an MX record doesn't exist, an A record lookup will be done and that will be used as the relay host.

 

I reviewed a number of similar cases, and read and re-read your initial post numerous times.  The consensus on the cases we have handled is that most, if not all of the time, the issue was the specific DNS server that IMSS was configured to use was having problems, wasn't up to date, etc.  In your initial post, you didn't mention which DNS server you configured IMSS to use.  You also mentioned you sent emails from third parties, which most likely aren't using the same DNS server you have configured.

 

My suggestion for troubleshooting would be the following:

 

1. Do a manual DNS lookup from the IMSS server

 

a. Open a command prompt on the IMSS server

b. Issue the following commands, one at a time, followed by Enter

 

nslookup

set type=a

nonexistentdomain.abc (replace this with the actual domain name)

exit

 

Report back whatever output you get.  I would expect an error of some sort.  If not:

 

2. Do a manual connection from the IMSS server

 

a. Open a command prompt on the IMSS server

b. Issue the following command

 

telnet servername 25  (replace servername with the value of the A record reported back in Step 1)

 

3. Change the DNS servers that IMSS is using.  You could try one of the "free" ones like Google DNS at 8.8.8.8 and 8.8.4.4 or OpenDNS at 208.67.222.222 and 208.67.220.220 and see if that helps.

 

4. If IMSS still doesn't work, then I would contact support.  They are equipped to help you gather up the appropriate information and help you resolve the issue.  I strongly believe this is a DNS problem though, and hopefully you won't get to this step.

 

Ryan


I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
Stone Emissary
XFox
Posts: 11
Registered: ‎07-19-2010

Re: E-mail delivery to domains without MX records - Implicit MX rule


ryandelany, thank you very much for your reply.
FWIW, we configured IMSS to use the DNS server of Windows Server 2008 R2 and the domain we are trying to send mails to is sandonatino.com.
I performed the tests you described but I got no errors: querying the DNS server for the A record of the domain gives back an IP address and if we telnet to that address we start speaking to an SMTP server.

 

The output of the nslookup commands is:
Server:  our_dns_server
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer:
Name:    sandonatino.com
Address:  67.205.76.105

The output of the telnet command is:
220-server.abastrologie.com ESMTP Exim 4.69 #1 Mon, 26 Jul 2010 08:25:11 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

 

Do you have any other suggestions other than to contact the support?
Thank you again.

Trend Micro Employee
ryandelany
Posts: 857
Registered: ‎08-17-2009

Re: E-mail delivery to domains without MX records - Implicit MX rule

Did you try using another DNS server as I suggested?  It's possible that IMSS doesn't play well with the Windows 2008 R2 DNS server (I am going to research that in the meantime) but changing your DNS server would be a very easy way to troubleshoot/validate that.

 

If that doesn't work, contacting support is your best bet.  These forums are designed for customer - customer interaction and are only viewed by employees on a voluntary basis, so there is no guarantee you will get a solution here.

 

Ryan

