On Sun, 21 Feb 2016, Adrian Neale (iComms) wrote:

>The 3rd priority MX record is in the event of an outage, 

That's your intent, but that isn't how it usually works, much as having 
a tertiary/backup DNS provider that is only used in the event of outages 
-- you must expect all MX (and NS) servers to receive traffic even if 
there seems to you to be no reason for it.

>What we are finding is that 90% of Hotmail/Outlook.com emails sent to 
>the domain abc.com are coming from mxbackup.3rdparty.com.  All other 
>domains behave as expected and come in via 0 autodiscover.abc.com.  
>Some Gmails follow this behaviour too.

As an aside, don't use fake domain names as examples, but if you feel it 
is necessary at least use ones that are set aside for that purpose or to 
be used for documentation, e.g., example.com.

This sounds like your primary MX servers are slow or using greylisting 
where your 3rdparty provider is faster or doesn't greylist -- I would 
have checked but, you know, fake name.  But even without either of those 
things contributing, the networks of the world are not uniform and 
always working whenever yours is working, so even when all seems well to 
you (e.g., you can connect to Hotmail) it may be that Hotmail is having 
problems connecting to you, but is able to connect to the 3rdparty.

>What brought this to our attention was that our Sophos UTM instantly 
>started rejecting emails from our 3rd party MX provider, all of them 
>from Hotmail/Outlook.com.

Bizarre.  What's the point of having a backup MX that you won't readily 
accept mail from?  Are they prepared for you to reject what you asked 
them to accept?

>We have obviously now added our 3rd Party as an upstream relay but this 
>is not ideal - 

And yet it is what you designed to happen.  Which design isn't nearly as 
simple as it may seem (just add an MX naming their server to your domain 
and they add your domain to their configuration).  Hopefully they are an 
experienced backup MX service and/or the two of you have gotten together 
to consider address validation and reject handling so that you don't 
produce backscatter (or at least not too much).


/mark

_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
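
The mechanism suggested in the reply above (a greylisting or unreachable primary pushing mail to the backup MX), as an added toy model that is not part of the original message. It assumes a sender that moves to the next MX after a temporary failure, greylisting keyed on (client IP, sender, recipient), and one sender using a pool of outbound IPs; all host names and addresses are constructed.

```python
from collections import Counter

class MX:
    """One mail exchanger in the toy model."""
    def __init__(self, name, preference, greylist=False, reachable=True):
        self.name, self.preference = name, preference
        self.greylist, self.reachable = greylist, reachable
        self.seen = set()  # greylist triplets this host has already deferred once

    def offer(self, triplet):
        """Return 'unreachable', '4xx' (temporary reject) or '2xx' (accepted)."""
        if not self.reachable:
            return "unreachable"
        if self.greylist and triplet not in self.seen:
            self.seen.add(triplet)  # first sight: defer, accept on a later attempt
            return "4xx"
        return "2xx"

def deliver(mxs, triplet):
    """One delivery run: lowest preference first, move on after any failure."""
    for mx in sorted(mxs, key=lambda m: m.preference):
        if mx.offer(triplet) == "2xx":
            return mx.name
    return None  # every MX failed; the sender would queue and retry later

def share_by_mx(mxs, messages):
    """Count which MX ended up accepting each message."""
    return Counter(deliver(mxs, t) for t in messages)

def make_mxs(primary_greylists=True, primary_reachable=True):
    # Constructed host names in documentation domains.
    return [MX("mx1.example.com", 0, primary_greylists, primary_reachable),
            MX("mxbackup.example.net", 20)]

# Constructed traffic: (client IP, envelope sender, recipient) triplets.
RCPT = "user@example.com"
pool_sender = [(f"192.0.2.{i}", "a@bigmail.example", RCPT) for i in range(1, 11)]
single_sender = [("198.51.100.7", "b@smallco.example", RCPT)] * 10

if __name__ == "__main__":
    print("IP pool, greylisting primary :", dict(share_by_mx(make_mxs(), pool_sender)))
    print("one IP, greylisting primary  :", dict(share_by_mx(make_mxs(), single_sender)))
    print("no greylisting               :", dict(share_by_mx(make_mxs(False), pool_sender)))
    print("primary unreachable to sender:",
          dict(share_by_mx(make_mxs(False, False), single_sender)))
```

In this model the sender with rotating client IPs never matches a known triplet on the primary, so all of its mail arrives via the backup, while the single-IP sender is diverted only once.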
