Something I later figured out might not work (last few lines below)... I simply disabled the firewall policy enabling mail traffic through the Illinois firewall. My guess is, since there was an internet connection to Illinois, and the policy was disabled for fewer than, say, 10 minutes (more like 5), it was a poor test as DNS was still directing mail to the higher priority address.
Thanks!
--
richard

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, May 15, 2012 8:01 AM
To: NT System Admin Issues
Subject: RE: Help w/DNS MX records

What did you do to test the pathway into NYC?

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, May 15, 2012 8:53 AM
To: NT System Admin Issues
Subject: Help w/DNS MX records

Greetings!

We have an email-to-fax gateway (Faxcore). Our email system is hosted Exchange (Perimeter), and our external DNS is hosted by Cogent.

The external FQDN for the gateway is "faxcore1.mwro.aspca.org". There is an MX record for "faxcore1.mwro." with the data entry "faxcore1.mwro.aspca.org." (priority of 10). This is MIP'd in through our firewall to the IP address for "faxcore1.aspca.local". There is an MX record "faxcore1.aspca.local".

We send faxes, either through the user's Exchange client or through a scripted reports system, to "[Phone_Number]@faxcore1.mwro.aspca.org". Mail leaves our network, is processed by the Perimeter system, and mail meant for faxcore1 is delivered to the gateway through the MIP'd port in the firewall. The gateway then processes the mail, digitizes it, dials the recipient's fax machine, and all is well (barring other problems).

We are in Illinois. We have a WAN cloud to our NYC offices.

Now, regarding "other problems"... We had a 25 hour internet outage a month ago. Internet traffic was re-routed into the WAN cloud, so much of what we needed from the internet was available. However, with the internet connection "broken", all our MIP'd DNS entries had no way back into our firewall.

We are trying to alter things so that, if the Illinois firewall is down, Faxcore traffic is re-directed to an NYC firewall and comes to Illinois via the WAN cloud.

Currently, we have these DNS entries with Cogent:

faxcore1.mwro    A     63.85.204.151
faxcore1.mwro.   MX    10 faxcore1.mwro.aspca.org    (this works when the Illinois internet connection is up)

I've added:

faxcore2.mwro    A     38.96.187231
faxcore1.mwro.   MX    20 faxcore2.mwro.aspca.org.

The NYC firewall has the 38.x.x.x address MIP'd and has the same policy settings as the Illinois firewall.

Now to test... I disable the Faxcore policy in the Illinois firewall. I'd like to think that mail routing would then use the MX record with the lower priority and try sending it through NYC.

NOPE! Messages do not make it to Faxcore to be processed. I see no traffic through the NYC firewall. (FWIW, I've also added an MX record, priority 25, for faxcore2.aspca.local.)

After 5 minutes or so (as Faxcore is a production machine sending out about 100 or so medical records per day), I re-enable the Faxcore policy on the Illinois firewall. The test faxes soon arrive once Illinois is back accepting traffic.

So, if I could get some assistance, I figure at least one of the following:

1. I do not have MX records set properly
2. Mail traffic is not going to NYC because the Illinois firewall is accepting internet traffic (but is blocking mail)

Anything else? That 25-hour internet outage made for a really bad back-log for our Client Services group to sort through, re-send, contacting clients, etc...

Thanks!
--
Richard D. McClary Jr
Infrastructure Architect, Information Technology Group
ASPCA(r)
1717 S. Philo Rd, Ste 36
Urbana, IL 61802
richard.mccl...@aspca.org
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org

The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals(r) (ASPCA(r)) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information.
If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
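
Added example, not part of the original thread: an offline check of the MX set as it is typed in the message above, walking the exchangers lowest preference first and falling back when the preferred one cannot be reached. The helper names, the lenient name normalisation and the "unreachable" set standing in for the disabled Illinois policy are assumptions made for the illustration; nothing is queried from live DNS.

```python
import ipaddress

ORIGIN = "aspca.org"
# Records copied as typed in the thread (not queried from live DNS).
RECORDS = """\
faxcore1.mwro A 63.85.204.151
faxcore1.mwro. MX 10 faxcore1.mwro.aspca.org
faxcore2.mwro A 38.96.187231
faxcore1.mwro. MX 20 faxcore2.mwro.aspca.org.
"""

def fqdn(name):
    # Assumption: lenient normalisation, since the thread mixes relative and
    # dotted forms; a real zone file treats a trailing dot as absolute.
    name = name.rstrip(".").lower()
    if name == ORIGIN or name.endswith("." + ORIGIN):
        return name
    return f"{name}.{ORIGIN}"

def parse(text):
    """Split the record lines into {host: address} and {domain: [(pref, host)]}."""
    a, mx = {}, {}
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        owner, rtype = fqdn(fields[0]), fields[1].upper()
        if rtype == "A":
            a[owner] = fields[2]
        elif rtype == "MX":
            mx.setdefault(owner, []).append((int(fields[2]), fqdn(fields[3])))
    return a, mx

def usable_address(a, host):
    """Return the host's IPv4 address, or None if it is missing or malformed."""
    try:
        return str(ipaddress.IPv4Address(a.get(host, "")))
    except ValueError:
        return None

def delivery_plan(text, domain, unreachable=()):
    """Walk the MX set lowest preference first; return (attempt log, chosen host)."""
    a, mx = parse(text)
    log = []
    for pref, host in sorted(mx.get(fqdn(domain), [])):
        addr = usable_address(a, host)
        if addr is None:
            log.append((pref, host, "no usable A record"))
        elif addr in unreachable:
            log.append((pref, host, "connect failed"))
        else:
            log.append((pref, host, "delivered"))
            return log, host
    return log, None  # every exchanger failed: the sender queues and retries
```

Calling delivery_plan(RECORDS, "faxcore1.mwro", unreachable={"63.85.204.151"}) returns no chosen host, because the A value as typed for faxcore2.mwro is not a valid dotted quad, so the published record is worth comparing against the message. A real sender only moves to the next exchanger after its connection attempt to the preferred one fails or times out.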