On 9/10/2014 10:24 AM, Viktor Dukhovni wrote:
If your system ever responds with a 4XX, retries will hit the secondaries. You need to at least exclude clients that first tried the primary and tempfailed. However, transient connection or DNS problems can also cause a legitimate client to skip the primary now and then. Therefore, such automatic blacklisting needs to be implemented with great care, by excluding clients that have mostly gotten it right in the not too distant past.

The DNS blacklisting is score-based - so if anyone winds up in there it won't be the end-all, certainly not for my primary which has extensive whitelisting.

MTAs MUST try the highest priority (lowest value)  MX records first.
However, there is no expectation that such an attempt will always
be observed by the receiving system.  See above.

If a sender consistently fails to reach the primary MX, and you're
not greylisting or otherwise returning 4XX responses forcing them
to the secondaries, perhaps there is a systemic connectivity or
DNS problem.

Their Sendmail MTA could perhaps be misconfigured, but that seems
unlikely at this time.


The problem I'm facing is the remote server isn't reaching my primary at all - I have absolutely no indication of it in my logs whatsoever. And they're extensively whitelisted (by IP, domain, and address). They're just going right to the secondaries and have been for the past couple weeks. Yet everyone else is able to reach me without issue.

Temporarily at least I'll drop the secondaries from my DNS and see if it helps - but I still think there's something broken on their end. I just don't know how to express it properly beyond, "it's wrong, and it's on your end".

--
Daniel
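
The care the quoted advice asks for when scoring clients that skip the primary MX, as an added example that is not part of the original thread. It assumes both MX hosts feed one event stream of (time, client IP, MX role, SMTP reply code); the window and threshold values, function names and sample addresses are assumptions made up for the illustration.

```python
from collections import defaultdict

# Assumed tuning values, not taken from the thread.
RETRY_WINDOW = 3600          # s: secondary hit this soon after a primary 4XX is a retry
HISTORY_WINDOW = 7 * 86400   # s: the "not too distant past"
MIN_SAMPLES = 5              # never score a client on a handful of observations
MAX_SKIP_RATIO = 0.8         # above this share of skips the client adds to the score

def classify_clients(events, now):
    """events: (epoch_seconds, client_ip, mx, smtp_code), mx "primary" or "secondary".
    Returns {client_ip: "ok" | "suspect"}. "suspect" is one input to a score,
    not a verdict: a connection that never reached the primary leaves no log line.
    """
    last_tempfail = {}                      # client -> time of last 4XX from the primary
    counts = defaultdict(lambda: [0, 0])    # client -> [right, skipped]
    for ts, ip, mx, code in sorted(events):
        if now - ts > HISTORY_WINDOW:
            continue                        # outside the history we judge on
        if mx == "primary":
            counts[ip][0] += 1              # tried the primary first: got it right
            if 400 <= code < 500:
                last_tempfail[ip] = ts
        elif ts - last_tempfail.get(ip, float("-inf")) <= RETRY_WINDOW:
            counts[ip][0] += 1              # legitimate retry after a tempfail
        else:
            counts[ip][1] += 1              # secondary with no primary attempt seen
    verdicts = {}
    for ip, (right, skipped) in counts.items():
        total = right + skipped
        bad = total >= MIN_SAMPLES and skipped / total > MAX_SKIP_RATIO
        verdicts[ip] = "suspect" if bad else "ok"
    return verdicts

def sample_events(now):
    """Constructed sample data (documentation-range addresses)."""
    ev = []
    for i in range(3):                      # greylisted client: 450, then retry on secondary
        t = now - 86400 * (i + 1)
        ev += [(t, "192.0.2.10", "primary", 450), (t + 300, "192.0.2.10", "secondary", 250)]
    for i in range(6):                      # never seen on the primary
        ev.append((now - 3600 * (i + 1), "198.51.100.7", "secondary", 250))
    for i in range(5):                      # mostly right, one stray secondary delivery
        ev.append((now - 7200 * (i + 1), "203.0.113.5", "primary", 250))
    ev.append((now - 600, "203.0.113.5", "secondary", 250))
    ev += [(now - 60 * i, "203.0.113.99", "secondary", 250) for i in (1, 2)]  # too few samples
    return ev

if __name__ == "__main__":
    now = 1410364800                        # arbitrary fixed epoch for the sample
    print(classify_clients(sample_events(now), now))
```

A sender like the one described in the reply above, whitelisted yet never seen on the primary, would land in the "suspect" bucket here, which is why the result should only ever contribute to a score.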
