Cisco Support Community
New Member

MX Record Best Practices

Greets. I have a question on MX Records. I'm 95% certain of the answer, I just want a sanity check.

Our email domain matches the hostname of our mail server. E.g., user@mail.domain.com is handled by our server mail.domain.com.

We have a C350 (ironport.domain.com) sitting in front of mail.domain.com, and the MX Records for mail.domain.com look like this:

0 ironport.domain.com
10 mail.domain.com

A lot of spam is being delivered to the lowest priority MX Record, bypassing ironport.domain.com.

Can I remove the "10 mail.domain.com" MX Record? I know a lot of MTAs will look for an A Record to deliver mail to if there are no MX Records for a domain.

But in this case, there are MX Records. If I remove the 10 priority, and for some reason the C350 is offline, will all mail to user@mail.domain.com bounce, or will MTAs try delivering to the A Record after the 0 priority MX Record?

Thanks for any help.

Reece.

3 REPLIES
New Member

Re: MX Record Best Practices

If I understand what you are saying, both the Ironport and non-Ironport MTAs are listed in the MX record, 0 cost being the Ironport and 10 cost being the non-Ironport. Based on this, inbound connection attempts try the Ironport first and if it cannot connect then try the 10 cost "non-Ironport". Sounds like the spammers figured out they can't deliver to the Ironport because of SenderBase and are targeting the non-Ironport MTA.

Short answer is "Yes", you can remove the non-Ironport from the MX record. But I am not sure if I understand what you are trying to accomplish. If it is a 2-tier architecture (Ironport facing the internet, "in front of mail.domain.com", e.g. using Ironport as your perimeter protection), I would remove mail.domain.com from the MX record and lock the non-Ironport down so it only delivers to/from the Ironport and to your internal domain. You can always enable multiple listeners on the C350 if you'd like. Are you looking to use the non-Ironport only if the Ironport is down hard, for whatever reason? I am not sure any MTA will try an A record if an MX record exists. Usually that is when NO MX exists.
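As an added illustration (not code from any poster in this thread), here is a small Python model of the sender-side lookup the question is about: with any MX records present, a sending MTA walks them in preference order and never falls back to the domain's A record (RFC 5321 section 5.1); only a domain with no MX at all gets the "implicit MX" pointing at its own A record. Hostnames and addresses are constructed sample values, and the same model flags which MX hosts bypass the filtering gateway.

```python
from typing import Dict, List, Optional, Set, Tuple


class DnsZone:
    """Minimal stand-in for the DNS answers a sending MTA would see."""

    def __init__(self, mx: List[Tuple[int, str]], a: Dict[str, str]):
        self.mx = mx  # (preference, hostname); lower preference is tried first
        self.a = a    # hostname -> address


def delivery_candidates(zone: DnsZone, domain: str) -> List[str]:
    """Hosts a conforming MTA will try for `domain`, in order."""
    if zone.mx:
        # Any MX present: use only the MX list, sorted by preference.
        return [host for _, host in sorted(zone.mx)]
    # No MX at all: implicit MX (preference 0) pointing at the domain's A record.
    return [domain] if domain in zone.a else []


def pick_target(zone: DnsZone, domain: str, reachable: Set[str]) -> Optional[str]:
    """First candidate that accepts a connection; None means the sender queues and retries."""
    for host in delivery_candidates(zone, domain):
        if host in reachable:
            return host
    return None


def bypass_hosts(zone: DnsZone, gateways: Set[str]) -> List[str]:
    """MX hosts that are not the filtering gateway, i.e. a direct path around it."""
    return [host for _, host in sorted(zone.mx) if host not in gateways]


if __name__ == "__main__":
    # Constructed sample zone mirroring the thread's layout (addresses are placeholders).
    zone = DnsZone(
        mx=[(0, "ironport.domain.com"), (10, "mail.domain.com")],
        a={"ironport.domain.com": "192.0.2.1", "mail.domain.com": "192.0.2.10"},
    )
    print("bypass:", bypass_hosts(zone, {"ironport.domain.com"}))
    zone.mx = [(0, "ironport.domain.com")]  # after removing the 10 record
    print("gateway down:", pick_target(zone, "mail.domain.com", {"mail.domain.com"}))
```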

New Member

Re: MX Record Best Practices

Spammers will try every MX record they see. They'll also remember old MX records after you've removed them, and they'll use port probing to discover SMTP listeners for dictionary attacks. They're relentless. What we do with our mail server is refuse all SMTP connections that don't come from our IronPorts, so there is no "back door" for the spammers to exploit.

As for being totally dependent on your C350, don't sweat it. We've been totally dependent on our IronPorts for a few years now. They're at least as reliable as the mail server they're protecting. And in your case, if your C350 does go down, your inbound mail won't bounce. It'll be held in the mail queues of the servers which are trying to send you mail. You'll only start losing mail if you're down for longer than their queue retention times (usually at least 24 hours).

You could increase your reliability by having two C350s, both taking traffic. That way, if one goes down then the other will handle the whole load. That takes more money, of course.

New Member

My word

I would never name one of my MX records IronPort, because it's a way of saying to spammers "you won't get through here, please try the other MX record". If you want to have 2 MX records, name one mail.domain.com and the second one mail1.domain.com. Still, as mentioned before, spammers might send spam to any MX record they see.
