Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3162
Views
0
Helpful
4
Replies

Remote SMTP server never use 2nd MX record

Go to solution
alexandre34
Level 1
Level 1

‎08-22-2012 06:45 AM

Hello,

I have 2 Ironport C370 in centralized management mode.

2 MX records in my public DNS :

10      frel01.xxx.xx     [IP_Public_frel01]

20      frel02.xxx.xx     [IP_Public_frel02]

Those 2 records work fine, I checked them with online tools (mxtoolbox.com).

If I shut frel01 or if I shut SMTP service (Clusterconfig / disconnect + suspend) on frel01, frel02 should be used to send and receive external mails.

it works for sending external mails but not to receive, external mails are still received on frel01.

There is the result when I try with http://network-tools.com (I also tried to send a mail from a personnal mail)

SMTP session

[Contacting frel01.xxx.xx [IP_Public_frel01]...]

[Connected]

421 No SMTP service here

[Unfavorable reply code, cannot continue]

RSET

Why the remote SMTP server do not try frel02 when it sees that frel01 is unavailable ??

Thanks,

Alex

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Donald Nash
Level 3
Level 3

‎08-22-2012 09:35 AM

The 421 reply code is a temporary failure. It means, "I'm not working right now but I might work later." That's not sufficient to trigger the remote MTA to move to the next MX record. The SMTP listener needs to be shut down entirely, so connections to port 25 get "connection refused" or time out.

You can get better utilization of your two appliances by giving both MX records equal weight. That will split the load between the two units, assuming your DNS servers return their results round-robin style.

++Don

View solution in original post

0 Helpful

Go to solution
Rick Williams
Level 1
Level 1
In response to Donald Nash

‎08-24-2012 04:53 AM

As Don says above. To balance the mail into your servers you should set the MX value on both to the same value.

Interestingly, spammers love to use the higher value as it's generally the less secure system.

Not all sending servers will use both MX records if they are equal, but you will get a better distribution of mail.

To test the failover to the other MX record, remove the network cable on the first system.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Donald Nash
Level 3
Level 3

‎08-22-2012 09:35 AM

The 421 reply code is a temporary failure. It means, "I'm not working right now but I might work later." That's not sufficient to trigger the remote MTA to move to the next MX record. The SMTP listener needs to be shut down entirely, so connections to port 25 get "connection refused" or time out.

You can get better utilization of your two appliances by giving both MX records equal weight. That will split the load between the two units, assuming your DNS servers return their results round-robin style.

++Don

0 Helpful

Go to solution
Rick Williams
Level 1
Level 1
In response to Donald Nash

‎08-24-2012 04:53 AM

As Don says above. To balance the mail into your servers you should set the MX value on both to the same value.

Interestingly, spammers love to use the higher value as it's generally the less secure system.

Not all sending servers will use both MX records if they are equal, but you will get a better distribution of mail.

To test the failover to the other MX record, remove the network cable on the first system.

0 Helpful

Go to solution
alexandre34
Level 1
Level 1
In response to Rick Williams

‎08-24-2012 05:57 AM

Giving both MX records equal weight fix the problem.

Thanks.

0 Helpful

Go to solution
Donald Nash
Level 3
Level 3
In response to alexandre34

‎08-24-2012 08:30 AM

It probably didn't fix the problem so much as mask it. The sending server will still defer when it gets the 421 greeting code, but it now has a 50/50 chance of getting the other server next time it connects. You could still experience significant delays on individual messages, although that's not particularly likely.

++Don

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents