On Wed, Sep 10, 2014 at 10:02:30AM -0700, Daniel Miller wrote:

> This question is actually two questions - neither of which is
> Postfix-specific but email-generic - but this list is the best resource I
> have to ask such questions.
> 
> First - I've been contributing to "Project Tarbaby", which means I have a
> pair of secondary MX records below my primary which accept anything they get
> - and those get used to build DNS blacklists. Properly configured hosts talk
> to my primary server without issue. The only question here is - does anyone
> have an objection to what I'm doing with this?

If your system ever responds with a 4XX, retries will hit the
secondaries.  You need to at least exclude clients that first tried
the primary and tempfailed.

However, transient connection or DNS problems can also cause a
legitimate client to skip the primary now and then.  Therefore,
such automatic blacklisting needs to be implemented with great
care, by excluding clients that have mostly gotten it right in the
not too distant past.

> Second - while this has been working for quite some time, recently my
> fax-to-email service provider has started sending everything to the
> secondaries.  Which means I get no faxes.  I can't configure their servers
> so I can't fix them.  I've told them their systems are broken - at the least
> they need to refresh their MX lookup - but they insist everything is fine on
> their end.  When I said they were in violation of the RFCs, they sent me
> back something that said the RFCs are ambiguous with how they should treat
> MX records, order, and failures.

Accusing people of "RFC violation" is unwise.  Especially without
a detailed understanding of both the RFC and the observed problem.

> Based on the log excerpts they sent me I
> believe they're using Sendmail.

Sendmail processes MX records correctly.  There may be DNS or
network connectivity issues.

> Is the method for working with primary vs secondary MX records clear - at
> least clear enough that my tarpit setup should work?  Or is there enough of
> a grey area that this setup is doomed to failure regardless?

MTAs MUST try the highest priority (lowest value) MX records first.
However, there is no expectation that such an attempt will always
be observed by the receiving system.  See above.

If a sender consistently fails to reach the primary MX, and you're
not greylisting or otherwise returning 4XX responses forcing them
to the secondaries, perhaps there is a systemic connectivity or
DNS problem.

Their Sendmail MTA could perhaps be misconfigured, but that seems
unlikely at this time.

-- 
        Viktor.

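Added example, not part of the thread above and not code from Postfix or Sendmail: a small Python model of the two points Viktor makes. `order_mx`/`deliver` show why a client that gets a 4XX (or cannot connect) at the primary legitimately moves on to the secondaries, and `blacklist_candidates` applies the two exclusions he asks for before a "tarbaby" secondary lists anyone: skip clients that contacted the primary shortly before hitting a secondary, and skip clients with a recent accepted delivery at the primary. The log format, the window sizes, the host names `mx1`..`mx3` and the 192.0.2.x client addresses are all constructed for illustration.

```python
"""MX preference order and a cautious secondary-MX ("tarbaby") listing rule.

Added illustration only. The log line format, the windows and the sample
data below are invented for this example, not taken from any real MTA.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta


def order_mx(records, rng=None):
    """Order MX hosts as an MTA MUST try them: ascending preference value
    (lowest value = highest priority). Hosts sharing a preference are
    shuffled, as RFC 5321 section 5.1 asks. `records` is [(pref, host)]."""
    rng = rng or random.Random(0)
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records, attempt, rng=None):
    """Simulate one delivery attempt. `attempt(host)` returns 'ok',
    'tempfail' (a 4XX reply) or 'unreachable'. Anything but 'ok' makes the
    client move on to the next MX, so a 4XX at the primary (greylisting,
    for instance) sends a perfectly correct client to a secondary."""
    tried = []
    for host in order_mx(records, rng):
        result = attempt(host)
        tried.append((host, result))
        if result == 'ok':
            return 'delivered', tried
    return 'deferred', tried


# Constructed log format: "<iso-timestamp> <mx-host> <client-ip> <event>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<mx>\S+) (?P<client>[\d.]+) '
    r'(?P<event>connect|tempfail|accepted)$')


def parse_events(lines):
    """Parse constructed log lines into (timestamp, mx, client, event)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not one of our records
        events.append((datetime.fromisoformat(m['ts']), m['mx'],
                       m['client'], m['event']))
    return events


def blacklist_candidates(events, primary, now,
                         retry_window=timedelta(hours=6),
                         good_history=timedelta(days=7)):
    """Clients seen on a secondary that still deserve a listing.

    Excluded, as Viktor advises:
      * clients that contacted the primary (and e.g. got a 4XX) within
        `retry_window` before the secondary contact - they were retrying;
      * clients with an accepted delivery at the primary within
        `good_history` - they have "mostly gotten it right" recently, so a
        stray DNS or connectivity hiccup must not get them listed.
    """
    per_client = defaultdict(list)
    for ts, mx, client, ev in events:
        per_client[client].append((ts, mx, ev))

    listed = set()
    for client, evs in per_client.items():
        primary_contacts = [ts for ts, mx, ev in evs if mx == primary]
        if any(mx == primary and ev == 'accepted' and now - ts <= good_history
               for ts, mx, ev in evs):
            continue
        for ts, mx, ev in evs:
            if mx == primary:
                continue
            retrying = any(timedelta(0) <= ts - p <= retry_window
                           for p in primary_contacts)
            if not retrying:
                listed.add(client)
    return listed


# Constructed sample: one retrying client, one that skipped the primary
# outright, and one with a good track record that slipped once.
SAMPLE_LOG = [
    "2014-09-10T10:00:00 mx1 192.0.2.10 connect",
    "2014-09-10T10:00:01 mx1 192.0.2.10 tempfail",
    "2014-09-10T10:05:00 mx2 192.0.2.10 connect",
    "2014-09-10T10:10:00 mx2 192.0.2.20 connect",
    "2014-09-08T09:00:00 mx1 192.0.2.30 accepted",
    "2014-09-10T10:20:00 mx3 192.0.2.30 connect",
]
NOW = datetime.fromisoformat("2014-09-10T12:00:00")


def demo():
    """Run the sample through the rule; only 192.0.2.20 should be listed."""
    return blacklist_candidates(parse_events(SAMPLE_LOG), 'mx1', NOW)


if __name__ == '__main__':
    records = [(10, 'mx1'), (20, 'mx2'), (20, 'mx3')]
    print(deliver(records, lambda h: 'tempfail' if h == 'mx1' else 'ok'))
    print(demo())
```

The `deliver` simulation is the client-side view: a greylisting 4XX at `mx1` is followed immediately by a connection to a secondary, which is exactly what the receiving side then sees as "skipped the primary" unless it correlates the two.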