[mailop] Microsoft/GMail MX Priority Issues.
Hi there, just joined to try and get some knowledge/help on an issue when getting emails delivered from (particularly) Hotmail/Outlook.com but occasionally Gmail addresses. I consulted RFC5321 and it does say the mail delivery will be tried in order of MX preference. Background: We have set up a Sophos UTM which is a pretty sophisticated device. This is in front of an Exchange server and filters all incoming/outgoing emails. The domain being used is, say, abc.com Our MX records for this domain are: 0 autodiscover.abc.com 10 mail.abc.com 20 mxbackup.3rdparty.com The 3rd priority MX record is in the event of an outage, the emails queue and return to the top MX entry once the mail server returns from e.g. a reboot or Internet downtime. It is hosted in a different country to the top priority MX records. What we are finding is that 90% of Hotmail/Outlook.com emails sent to the domain abc.com are coming from mxbackup.3rdparty.com. All other domains behave as expected and come in via 0 autodiscover.abc.com. Some Gmails follow this behaviour too. This is where the IETF comes in as it would appear to go against the RFC for MX delivery. What brought this to our attention was that our Sophos UTM instantly started rejecting emails from our 3rd party MX provider, all of them from Hotmail/Outlook.com. It is happening with all 3 of the UTM devices that we have fitted so far, all on different domains, different public IP addresses, all in Gibraltar. Our 3rd Party MX is located in Manchester, United Kingdom. We have obviously now added our 3rd Party as an upstream relay but this is not ideal – why are these emails going to the 3rd priority MX record in the first place? The primary MX public IP addresses on all 3 UTM's are not blacklisted and pretty much have 99% or higher availability. I am going to be asking Sophos if the UTM is in any way delaying it’s response to the Microsoft mail servers to eliminate it being the UTM taking too long to reply for Hotmail’s/Gmail’s liking. I do not think that is the case as it is only with these two email providers that we have the issue. Thanks in advance for any possible help or advice. Regards, Adrian. ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Microsoft/GMail MX Priority Issues.
On 2016-02-21 01:40, Adrian Neale (iComms) wrote: Hi there, just joined to try and get some knowledge/help on an issue when getting emails delivered from (particularly) Hotmail/Outlook.com but occasionally Gmail addresses. I consulted RFC5321 and it does say the mail delivery will be tried in order of MX preference. *What we are finding is that 90% of Hotmail/Outlook.com emails sent to the domain abc.com are coming from mxbackup.3rdparty.com. All other domains behave as expected and come in via 0 autodiscover.abc.com. Some Gmails follow this behaviour too.* I haven't observed any issues with these providers, however, Facebook's "Add an email" verifications consistently use the lowest priority (highest numbered) MX, which has caused us a fair amount of issues as our lowest MX will tempfail most requests when the primary MX is reachable. If I change the MX records to only list the primary MX, the email is delivered instantly. Other Facebook mail is received successfully, it's just this one class (and possibly password resets or other account verifications, I'm not sure) I don't see any issues from the providers you named though, and given our configuration, we would absolutely notice fairly quickly if one of the major providers suddenly couldn't email us. Do you see any connection attempts or delivery attempts that could indicate Hotmail/Outlook is trying your server first? ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Re: [mailop] Microsoft/GMail MX Priority Issues.
On Sun, 21 Feb 2016, Adrian Neale (iComms) wrote: >The 3rd priority MX record is in the event of an outage, That's your intent, but that isn't how it usually works, much as having a tertiary/backup DNS provider that is only used in the event of outages -- you must expect all MX (and NS) servers to receive traffic even if there seems to you to be no reason for it. >What we are finding is that 90% of Hotmail/Outlook.com emails sent to >the domain abc.com are coming from mxbackup.3rdparty.com. All other >domains behave as expected and come in via 0 autodiscover.abc.com. >Some Gmails follow this behaviour too. As an aside, don't use fake domain names as examples, but if you feel it is necessary at least use ones that are set aside for that purpose or to be used for documentation, e.g., example.com. This sounds like your primary MX servers are slow or using greylisting where your 3rdparty provider is faster or doesn't greylist -- I would have checked but, you know, fake name. But even without either of those things contributing, the networks of the world are not uniform and always working whenever yours is working, so even when all seems well to you (e.g., you can connect to Hotmail) it may be that Hotmail is having problems connecting to you, but are able to connect to the 3rdparty. >What brought this to our attention was that our Sophos UTM instantly >started rejecting emails from our 3rd party MX provider, all of them >from Hotmail/Outlook.com. Bizarre. What's the point of having a backup MX that you won't readily accept mail from? Are they prepared for you to reject what you asked them to accept? >We have obviously now added our 3rd Party as an upstream relay but this >is not ideal - And yet it is what you designed to happen. Which design isn't nearly as simple as it may seem (just add an MX naming their server to your domain and they add your domain to their configuration). Hopefully they are an experienced backup MX service and/or the two of you have gotten together to consider address validation and reject handling so that you don't produce backscatter (or at least not too much). /mark ___ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
