Mailing List Archive: NANOG: users

Is Hotmail in the habit of ignoring MX records?

1 2

View All

Index | Next | Previous | View Threaded

lou at metron

Jul 26, 2012, 12:14 AM

Post #1 of 27 (1716 views)
Permalink

Is Hotmail in the habit of ignoring MX records?

One of my users has reported incoming mail failures, which I finally
tracked down. It turned out that Hotmail has seen fit to send the mail
to his domain's A record machine, despite the fact that he has valid MX records.

The A record points to my webserver, which does not normally accept mail
for anyone. The mail server MX records are to an entirely different machine.

Comments?

Do I need more valium?

-=[L]=-
--

ops.lists at gmail

Jul 26, 2012, 12:21 AM

Post #2 of 27 (1662 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

If the MX records are not responsive / timing out, they might be falling
back to the A record.

On Thu, Jul 26, 2012 at 12:44 PM, Lou Katz <lou [at] metron> wrote:

> One of my users has reported incoming mail failures, which I finally
> tracked down. It turned out that Hotmail has seen fit to send the mail
> to his domain's A record machine, despite the fact that he has valid MX
> records.
>
> The A record points to my webserver, which does not normally accept mail
> for anyone. The mail server MX records are to an entirely different
> machine.
>

--
Suresh Ramasubramanian (ops.lists [at] gmail)

mysidia at gmail

Jul 26, 2012, 12:38 AM

Post #3 of 27 (1661 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On 7/26/12, Lou Katz <lou [at] metron> wrote:
> One of my users has reported incoming mail failures, which I finally
> tracked down. It turned out that Hotmail has seen fit to send the mail
> to his domain's A record machine, despite the fact that he has valid MX
> records.

You looked in the mail headers and saw hotmail's mail server do that,
or the From address/return path just happens to be hotmail?
I would ask for a specific example of a domain name in which that
seems to happen, and exact DNS zone contents.

I am sure that Hotmail does not ignore MX in general, unless they
just broke something; many domains require MX processing and A record
to properly be ignored for mail to be accepted. But there may be
something else going on with a specific domain or DNS
queries/responses from its nameservers, that results in MX being
ignored or unavailable, resulting in a fallback to 'lookup A'.

An example could be some dns issue such as slow response to MX query,
'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX
DNS response packet too large,
....

--
-JH

lou at metron

Jul 26, 2012, 1:35 AM

Post #4 of 27 (1687 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote:
> On 7/26/12, Lou Katz <lou [at] metron> wrote:
> > One of my users has reported incoming mail failures, which I finally
> > tracked down. It turned out that Hotmail has seen fit to send the mail
> > to his domain's A record machine, despite the fact that he has valid MX
> > records.
>
> You looked in the mail headers and saw hotmail's mail server do that,
> or the From address/return path just happens to be hotmail?
> I would ask for a specific example of a domain name in which that
> seems to happen, and exact DNS zone contents.
>
> I am sure that Hotmail does not ignore MX in general, unless they
> just broke something; many domains require MX processing and A record
> to properly be ignored for mail to be accepted. But there may be
> something else going on with a specific domain or DNS
> queries/responses from its nameservers, that results in MX being
> ignored or unavailable, resulting in a fallback to 'lookup A'.
>
> An example could be some dns issue such as slow response to MX query,
> 'MX to a CNAME', 'MX to an invalid label that looks like an IP', MX
> DNS response packet too large,
> ....
>
>
> --
> -JH

Unfortunately, all I get from my user is a snippet, and it took me a while
to realize that I had to look at the mail logs of my web server, not my
mail server, to find the transaction. The domain is cookephoto.com - and
here is my zone file:

plaid# dig cookephoto.com any

; <<>> DiG 9.3.3 <<>> cookephoto.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8

;; QUESTION SECTION:
;cookephoto.com. IN ANY

;; ANSWER SECTION:
cookephoto.com. 172800 IN SOA ns.metron.com. hostmeister.metron.com. 2012011900 21600 3600 345600 345600
cookephoto.com. 172800 IN NS ns2.metron.com.
cookephoto.com. 172800 IN NS ns1.metron.com.
cookephoto.com. 172800 IN NS ns3.metron.com.
cookephoto.com. 172800 IN MX 12 mail2.metron.com.
cookephoto.com. 172800 IN MX 15 mail.katz.com.
cookephoto.com. 172800 IN MX 10 mail.metron.com.
cookephoto.com. 172800 IN A 192.160.193.89

;; ADDITIONAL SECTION:
ns1.metron.com. 3600 IN A 192.160.193.34
ns2.metron.com. 3600 IN A 209.204.189.89
ns2.metron.com. 3600 IN AAAA 2001:470:838d::89
ns3.metron.com. 3600 IN A 192.160.193.55
ns3.metron.com. 3600 IN AAAA 2001:470:838d::55
mail.metron.com. 3600 IN A 192.160.193.14
mail2.metron.com. 3600 IN A 209.204.189.91
mail.katz.com. 28800 IN A 192.160.193.14

and here is the maillog for the transaction, slightly redacted:

Jul 25 13:13:07 plaid sm-mta[5121]: NOQUEUE: connect from blu0-omc2-s2.blu0.hotmail.com [65.55.111.77]
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 220 plaid.metron.com ESMTP Sendmail 8.13.8/8.13.8; Wed, 25 Jul 2012 13:13:07 -0700 (PDT)
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- EHLO blu0-omc2-s2.blu0.hotmail.com
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250-plaid.metron.com Hello blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], pleased to meet you
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: <-- MAIL FROM:<xxxxxxxxxxxx [at] hotmail>
Jul 25 13:13:07 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.1.0 <xxxxxxxxxxxx [at] hotmail>... Sender ok
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RCPT TO:<xxxxx [at] cookephoto>
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 550 5.7.1 <xxxxx [at] cookephoto>... Relaying denied
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: ruleset=check_rcpt, arg1=<xxxxx [at] cookephoto>, relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77], reject=550 5.7.1 <xxxxx [at] cookephoto>... Relaying denied
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: <-- RSET
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: --- 250 2.0.0 Reset state
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bH005121: from=<xxxxxxxxxxxx [at] hotmail>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=IPv4,
relay=blu0-omc2-s2.blu0.hotmail.com [65.55.111.77]
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: <-- QUIT
Jul 25 13:13:08 plaid sm-mta[5121]: q6PKD7bI005121: --- 221 2.0.0 plaid.metron.com closing connection

The 5.7.1 relaying denied is correct, since the webserver does not accept mail for the website domains.

At the time of the transaction, nothing special was happening here, and other mail was flowing quite nicely into
the mail server. Other Hotmail servers were sending to other recipients here through the regular mailserver OK.

Thanks for looking at it.

-=[L]=-

blakjak at blakjak

Jul 26, 2012, 3:32 AM

Post #5 of 27 (1653 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On 26/07/12 20:35, Lou Katz wrote:
> On Thu, Jul 26, 2012 at 02:38:31AM -0500, Jimmy Hess wrote:
>> On 7/26/12, Lou Katz <lou [at] metron> wrote:
>>> One of my users has reported incoming mail failures, which I finally
>>> tracked down. It turned out that Hotmail has seen fit to send the mail
>>> to his domain's A record machine, despite the fact that he has valid MX
>>> records.
>> You looked in the mail headers and saw hotmail's mail server do that,
>> or the From address/return path just happens to be hotmail?
>> I would ask for a specific example of a domain name in which that
>> seems to happen, and exact DNS zone contents.
>>
>> I am sure that Hotmail does not ignore MX in general, unless they

No, they do. The exact same thing has happened to me - twice, with two
seperate scenarios being fundamentally similar. The MX is ignored, the
non-host A record is tried, if it accepts connections on Port 25 it uses
this instead.
This behavior forced me to set up the mail server on the same box as a
webserver I administer to act as a secondary MX for another domain I
administer (mail is elsewhere), in one case.
In the other, I had to simply write off the option of having
http://domain working, and live with just http://www.domain, due to the
use of a third party web host that also had an MTA on their machine that
was rejecting my email.

Like all the behemoth service providers, it's impossible to find someone
useful to talk to about these things. I posted on Mailop about it a few
months ago, but it's not new behavior - the first instance I came across
was more than 2 years ago.

Mark.

mjwise at kapu

Jul 26, 2012, 6:53 AM

Post #6 of 27 (1649 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:

> The domain is cookephoto.com

Why does mail.metron.com have MX records?
And they're different.

$ host cookephoto.com
cookephoto.com has address 192.160.193.89
cookephoto.com mail is handled by 10 mail.metron.com.
cookephoto.com mail is handled by 12 mail2.metron.com.
cookephoto.com mail is handled by 15 mail.katz.com.

$ host mail.metron.com
mail.metron.com has address 192.160.193.14
mail.metron.com mail is handled by 10 mail.metron.com.
mail.metron.com mail is handled by 20 mail.katz.com.

$ host mail.katz.com
mail.katz.com has address 192.160.193.14

$ host mail2.metron.com
mail2.metron.com has address 209.204.189.91

$ host plaid.metron.com
plaid.metron.com has address 192.160.193.135

Normally, in my experience, the actual mail server doesn't have MX records as such, but�.
Just seems 0dd.

Also, you say �

> At the time of the transaction, nothing special was happening here, ...

Was anything strange happening with any of the DNS records for any of these domains in the past two days?

Aloha,
Michael.
--
"Please have your Internet License
and Usenet Registration handy..."

ryan at u13

Jul 26, 2012, 7:05 AM

Post #7 of 27 (1664 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 26, 2012, at 2:14 AM, Lou Katz wrote:

> One of my users has reported incoming mail failures, which I finally
> tracked down. It turned out that Hotmail has seen fit to send the mail
> to his domain's A record machine, despite the fact that he has valid MX records.
>
> The A record points to my webserver, which does not normally accept mail
> for anyone. The mail server MX records are to an entirely different machine.
>
> Comments?
>
> Do I need more valium?

If you subscribe to http://mailop.org and look in the archives, you'll see a thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from March of this year (which carries over into April). In this thread Mark Foster encounters the same issue, and upon investigation others (including myself) see it as well.

I found that we were having the same issue after users on Hotmail were forwarding us DSNs regarding messages that our mail server had never seen, however upon checking our web servers for that hostname we found connections and delivery attempts from Hotmail.

Additionally, quoted from Tony Finch in the mailop thread regarding 'what if your MXes are broken and it is just failing back to A':

If one or more MX RRs are found for a given name, SMTP systems MUST
NOT utilize any address RRs associated with that name unless they are
located using the MX RRs; the "implicit MX" rule above applies only
if there are no MX records present. If MX records are present, but
none of them are usable, this situation MUST be reported as an error.

No solution to the issue was found in the various forks of that thread, however one individual afflicted by this issue (the OP) seems to have resolved his specific issue with Hotmail by fixing his MX records to be in stricter compliance with RFCs and best practices (removed a CNAME) - that said, per the quote above Hotmail should not have been falling back to the A records or any other RRs for the hostname.

The matter is still unresolved for us and presumably others on the list except for the OP

>
> -=[L]=-
> --
>

ryan at u13

Jul 26, 2012, 7:10 AM

Post #8 of 27 (1651 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 26, 2012, at 2:21 AM, Suresh Ramasubramanian wrote:

> If the MX records are not responsive / timing out, they might be falling
> back to the A record.
>

Per RFC2821 (and later RFC5321):

If one or more MX RRs are found for a given name, SMTP systems MUST
NOT utilize any address RRs associated with that name unless they are
located using the MX RRs; the "implicit MX" rule above applies only
if there are no MX records present. If MX records are present, but
none of them are usable, this situation MUST be reported as an error.

So while it is possible they are doing this, they should not be

Ryan
>
> --
> Suresh Ramasubramanian (ops.lists [at] gmail)

gbonser at seven

Jul 26, 2012, 9:12 AM

Post #9 of 27 (1651 views)
Permalink

RE: Is Hotmail in the habit of ignoring MX records? [In reply to]

> From: Ryan Rawdon
> Sent: Thursday, July 26, 2012 7:06 AM
> To: nanog [at] nanog
> Subject: Re: Is Hotmail in the habit of ignoring MX records?

> No solution to the issue was found in the various forks of that thread,
> however one individual afflicted by this issue (the OP) seems to have
> resolved his specific issue with Hotmail by fixing his MX records to be
> in stricter compliance with RFCs and best practices (removed a CNAME) -
> that said, per the quote above Hotmail should not have been falling
> back to the A records or any other RRs for the hostname.

I would say MX pointing to a CNAME instead of pointing to an A record is the #1 cause of intermittent mail delivery problems I have seen. Some MTAs seem to tolerate it, some don't.

G

lou at metron

Jul 26, 2012, 10:29 AM

Post #10 of 27 (1644 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Thu, Jul 26, 2012 at 09:05:55AM -0500, Ryan Rawdon wrote:
>
> On Jul 26, 2012, at 2:14 AM, Lou Katz wrote:
>
> > One of my users has reported incoming mail failures, which I finally
> > tracked down. It turned out that Hotmail has seen fit to send the mail
> > to his domain's A record machine, despite the fact that he has valid MX records.
> >
> > The A record points to my webserver, which does not normally accept mail
> > for anyone. The mail server MX records are to an entirely different machine.
> >
> > Comments?
> >
> > Do I need more valium?
>
>
> If you subscribe to http://mailop.org and look in the archives, you'll see a thread named '[mailop] Hotmail ignoring MX, going direct to @ IN A? ' from March of this year (which carries over into April). In this thread Mark Foster encounters the same issue, and upon investigation others (including myself) see it as well.
>

Ahh - I knew I had seen this before, but thought it was here (nanog) rather
than on mailops. I think I may try setting the A record for the domain to
my mailserver, and letting the webserver there redirect the http requests.
I dislike putting a webserver on the unadorned domain, but out there in the
'real' world, folks seem to have become accustomed to leaving off the 'www'.

Thanks for the replies; I'll take this over to mailops if there is any more
to say. The funny thing is that this behavior with respect to Hotmail has not
affected any of the other couple of dozen domains with similar or identical
configurations here.

Oh, well.

-=[L]=-
--

marka at isc

Jul 26, 2012, 6:34 PM

Post #11 of 27 (1628 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

In message <A9A5C64B-831D-42BF-8A38-56CC3B9BAF48 [at] kapu>, Michael J Wise writ
es:
>
> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
>
> > The domain is cookephoto.com
>
> Why does mail.metron.com have MX records?

Why do you care? There is nothing wrong with having explict MX
records and they generally take up less room in a DNS cache then
the negative response does especially if it is DNSSEC signed.

> And they're different.

Again why do you care?

> $ host cookephoto.com
> cookephoto.com has address 192.160.193.89
> cookephoto.com mail is handled by 10 mail.metron.com.
> cookephoto.com mail is handled by 12 mail2.metron.com.
> cookephoto.com mail is handled by 15 mail.katz.com.
>
> $ host mail.metron.com
> mail.metron.com has address 192.160.193.14
> mail.metron.com mail is handled by 10 mail.metron.com.
> mail.metron.com mail is handled by 20 mail.katz.com.
>
> $ host mail.katz.com
> mail.katz.com has address 192.160.193.14
>
> $ host mail2.metron.com
> mail2.metron.com has address 209.204.189.91
>
> $ host plaid.metron.com
> plaid.metron.com has address 192.160.193.135
>
> Normally, in my experience, the actual mail server doesn't have MX
> records as such, but=85.
> Just seems 0dd.

All address record (A and AAAAA) have MX records. Some may be
implicit but as far as SMTP is concerned they all have MX records.

> Also, you say =85
>
> > At the time of the transaction, nothing special was happening here,
> ...
>
> Was anything strange happening with any of the DNS records for any of
> these domains in the past two days?
>
> Aloha,
> Michael.
> --
> "Please have your Internet License
> and Usenet Registration handy..."
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

mjwise at kapu

Jul 26, 2012, 7:28 PM

Post #12 of 27 (1629 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote:

> In message <A9A5C64B-831D-42BF-8A38-56CC3B9BAF48 [at] kapu>, Michael J Wise writ
> es:
>>
>> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
>>
>>> The domain is cookephoto.com
>>
>> Why does mail.metron.com have MX records?
>
> Why do you care? There is nothing wrong with having explict MX
> records and they generally take up less room in a DNS cache then
> the negative response does especially if it is DNSSEC signed.
>
>> And they're different.
>
> Again why do you care?

Why do *I* care?
I don't.

I'm just trying to find the weird bit that maybe is causing hotmail to stumble.
And maybe an endless loop for an MX lookup might be what is causing hotmail to panic and throw out the MX records.

>> $ host cookephoto.com
>> cookephoto.com has address 192.160.193.89
>> cookephoto.com mail is handled by 10 mail.metron.com.
>> cookephoto.com mail is handled by 12 mail2.metron.com.
>> cookephoto.com mail is handled by 15 mail.katz.com.
>>
>> $ host mail.metron.com
>> mail.metron.com has address 192.160.193.14
>> mail.metron.com mail is handled by 10 mail.metron.com.
>> mail.metron.com mail is handled by 20 mail.katz.com.
>>
>> $ host mail.katz.com
>> mail.katz.com has address 192.160.193.14
>>
>> $ host mail2.metron.com
>> mail2.metron.com has address 209.204.189.91
>>
>> $ host plaid.metron.com
>> plaid.metron.com has address 192.160.193.135
>>
>> Normally, in my experience, the actual mail server doesn't have MX
>> records as such, but=85.
>> Just seems 0dd.
>
> All address record (A and AAAAA) have MX records. Some may be
> implicit but as far as SMTP is concerned they all have MX records.
>
>> Also, you say =85
>>
>>> At the time of the transaction, nothing special was happening here,
>> ...
>>
>> Was anything strange happening with any of the DNS records for any of
>> these domains in the past two days?
>>
>> Aloha,
>> Michael.
>> --
>> "Please have your Internet License
>> and Usenet Registration handy..."
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

Aloha,
Michael.
--
"Please have your Internet License
and Usenet Registration handy..."

marka at isc

Jul 26, 2012, 7:45 PM

Post #13 of 27 (1633 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

In message <B59A4092-CE2F-44E4-84F9-77C18493AD95 [at] kapu>, Michael J Wise writ
es:
>
> On Jul 26, 2012, at 6:34 PM, Mark Andrews wrote:
>
> > In message <A9A5C64B-831D-42BF-8A38-56CC3B9BAF48 [at] kapu>, Michael J =
> Wise writ
> > es:
> >>=20
> >> On Jul 26, 2012, at 1:35 AM, Lou Katz wrote:
> >>=20
> >>> The domain is cookephoto.com
> >>=20
> >> Why does mail.metron.com have MX records?
> >=20
> > Why do you care? There is nothing wrong with having explict MX
> > records and they generally take up less room in a DNS cache then
> > the negative response does especially if it is DNSSEC signed.
> >=20
> >> And they're different.
> >=20
> > Again why do you care?
>
> Why do *I* care?
> I don't.
>
> I'm just trying to find the weird bit that maybe is causing hotmail to =
> stumble.
> And maybe an endless loop for an MX lookup might be what is causing =
> hotmail to panic and throw out the MX records.

You don't lookup MX records for MX targets. This is basic MTA
processing.

If the MX lookup fails, as apposed to returns nodata, you don't
lookup the A/AAAA records and synthesis a MX record. You treat it
as a soft error and queue for retry later. Again this is basic MTA
processing.

You don't depend on ALL (ANY) returning MX records as they may not
be in the cache. You need to make a explict MX query you get no
MX records are returned in response to a ALL query.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

scott at doc

Jul 27, 2012, 12:04 AM

Post #14 of 27 (1628 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Thu, Jul 26, 2012 at 7:45 PM, Mark Andrews <marka [at] isc> wrote:

> You don't lookup MX records for MX targets. This is basic MTA
> processing.
>
> If the MX lookup fails, as apposed to returns nodata, you don't
> lookup the A/AAAA records and synthesis a MX record. You treat it
> as a soft error and queue for retry later. Again this is basic MTA
> processing.
>

And yet, Hotmail apparently is doing the exact opposite of that. Which
means what 'should' happen or what 'should' be done isn't as relevant as we
would all it to be. Given this, considering "unusual" things like the
target of an MX record having an MX record it - whilst completely
irrelevant for a well-behaved mail server - might actually be relevant
here...

Scott.

dot at dotat

Jul 27, 2012, 4:16 PM

Post #15 of 27 (1623 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

That would be a seriously broken violation of the SMTP specification.

Tony.
--
f.anthony.n.finch <dot [at] dotat> http://dotat.at/

On 26 Jul 2012, at 08:21, Suresh Ramasubramanian <ops.lists [at] gmail> wrote:

> If the MX records are not responsive / timing out, they might be falling
> back to the A record.
>
> On Thu, Jul 26, 2012 at 12:44 PM, Lou Katz <lou [at] metron> wrote:
>
>> One of my users has reported incoming mail failures, which I finally
>> tracked down. It turned out that Hotmail has seen fit to send the mail
>> to his domain's A record machine, despite the fact that he has valid MX
>> records.
>>
>> The A record points to my webserver, which does not normally accept mail
>> for anyone. The mail server MX records are to an entirely different
>> machine.
>>
>
>
>
> --
> Suresh Ramasubramanian (ops.lists [at] gmail)

mysidia at gmail

Jul 27, 2012, 6:00 PM

Post #16 of 27 (1623 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On 7/27/12, Tony Finch <dot [at] dotat> wrote:
> That would be a seriously broken violation of the SMTP specification.
I would definitely agree it would be quite broken behavior, but you
know, I never said Hotmail's processing wasn't broken -- only that
they seem to honor MX records in the common case. If you are doing
something unusual like "mail MX bla bla"

I would say you can't rule that out as a possible cause, just because
some RFC suggests it should be OK.

The spec does say that you're not allowed to chain MX records. But
i'm not so sure that the specification actually prohibits a SMTP
server from doing that, if someone
does try to chain MX records.

it may also be out of spec to have a "MX" record point to a
dns label that a MX record exists for in the first place.

> Tony.
> --
> f.anthony.n.finch <dot [at] dotat> http://dotat.at/
--
-JH

dmiller at tiggee

Jul 27, 2012, 6:40 PM

Post #17 of 27 (1622 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On 7/27/2012 9:00 PM, Jimmy Hess wrote:
> On 7/27/12, Tony Finch <dot [at] dotat> wrote:
>> That would be a seriously broken violation of the SMTP specification.
> I would definitely agree it would be quite broken behavior, but you
> know, I never said Hotmail's processing wasn't broken -- only that
> they seem to honor MX records in the common case. If you are doing
> something unusual like "mail MX bla bla"
>
> I would say you can't rule that out as a possible cause, just because
> some RFC suggests it should be OK.
>
> The spec does say that you're not allowed to chain MX records. But
> i'm not so sure that the specification actually prohibits a SMTP
> server from doing that, if someone
> does try to chain MX records.
>
> it may also be out of spec to have a "MX" record point to a
> dns label that a MX record exists for in the first place.

MX records don't "chain".

If they did, then

example.com. 1800 IN MX 10 example.com.

would be an infinite loop. This isn't an infinite loop and is instead a
perfectly valid configuration.

If you made a DNS query for the MX records for example.com you would get
back an answer that might include:

;; ANSWER SECTION:
example.com. 1800 IN MX 10 example.com.

;; ADDITIONAL SECTION:
example.com. 1800 IN A 10.10.10.10

From RFC 1035:

3.3.9. MX RDATA format

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| PREFERENCE |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ EXCHANGE /
/ /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

PREFERENCE A 16 bit integer which specifies the preference given to
this RR among others at the same owner. Lower values
are preferred.

EXCHANGE A <domain-name> which specifies a host willing to act as
a mail exchange for the owner name.

MX records cause type A additional section processing for the host
specified by EXCHANGE. The use of MX RRs is explained in detail in
[RFC-974].

-DMM

mjwise at kapu

Jul 27, 2012, 7:30 PM

Post #18 of 27 (1620 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 27, 2012, at 6:40 PM, David Miller wrote:

> MX records don't "chain".

But they do, "Expand".
And I can think of a way whereby if an MX record referenced itself, *AND* included something extra � (did you see the something extra?)

That it would be possible (and I'm not saying this is what is happening, but � it could be) �
That an internal process could go resolving MX records, and adds them all to an internal table, until it figures it's got 'em all�

"Gotta Get 'Em All!"

� and maybe, just maybe � it exhausts the table space, and gives up, and tries the A record.

I'm not saying this would be "Standard".
I'm not saying this is the best, or perhaps even an acceptable way to do it.
Or that it is in fact what is happening.

But the config looked weird, and I can imagine � a system being written as described � and breaking just this way given that MX configuration.
I can imagine Test � not catching it.

Aloha,
Michael.
--
"Please have your Internet License
and Usenet Registration handy..."

marka at isc

Jul 27, 2012, 8:47 PM

Post #19 of 27 (1617 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

In message <25F0B21A-0319-45E3-9DBF-9906CB77AC6C [at] kapu>, Michael J Wise writ
es:
>
> On Jul 27, 2012, at 6:40 PM, David Miller wrote:
>
> > MX records don't "chain".
>
> But they do, "Expand".
> And I can think of a way whereby if an MX record referenced itself, =
> *AND* included something extra =85 (did you see the something extra?)
>
> That it would be possible (and I'm not saying this is what is happening, =
> but =85 it could be) =85
> That an internal process could go resolving MX records, and adds them =
> all to an internal table, until it figures it's got 'em all=85
>
> "Gotta Get 'Em All!"
>
> =85 and maybe, just maybe =85 it exhausts the table space, and gives up, =
> and tries the A record.
>
> I'm not saying this would be "Standard".

It would be broken. MX records say which machines are set up to receive
email for a domain. Delivering it elsewhere, unless explicitly overridden
(e.g. smarthost), is a security flaw in the MTA.

> I'm not saying this is the best, or perhaps even an acceptable way to do =
> it.
> Or that it is in fact what is happening.
>
> But the config looked weird, and I can imagine =85 a system being =
> written as described =85 and breaking just this way given that MX =
> configuration.
> I can imagine Test =85 not catching it.
>
> Aloha,
> Michael.
> --=20
> "Please have your Internet License =20
> and Usenet Registration handy..."
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka [at] isc

mjwise at kapu

Jul 27, 2012, 9:45 PM

Post #20 of 27 (1626 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Jul 27, 2012, at 8:47 PM, Mark Andrews wrote:

> In message <25F0B21A-0319-45E3-9DBF-9906CB77AC6C [at] kapu>, Michael J Wise writ
> es:
>>
>> On Jul 27, 2012, at 6:40 PM, David Miller wrote:
>>
>>> MX records don't "chain".
>>
>> But they do, "Expand".
>> And I can think of a way whereby if an MX record referenced itself, =
>> *AND* included something extra =85 (did you see the something extra?)
>>
>> That it would be possible (and I'm not saying this is what is happening, =
>> but =85 it could be) =85
>> That an internal process could go resolving MX records, and adds them =
>> all to an internal table, until it figures it's got 'em all=85
>>
>> "Gotta Get 'Em All!"
>>
>> =85 and maybe, just maybe =85 it exhausts the table space, and gives up, =
>> and tries the A record.
>>
>> I'm not saying this would be "Standard".
>
> It would be broken.

I'm not disputing it.
I'm also not saying it is, or it isn't, because I don't know.
What I am saying is, what I do know is, that you probably can't open a Sev A DCR ticket with HotMail, and neither can I.

That, and � it would seem there may be two things broken.
And that fixing the MX "recursion" may re-cloak the apparent bug in HotMail.
Maybe.

Which one can be fixed faster?

Aloha,
Michael.
--
"Please have your Internet License
and Usenet Registration handy..."

bill at herrin

Jul 29, 2012, 6:46 PM

Post #21 of 27 (1600 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Thu, Jul 26, 2012 at 10:45 PM, Mark Andrews <marka [at] isc> wrote:
> In message <B59A4092-CE2F-44E4-84F9-77C18493AD95 [at] kapu>, Michael J Wise writ
> es:
>> And maybe an endless loop for an MX lookup might be what is causing =
>> hotmail to panic and throw out the MX records.
>
> You don't lookup MX records for MX targets. This is basic MTA
> processing.

Correct. An MX record points to a label containing one or more address
records. It does not chain. In principle the MX record could point to
a CNAME record which then chains until it reaches an address record
but I wouldn't depend on such a configuration working correctly. Ditto
the MX lookup fetching a CNAME which chains until it reaches a label
with an MX record.

> You don't depend on ALL (ANY) returning MX records as they may not
> be in the cache. You need to make a explict MX query you get no
> MX records are returned in response to a ALL query.

Also correct.

> If the MX lookup fails, as apposed to returns nodata, you don't
> lookup the A/AAAA records and synthesis a MX record. You treat it
> as a soft error and queue for retry later. Again this is basic MTA
> processing.

Maybe. In principle this is correct but as you wander through various
bits of software in the name lookup process (which often consults more
than just the DNS -- even today DNS isn't the only game in town) it's
pretty easy to lose track of the difference between lookup failure and
success:no data.

Think about it... how is the MTA to respond if the primary lookup
reports success:no data (e.g. /etc/hosts) but a second tier lookup
(e.g. DNS) reports lookup failure? What if DNS is third tier and the
second tier is some kind of CIFS or NIS lookup which fails? Or reports
success:no data. Or the DNS gets translated through a middleman (like
NIS) which doesn't preserve the difference between fail and success no
data. Does the whole lookup fail because part did? Gets ambiguous.

Further, falling back to the address lookup in the absence of MX
records is correct behavior for an MTA.

What *should* happen here is that the guy's web server should reject
the port 25 connection (an SMTP soft fail condition) and on the next
retry hotmail should find the MX record and follow it.

Either way, I think I'd have to consider this -advanced- MTA
processing. You have to really know your stuff to get this one right.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

marka at isc

Jul 30, 2012, 10:03 AM

Post #22 of 27 (1599 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

In message <CAP-guGVuNoqRhGw_UMVQtkJ-zToM8NGB2aLk=wjtc0J7Fh8XUw [at] mail>, William Herrin writes:
> On Thu, Jul 26, 2012 at 10:45 PM, Mark Andrews <marka [at] isc> wrote:
> > In message <B59A4092-CE2F-44E4-84F9-77C18493AD95 [at] kapu>, Michael J Wise writ
> > es:
> >> And maybe an endless loop for an MX lookup might be what is causing =
> >> hotmail to panic and throw out the MX records.
> >
> > You don't lookup MX records for MX targets. This is basic MTA
> > processing.
>
> Correct. An MX record points to a label containing one or more address
> records. It does not chain. In principle the MX record could point to
> a CNAME record which then chains until it reaches an address record
> but I wouldn't depend on such a configuration working correctly. Ditto
> the MX lookup fetching a CNAME which chains until it reaches a label
> with an MX record.
>
> > You don't depend on ALL (ANY) returning MX records as they may not
> > be in the cache. You need to make a explict MX query you get no
> > MX records are returned in response to a ALL query.
>
> Also correct.
>
> > If the MX lookup fails, as apposed to returns nodata, you don't
> > lookup the A/AAAA records and synthesis a MX record. You treat it
> > as a soft error and queue for retry later. Again this is basic MTA
> > processing.
>
> Maybe. In principle this is correct but as you wander through various
> bits of software in the name lookup process (which often consults more
> than just the DNS -- even today DNS isn't the only game in town) it's
> pretty easy to lose track of the difference between lookup failure and
> success:no data.

But it is the only ones that returns MX records. If that step
errors you need to retry later. If you get NXDOMAIN you go onto
other address sources.

> Think about it... how is the MTA to respond if the primary lookup
> reports success:no data (e.g. /etc/hosts) but a second tier lookup
> (e.g. DNS) reports lookup failure? What if DNS is third tier and the
> second tier is some kind of CIFS or NIS lookup which fails?

MX records can't be lookup up in /etc/hosts or in CIFS / NIS. You
only look for address records *after* the MX lookup fails.

> Or reports
> success:no data. Or the DNS gets translated through a middleman (like
> NIS) which doesn't preserve the difference between fail and success no
> data. Does the whole lookup fail because part did? Gets ambiguous.
>
> Further, falling back to the address lookup in the absence of MX
> records is correct behavior for an MTA.

The key words above are "in the absence". Until you have determined
that they are absent you don't fall back.

> What *should* happen here is that the guy's web server should reject
> the port 25 connection (an SMTP soft fail condition) and on the next
> retry hotmail should find the MX record and follow it.

No. It is perfectly legal for A to accept mail for B, B for C, C
for D and D for A with all mail being delivered to a host with a
different name than the mail domain. It is not and never has been
correct processing to lookup addresses records for a domain if the
MX lookup fails. nodata/nxdomain are not failures.

> Either way, I think I'd have to consider this -advanced- MTA
> processing. You have to really know your stuff to get this one right.

No. This is the behaviour you get with a MX oblivious MTA.

> Regards,
> Bill Herrin
>
>
>
> --
> William D. Herrin ................ herrin [at] dirtside bill [at] herrin
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
--
Mark Andrews, ISC 1 Seymour St., Dundas
Valley, NSW 2117, Australia PHONE: +61 2 9871 4742
INTERNET: marka [at] isc

bill at herrin

Jul 30, 2012, 1:07 PM

Post #23 of 27 (1585 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Mon, Jul 30, 2012 at 7:03 AM, Mark Andrews <marka [at] isc> wrote:
> In message <CAP-guGVuNoqRhGw_UMVQtkJ-zToM8NGB2aLk=wjtc0J7Fh8XUw [at] mail>, William Herrin writes:
>> What *should* happen here is that the guy's web server should reject
>> the port 25 connection (an SMTP soft fail condition) and on the next
>> retry hotmail should find the MX record and follow it.
>
> No. It is perfectly legal for A to accept mail for B, B for C, C
> for D and D for A with all mail being delivered to a host with a
> different name than the mail domain. It is not and never has been
> correct processing to lookup addresses records for a domain if the
> MX lookup fails. nodata/nxdomain are not failures.

Hi Mark,

If you can reference where in the SMTP RFC it offers an authoritative
explanation what to do when merging results from various naming
systems where one but not all of the naming systems has generated an
error then let's read it. If not... your common sense says one thing,
mine says another and folks implementing mail systems should be aware
the implications.

Until then, my view is that a lookup failure when seeking an MX record
should only block the MTA from seeking an address record in the DNS.
It should still seek an address record in higher priority naming
systems and use it if it finds one. If correct, and I think it is,
that's a pretty subtle thing to program for... something easily gotten
wrong.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

valdis.kletnieks at vt

Jul 30, 2012, 1:26 PM

Post #24 of 27 (1575 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On Mon, 30 Jul 2012 10:07:37 -1000, William Herrin said:

> If you can reference where in the SMTP RFC it offers an authoritative
> explanation what to do when merging results from various naming
> systems where one but not all of the naming systems has generated an
> error then let's read it.

RFC5321, section 5.1 is pretty clear on it:

5.1. Locating the Target Host

Once an SMTP client lexically identifies a domain to which mail will
be delivered for processing (as described in Sections 2.3.5 and 3.6),
a DNS lookup MUST be performed to resolve the domain name (RFC 1035
[2]). The names are expected to be fully-qualified domain names
(FQDNs): mechanisms for inferring FQDNs from partial names or local
aliases are outside of this specification.

The Internet uses DNS. You use some other scheme at your own peril,
and probably shouldn't expect said other scheme to work outside the
range of your administrative control.

mysidia at gmail

Jul 30, 2012, 7:27 PM

Post #25 of 27 (1573 views)
Permalink

Re: Is Hotmail in the habit of ignoring MX records? [In reply to]

On 7/30/12, valdis.kletnieks [at] vt <valdis.kletnieks [at] vt> wrote:
> On Mon, 30 Jul 2012 10:07:37 -1000, William Herrin said:
> The Internet uses DNS. You use some other scheme at your own peril,

Aside from that RFC974 [Page 3] gives mailers significant leeway in
deciding how to handle errors:

" Mailers are expected to do something reasonable in the face of an
error. The behaviour for each type of error is not specified here,
but implementors should note that different types of errors should
probably be treated differently. "

Attempting to find another path for an apparently unroutable message
(all MX offline) is not entirely out of the question. You may not
assume that such measures will not be attempted, if anyone could
consider it a 'reasonable' error handling procedure.

I will echo that; go back to the robustness principal of being
liberal in what you accept.... You should either not listen on port
25, or you should not create that A record pointing to a mail
server that won't actually accept mail.

When "yourdomain.example.com" has an A record, all the services
listening on that address are services for the domain.

"Relay not allowed" to the same domain may be considered
nonsensical, and a mailer converting its error recovery attempt into
a permanent error at that point, may be reasoned.

--
-JH

1 2

View All

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads