Solved

CNAME in MX record (Urgent)

Posted on 2007-11-13
Last Modified: 2013-12-18
I failed to send mail to "cficarbonfilm.com". After I did the mail test at www.dnsstuff.com, it showed the content below. I don't understand what it means. Can anyone kindly explain it to me and offer any advice? Many thanks. I am new to MX and DNS.

Getting MX record for cficarbonfilm.com (from local DNS server, may be cached)... Got it!

Host                        Preference   IP(s) [Country]
smtpmx.cficarbonfilm.com.   10           208.70.188.60 [US]
--------------------------------------------------------------------------------


Step 1:  Try connecting to the following mailserver:
         [ERROR: A CNAME appeared in the MX records; this is not valid (per RFCs 974 "Minor Special Issues" section, and 1034 section 3.6.2.
          Mailservers are not required to send E-mail to smtpmx.cficarbonfilm.com.]
CNAME(s) I found are: [smtpmx.cficarbonfilm.com. CNAME pe.vmx.terra.com.]
         smtpmx.cficarbonfilm.com. - 208.70.188.60

Step 2:  If still unsuccessful, queue the E-mail for later delivery.


Note: if you enter an entire E-mail address (such as postmaster@cficarbonfilm.com), we will try to connect
to each mailserver to ensure that they are live and accept mail to the cficarbonfilm.com domain.
NOTE: This tool does NOT attempt to determine if an E-mail address exists!
Question by:yeko

Accepted Solution

by:
benhanson earned 100 total points
Using nslookup (a command-line tool on most OSes; Mac OS X 10.4.10 in this case) to query DNS records:

First I set the type of record I am querying for, in this case an MX record. An MX record is a Mail eXchanger record; these are pretty much the core of how email is routed all over the internet.
> set type=mx
Then I put in the address I would like an MX record for
> cficarbonfilm.com

Non-authoritative answer:
cficarbonfilm.com       mail exchanger = 10 smtpmx.cficarbonfilm.com.

Authoritative answers can be found from:
cficarbonfilm.com       nameserver = huascaran.tdp.net.pe.
cficarbonfilm.com       nameserver = huandoy.tdp.net.pe.
huandoy.tdp.net.pe      internet address = 200.37.224.10
huascaran.tdp.net.pe    internet address = 200.37.195.10

This tells me that the MX record has a weight of 10 and an address of smtpmx.cficarbonfilm.com. Nothing special here, just a server name.

Now I set the type back to 'a' which is the default type.  An 'A' Record is just a standard name record.  Generally an A record will point to an IP address.
> set type=a
> smtpmx.cficarbonfilm.com


Non-authoritative answer:
smtpmx.cficarbonfilm.com        canonical name = pe.vmx.terra.com.
Name:   pe.vmx.terra.com
Address: 208.70.188.60
>

So the record for smtpmx.cficarbonfilm.com isn't actually an A record, but a CNAME record which means it points to another A Record, pe.vmx.terra.com to be exact.  Basically, your MX record should just point directly to pe.vmx.terra.com.  MS has a decent article on it:
http://support.microsoft.com/kb/153001

From that article:

company.com.      MX 10       mail.company.com.
mail.company.com.    IN CNAME    server.company.com.

When you address mail to "admin@company.com" with the above configuration, the sending host might detect the fact that the "mail.company.com" is an alias and rewrite the RCPT-TO command to "server.company.com". Thus, the mail envelope written during SMTP mail transmission might be changed to "admin@server.company.com". If the mail system isn't configured to accept mail for "server.company.com" the message may be returned as undeliverable. This issue can be difficult to detect since the body of the message with the TO: line is left unchanged.

Assisted Solution

by:maabu
maabu earned 100 total points
You cannot have a CNAME in your MX record.  

It should look like this in your DNS hosts file for domain.com:

 IN MX 10 mymailserver.domain.com.

...

 mymailserver  IN  A  1.2.3.4   ; 1.2.3.4 = your numeric ip address

Avoid defining mymailserver as a CNAME of another host.
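The check described in the answers above can be run against a zone file before it is published. This is an added example, not code from any poster in the thread: it flags MX targets that are CNAME owners and, as an extra check beyond the CNAME case, MX targets written as IP literals (MX RDATA is a host name). The zone contents, the `company.example.` origin and all function names are constructed for illustration, and the parser handles only the simple one-record-per-line layout shown in this thread.

```python
import ipaddress

# Constructed sample zone; names and addresses are illustrative only.
ZONE = """\
@       IN MX    10 mail
        IN MX    20 backup.company.example.
        IN MX    30 192.0.2.30
mail    IN CNAME server
server  IN A     192.0.2.10
backup  IN A     192.0.2.20
"""

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin):
    """Parse simplified zone-file lines into (owner, type, rdata_fields)."""
    owner, records = origin, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():                  # owner column present,
            owner = fqdn(fields.pop(0), origin)    # otherwise inherit the previous one
        while fields[0].isdigit() or fields[0].upper() == "IN":
            fields.pop(0)                          # skip optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False

def lint_mx(text, origin):
    """Return (owner, preference, target, problem) for each MX that needs fixing."""
    records = parse_zone(text, origin)
    cnames = {o: fqdn(f[0], origin) for o, t, f in records if t == "CNAME"}
    findings = []
    for owner, _, f in (r for r in records if r[1] == "MX"):
        target = fqdn(f[1], origin)
        if is_ip_literal(f[1]):                    # MX RDATA must be a host name
            findings.append((owner, int(f[0]), f[1], "IP literal, not a host name"))
        elif target in cnames:                     # the error reported in this thread
            findings.append((owner, int(f[0]), target, f"CNAME for {cnames[target]}"))
    return findings

if __name__ == "__main__":
    print(*lint_mx(ZONE, "company.example."), sep="\n")
```
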
 

Author Comment

by:yeko
Thanks for the advice.
When I use web mail, such as Gmail, to send a test mail to abc@cficarbonfilm.com, the receiver can receive the mail.
My environment is using sendmail and BIND as the SMTP server and DNS server. What can I do to make
it work like Gmail? Many thanks.

Assisted Solution

by:qwaletee
qwaletee earned 200 total points
The above comments are all correct, but let me give you some perspective on what's going on here.

DNS is obviously useful, or we would be using IP addresses in web sites and e-mail.  Can you imagine having to reach this question as http://64.156.132.140/Software/Server_Software/Email_Servers/Q_22959207.html?cid=359

...or sending messages to george.w.bush@63.161.169.140 instead of george.w.bush@whitehouse.gov

So the basic DNS record is to translate a name to a number.

Mail needs special handling.  Why? A few reasons. First, it was very common to have the following servers:
file transfer -- ftp.****.com
web -- www.****.com
mail -- ****.com
Notice how most web servers started with www, ftp servers started with ftp, but mail addresses are not usually @smtp.****.com or @mail.****.com? People wanted the mail addresses simpler, so they typically wanted only one dot, not two (i.e., two parts in the name not three). But you don't want to "reserve" the whole top-level name just for the mail server!

Also, mail is typically the busiest server in a domain, because it processes all those individual mail messages. Web servers and ftp servers usually have fewer connections. Also, if a web server is down, people would generally try again later. If a mail server was down, a backlog was created. So technicians wanted to be able to specify multiple mail servers for a domain, with different priorities (main, backup). So a special type of address was set up in DNS that satisfied these two needs, the MX record (for Mail eXchanger).

What the MX record does is that it sits outside the usual name/address set of records. I can have qwaletee.com point to 1.2.3.4, yet put mail servers at 5.6.7.8 and 5.6.7.9, even though the mail server also services qwaletee.com. This allows me to separate the functions of qwaletee.com into mail-handling and "everything-else-handling" addresses. Also, with MX, I can add a priority (called an MX preference level).

OK, so now I can have my regular qwaletee.com at 1.2.3.4 (called an A record)
And my mail servers at 5.6.7.8 priority 10 / 5.6.7.9 priority 20

But the MX designers added one more trick. Since my mail server is also a regular computer, with unique names for the two different priority servers, I might have an A record associated with each one anyway. Why not allow the MX to point to the NAME instead of the NUMBER?  Otherwise, if I change the address of my server, I have to change it in two places -- the A record *and* the MX record. If I allow the MX to point to a name instead of an IP address, then I only have to change the A record if my mail server address changes. The MX stays the same, but everything still works, since MX -> A, and A -> new IP address anyway.

So, what's a CNAME? Well, it is sort of like an MX record for non-mail purposes. Let's say I have a web site. Same type of setup -- multiple servers, each with their own name, but www.qwaletee.com also pointing to each of them. If I change IP addresses, I have to update their regular names (say, web1.qwaletee.com and web2.qwaletee.com), but I also have to update both of the www.qwaletee.com to point to the same two new addresses. With mail servers that was no problem, because the MX record pointed to the A, and I only had to change one A for each server. But here, I have to change each one twice.  Enter the CNAME. I only use A for the unique server names, one A per server. The CNAME, www.qwaletee.com, points to the two A records. If the A record changes, the CNAME that matches up to the A names, automatically reflects the change.

So, an "A" type name always resolves to an IP address

And, an "MX" type name normally resolves to one or more A names (with priorities), and a second DNS check is done to get the final address from an A name

Finally, a CNAME always resolves to one or more A names, and a second DNS check is done to get the final address from an A name.

Notice how CNAMEs do almost the same thing as A names? Then why would you have an MX point to a CNAME instead of an A name? It would require a third DNS check, without providing that much benefit.  Truth is, I can see some good reasons for having MX point to CNAME, but it wouldn't be a major difference, and the specifications were never set up to allow it, so we just don't do it.  Once in a while, someone sets up an A name, and later changes it to a CNAME to avoid future update problems, and forgets that there was an MX pointing to the old A, ergo, the MX which still points to the same name, is now pointing to a CNAME instead of an A name, and is technically out of compliance.  That may be what happened to you!

To fix it, your MX should point to 208.70.188.60 instead of pe.vmx.terra.com. Now I realize that means if your ISP, terra.com, ever changes the IP address of their SMTP relay that you rely on, you will have to update it at the same time that they update it. That's why I think the MX specification SHOULD allow CNAMEs. But it doesn't, so you should fix it.

Expert Comment

by:qwaletee
Hmm, just realized, you are trying to SEND to cficarbonfilm.com. They are the ones out of compliance.

Even so, if you are using a SendMail server, I believe you can configure it to allow CNAME lookups... I think it even does this by default (it just tries to open a socket to one of the MX targets, and that will work whether the target is an IP, or a name that resolves via either A or CNAME). So there may be a more complicated problem going on there.

Check your SendMail logs to see where it tried sending the message.

Expert Comment

by:maabu
I think we need more information on your issue.

Where are you trying to send e-mail from that you are having a problem?  What other error messages are you getting besides the DNSstuff report?  I assume you don't control the domain cficarbonfilm.com?  You are running a different server trying to send mail to that host, which you don't control?

Expert Comment

by:benhanson
So you don't control carbonfilm.com, you are just trying to get bind to disregard the carbonfilm.com DNS problems?

I believe you are looking for the following config option in Sendmail, adding define(`confDONT_EXPAND_CNAMES', `True') to your sendmail config.  Are you familiar with sendmail config files?

confDONT_EXPAND_CNAMES      DontExpandCnames
                              [False] If set, $[ ... $] lookups that
                              do DNS based lookups do not expand
                              CNAME records.  This currently violates
                              the published standards, but the IETF
                              seems to be moving toward legalizing
                              this.  For example, if "FTP.Foo.ORG"
                              is a CNAME for "Cruft.Foo.ORG", then
                              with this option set a lookup of
                              "FTP" will return "FTP.Foo.ORG"; if
                              clear it returns "Cruft.FOO.ORG".  N.B.
                              you may not see any effect until your
                              downstream neighbors stop doing CNAME
                              lookups as well.

Assisted Solution

by:qwaletee
qwaletee earned 200 total points
From RFC 2821 @ http://www.ietf.org/rfc/rfc2821.txt

CNAME is clearly allowed, but it is unclear whether the CNAME can only vector INTO the MX, or whether the MX can also vector to a CNAME.

. Address Resolution and Mail Handling

   Once an SMTP client lexically identifies a domain to which mail will
   be delivered for processing (as described in sections 3.6 and 3.7), a
   DNS lookup MUST be performed to resolve the domain name [22].  The
   names are expected to be fully-qualified domain names (FQDNs):
   mechanisms for inferring FQDNs from partial names or local aliases
   are outside of this specification and, due to a history of problems,
   are generally discouraged.  The lookup first attempts to locate an MX
   record associated with the name.  If a CNAME record is found instead,
   the resulting name is processed as if it were the initial name.  If
   no MX records are found, but an A RR is found, the A RR is treated as
   if it was associated with an implicit MX RR, with a preference of 0,
   pointing to that host.  If one or more MX RRs are found for a given
   name, SMTP systems MUST NOT utilize any A RRs associated with that
   name unless they are located using the MX RRs; the "implicit MX" rule
   above applies only if there are no MX records present.  If MX records
   are present, but none of them are usable, this situation MUST be
   reported as an error.

   When the lookup succeeds, the mapping can result in a list of
   alternative delivery addresses rather than a single address, because
   of multiple MX records, multihoming, or both.  To provide reliable
   mail transmission, the SMTP client MUST be able to try (and retry)
   each of the relevant addresses in this list in order, until a
   delivery attempt succeeds.  However, there MAY also be a configurable
   limit on the number of alternate addresses that can be tried.  In any
   case, the SMTP client SHOULD try at least two addresses.



Klensin                     Standards Track                    [Page 60]

RFC 2821             Simple Mail Transfer Protocol            April 2001


   Two types of information is used to rank the host addresses: multiple
   MX records, and multihomed hosts.

   Multiple MX records contain a preference indication that MUST be used
   in sorting (see below).  Lower numbers are more preferred than higher
   ones.  If there are multiple destinations with the same preference
   and there is no clear reason to favor one (e.g., by recognition of an
   easily-reached address), then the sender-SMTP MUST randomize them to
   spread the load across multiple mail exchangers for a specific
   organization.

   The destination host (perhaps taken from the preferred MX record) may
   be multihomed, in which case the domain name resolver will return a
   list of alternative IP addresses.  It is the responsibility of the
   domain name resolver interface to have ordered this list by
   decreasing preference if necessary, and SMTP MUST try them in the
   order presented.

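The lookup and ordering rules in the RFC text quoted above, as an added example that is not part of the original post or of any mail server's code. The `DNS` table is constructed sample data standing in for a resolver, and `follow_mx_cname` is a hypothetical switch modelling the two readings debated in this thread: treating an MX target that is a CNAME as unusable, or following the alias.

```python
import random

# Constructed records for illustration: {(name, type): [rdata, ...]}.
DNS = {
    ("shop.example.", "CNAME"): ["corp.example."],
    ("corp.example.", "MX"): [(20, "mx-b.corp.example."),
                              (10, "smtpmx.corp.example."),
                              (20, "mx-c.corp.example.")],
    ("smtpmx.corp.example.", "CNAME"): ["relay.isp.example."],
    ("relay.isp.example.", "A"): ["192.0.2.60"],
    ("mx-b.corp.example.", "A"): ["192.0.2.61", "192.0.2.62"],
    ("mx-c.corp.example.", "A"): ["192.0.2.63"],
    ("legacy.example.", "A"): ["192.0.2.70"],
}

class NoUsableMX(Exception):
    """MX records exist but none yields an address: report an error."""

def delivery_order(domain, dns=DNS, follow_mx_cname=False, rng=random):
    """Return (preference, mx_host, address) tuples in the order to try them."""
    if (domain, "CNAME") in dns:
        # A CNAME found in place of MX: process the resulting name as the initial name.
        domain = dns[(domain, "CNAME")][0]
    mx = list(dns.get((domain, "MX"), []))
    if not mx:
        if (domain, "A") not in dns:
            raise LookupError(f"no MX or A record for {domain}")
        mx = [(0, domain)]                 # implicit MX with preference 0
    rng.shuffle(mx)                        # randomize equal-preference exchangers...
    mx.sort(key=lambda rec: rec[0])        # ...then stable-sort, lowest preference first
    candidates = []
    for pref, host in mx:
        target = host
        if (host, "CNAME") in dns:         # the case this thread is about
            if not follow_mx_cname:
                continue                   # strict reading: target is not usable
            target = dns[(host, "CNAME")][0]
        # Addresses of a multihomed host are tried in the order the resolver gave them.
        candidates += [(pref, host, addr) for addr in dns.get((target, "A"), [])]
    if not candidates:
        raise NoUsableMX(domain)
    return candidates

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient",
              delivery_order("shop.example.", follow_mx_cname=not strict))
```

With the strict setting the preferred exchanger (preference 10) is skipped and mail goes to the preference-20 hosts, which is why a sender that rejects MX-to-CNAME can behave differently from one that follows the alias.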
 

Assisted Solution

by:gheist
gheist earned 100 total points
MX record should point to IN A record
CNAME or IP literal will fail.

That works this way because SMTP was on internet before CNAME

Maabu answered the question.
If the recipients are important, then while explaining the problem to them you can manually add a smarthost for their domain pointing to their IP.

I have two such entries for ~1500 users in my domain.

Expert Comment

by:gheist
If you have both CNAME and MX it leads to dual interpretation.
Firsthand mailer should look up MX record then A record.
But DNS resolver in case of CNAME should direct all further requests to CNAME destination.

As a result your mailer may get MX and A from CNAME destination without ability to distinguish.

Only use for CNAME is when WWW server uses virtual hosting somewhere else like
www.someone.org CNAME hosting.company.com
nobody will send mail to @www.someone.org and nobody will run into unclear interpretation of DNS content