siskinds
asked on
Exchange SMTP 5.5.0 "Not permitted to relay" - possible issues with MX record resolution
We have a member of our staff who is attempting to send e-mail to a partner organization (domain barringtongroup.org) and is periodically receiving SMTP 5.5.0 bounce messages which indicate that our Exchange server is unable to relay. After a great deal of waiting for the intermittent problem to happen again with SMTP logging enabled, it has and it comes to light that the failed relay attempts are connecting to the wrong SMTP server.
It goes like this: the partner organization uses a web and email services company called Roar Solutions. The actual mail servers for the domain barringtongroup.org are listed in their MX records to be:
mx1.emailsrvr.com and
mx2.emailsrvr.com
which appear to be part of a mail service provided by Rackspace. In every instance where we have successfully delivered mail to the barringtongroup.org domain, it's been to one of those hosts. However, the recently logged failure showed an SMTP session (and subsequent relay rejection) with the host 204.11.51.196. This machine is tin.niatech.ca, which is the primary nameserver listed in the SOA for barringtongroup.org.
It also happens to be, in addition to a nameserver:
a) the web server for barringtongroup.org
b) an SMTP server
which gels with the relay rejection when we try to deliver to the barringtongroup.org domain.
Anyway, three nameservers are listed in the SOA record for barringtongroup.org:
tin.niatech.ca
graphite.niatech.ca
tiger.roarsolutions.com
However, tiger.roarsolutions.com is not listed in the NS records at the parent server, and while the MX records for barringtongroup.org are present on the tiger NS, there are no A records for the aforementioned mx1 and mx2 hosts.
Now, I know that when an MX record can't be resolved for a domain successfully, Exchange will fall back on the A record for the domain. And, no surprise, the A record for barringtongroup.org is for 204.11.51.196.
Therefore, my thinking goes like this:
Successful instances:
1) DNS resolves using tin.niatech.ca, graphite.niatech.ca, or another server with the appropriate MX and A records
2) SMTP connection is made to mx1 or mx2 and the mail goes through
Failed instances:
1) DNS resolves using tiger.roarsolutions.com, which has the MX records but no A records for the MX hosts. This NS is authoritative, so MX lookup ultimately fails.
2) Exchange falls back to the A record for barringtongroup.org, 204.11.51.196.
3) 204.11.51.196 tells us to buzz off, given that we're trying to relay.
This is what I have put together from the evidence available to me and my (middling) knowledge of DNS. What I'm really looking for is a confirmation or denial of my suspicions from someone more knowledgeable about DNS than me, as the technical staff at Roar Solutions have flatly asserted that the problem is on our end and I can't agree with that assessment. I'm really looking to prove my case to them, more than anything else.
Anyone? :-)
It goes like this: the partner organization uses a web and email services company called Roar Solutions. The actual mail servers for the domain barringtongroup.org are listed in their MX records to be:
mx1.emailsrvr.com and
mx2.emailsrvr.com
which appear to be part of a mail service provided by Rackspace. In every instance where we have successfully delivered mail to the barringtongroup.org domain, it's been to one of those hosts. However, the recently logged failure showed an SMTP session (and subsequent relay rejection) with the host 204.11.51.196. This machine is tin.niatech.ca, which is the primary nameserver listed in the SOA for barringtongroup.org.
It also happens to be, in addition to a nameserver:
a) the web server for barringtongroup.org
b) an SMTP server
which gels with the relay rejection when we try to deliver to the barringtongroup.org domain.
Anyway, three nameservers are listed in the SOA record for barringtongroup.org:
tin.niatech.ca
graphite.niatech.ca
tiger.roarsolutions.com
However, tiger.roarsolutions.com is not listed in the NS records at the parent server, and while the MX records for barringtongroup.org are present on the tiger NS, there are no A records for the aforementioned mx1 and mx2 hosts.
Now, I know that when an MX record can't be resolved for a domain successfully, Exchange will fall back on the A record for the domain. And, no surprise, the A record for barringtongroup.org is for 204.11.51.196.
Therefore, my thinking goes like this:
Successful instances:
1) DNS resolves using tin.niatech.ca, graphite.niatech.ca, or another server with the appropriate MX and A records
2) SMTP connection is made to mx1 or mx2 and the mail goes through
Failed instances:
1) DNS resolves using tiger.roarsolutions.com, which has the MX records but no A records for the MX hosts. This NS is authoritative, so MX lookup ultimately fails.
2) Exchange falls back to the A record for barringtongroup.org, 204.11.51.196.
3) 204.11.51.196 tells us to buzz off, given that we're trying to relay.
This is what I have put together from the evidence available to me and my (middling) knowledge of DNS. What I'm really looking for is a confirmation or denial of my suspicions from someone more knowledgeable about DNS than me, as the technical staff at Roar Solutions have flatly asserted that the problem is on our end and I can't agree with that assessment. I'm really looking to prove my case to them, more than anything else.
Anyone? :-)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks very much. You're right, graphite doesn't have the A records either. Thank you for catching that; I thought it did but I've been looking at too many DNS records recently. ;-)
Here's a quick question to do with the resolution: when the A query is done on tiger or graphite, no direct result is obtained but the A records for the global TLD servers are returned in the ADDITIONAL section of the answer. If we query one of them for mx1 or mx2, we get the parent nameservers for emailsrvr.com, and then querying one of those parents finally gives an A record for mx1 or 2.
Now, recursive queries are disabled on tin, graphite, and tiger. Judging from what is happening, it seems that our Exchange server is not making iterative queries back "up" the chain to get the A records; I can understand this, as those queries would add up to a fair bit of latency under certain circumstances. Am I correct then in guessing that Exchange's default behaviour is to not perform iterative queries and just fall back on the A record as I discussed in my original post?
Do resolvers ever go back "upstream" to parent nameservers based on the records returned in the ADDITIONAL section of a response?
Anyway, that question may be a bit too broad at the end. :-) I'm just trying to put the final shells in the proverbial arsenal. Thanks very much again for your help, Akhater, whenever I close this question you've earned your share of the points.