Keith gave the basics on MX records. The only thing I would add is mail servers talk to each other, so if you look at your mail headers you can see all of the mail servers that your email has gone to.

One problem with modern spam solutions is they themselves are a mail server appliance, as opposed to software. Allow me to elaborate with two common configurations.

Mail comes in via mail.local.domain. mail.local.domain is a spam filter pointed to the internet, which results in the MX record for local.domain being mail.local.domain. This is a less expensive solution, so it only filters one way. Behind this is a M$ Exchange server with an SMTP connector. When I write an email, the SMTP connector stamps its id on my email outbound to the Comcast servers. See where this is going? We don't want exchange.local.domain to be an MX record for my domain; it doesn't even face the internet. By this solution that Comcast is using, all email from local.domain would be bounced.

The other configuration is roughly the same, except the mail appliance filters in both directions, therefore allowing mail to pass. (Software on your mail gateway falls into this category.)

While this solution sounds great on paper, I think they are going to inadvertently drop a lot of legit email. Granted, I don't handle my employer's spam solution (although I used to at my last job) so I could just be blowing steam. Hope they iron out the kinks.

BTW, where do I get ISP people that I can talk to on the phone who know about MX records? My guys don't even know what cable modems are.

Keith Wright wrote:
From: Andy Stewart <andystewart@comcast.net>
In my town, I've noticed that other town employees with whom I send email are unable to send return email to me. This started happening about a month ago. My ISP is Comcast.
I am just going to type something crazy off the top of my head and go to sleep. Take two and call me in the morning.
This description was sent to me by a town employee:
o In an attempt to limit the amount of SPAM on the Comcast Internet system, Comcast does not allow external email servers to send mail to Comcast email accounts where the sending email server's MX records do not match.
o Because the TOWN mail server is behind our firewall our incoming mail IP address is different from our sending mail IP address. In other words our MX records do not match consequently Comcast blocks our mail from being sent to Comcast email addresses.
Your town employees are impressively well informed.
Basic questions:
- What is an MX record?
A Mail eXchange record is given by a DNS server when you ask for it. You did not say the domain you are sending to, but you can see comcast.com mx records thus:
C:> $ dig comcast.net mx
C:>
C:> <Redacted>
C:>
C:> comcast.net. 900 IN MX 5 gateway-r.comcast.net.
C:> comcast.net. 900 IN MX 5 gateway-s.comcast.net.
There you see the name of two servers that will (allegedly) accept mail for goodguy@comcast.net.
C:> <Redacted>
C:>
C:> gateway-r.comcast.net. 900 IN A 216.148.227.126
C:> gateway-r.comcast.net. 900 IN A 204.127.198.26
C:> gateway-s.comcast.net. 900 IN A 63.240.76.26
C:> gateway-s.comcast.net. 900 IN A 204.127.202.26
There you see their IP addresses. You can talk to them like this
C:> $ telnet 216.148.227.126 smtp
C:> Trying 216.148.227.126...
C:> Connected to gateway-r.comcast.net (216.148.227.126).
C:> Escape character is '^]'.
C:> 220 rwcrmxc18.comcast.net - Maillennium ESMTP/MULTIBOX rwcrmxc18 #337
C:> helo dsl.keithdiane.us
C:> 250 rwcrmxc18.comcast.net
C:> mail from: kwright@keithdiane.us
C:> 501 need MAIL FROM:<name@domain>
C:> MAIL FROM: <kwright@keithdiane.us>
C:> 250 ok
C:> RCPT TO: <andystewart@comcast.net>
C:> 250 ok
C:> DATA
C:> 354 ok
C:> This is just kwright goofing on you.
C:> Read your WLUG messages I will explain.
C:> .
C:> 250 ok . id=20060425052454r1800cg1fje [f]
C:> quit
C:> 221 rwcrmxc18.comcast.net
C:> QUIT
C:> Connection closed by foreign host.
It seemed to work, and I am typing this on a machine behind a NAT translation firewall (other kinds should be transparent). This is not my mail server, but it seemed to work. Only Andy can say whether they accepted the message and then trashed it in flagrant violation of RFC-2821, which tells how to do such things. They are more tight-assed than most about using the proper case, and I have never seen one that required the <brackets.com> around the address.
- Is it normal for the mail server to be behind the firewall? I thought perhaps it would be either exposed to the net or on the DMZ.
If you have only one IP address, it seems that either your mail server must _be_ the firewall, or be behind it. I don't think it's crazy, but the only way to find out how "normal" it is would be to break it and see if the people who complain are normal.
I am wondering if there is some misconfiguration or perhaps a different configuration that could be used to alleviate this problem.
I am not convinced the problem has been exactly described, although your town employee seems to know a lot more than I do about it. You may be standing in the middle of a pissing contest. If a customer and a local authority work together you might get comcast's leg quite wet.
I have no expertise running a mail server and thought somebody on this list might be able to help.
I hope you have learned your lesson about expecting help from people with expertise. That reminds me of a short FAQ that appeared in the Management School Student Newspaper:
Q: What are those strange creatures in the hall? At first, I took them for apes, but they all wear bluejeans.
A: Those are not apes, those are PhD candidates. The hair, grunting, and hunched gait become more pronounced just before Qualifying Exams. Rather than run from them, you will find that you can speak to them, if you ask questions about your homework. The answers can be helpful if you can keep them focused on your problem. If the answer begins "In equilibrium..." you know you have asked the wrong one.
-- Keith
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
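As an added example (not code from the thread, from Comcast, or from any of the posters), here is a small Python model of the "sending server must match its MX records" policy the town employee describes. A constructed in-memory DNS table stands in for a real resolver so it runs offline; the host names and addresses are made up. It shows why the one-way filter layout (outbound mail leaving from the Exchange connector) fails the check while the two-way appliance layout (outbound mail leaving from the MX host itself) passes it.

```python
"""Model of the 'MX must match' sender check discussed in the thread.

Constructed example: an in-memory DNS table stands in for the resolver,
so this runs offline.  Names and IPs are made up (hypothetical local.domain
and example.org), not real zone data.
"""
from ipaddress import ip_address

# Constructed zone data: MX records map to hosts, A records map hosts to IPs.
DNS = {
    ("local.domain", "MX"): [(10, "mail.local.domain")],
    ("mail.local.domain", "A"): ["198.51.100.25"],      # spam filter, the MX
    ("exchange.local.domain", "A"): ["198.51.100.26"],  # internal relay, not an MX
    ("example.org", "MX"): [(10, "mx1.example.org"), (20, "mx2.example.org")],
    ("mx1.example.org", "A"): ["203.0.113.10"],
    ("mx2.example.org", "A"): ["203.0.113.11"],
}


def lookup(name, rtype):
    """Return the records for (name, rtype) from the constructed table."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def mx_addresses(domain):
    """Every IPv4 address of every MX host for `domain`, lowest preference first."""
    addrs = set()
    for _pref, host in sorted(lookup(domain, "MX")):
        addrs.update(ip_address(a) for a in lookup(host, "A"))
    return addrs


def sender_matches_mx(domain, sending_ip):
    """Receiver-side policy as described in the thread: accept only if the
    connecting IP is one of the sender domain's MX hosts.  Returns
    (accepted, reason) so an operator can log why a message was refused."""
    addrs = mx_addresses(domain)
    if not addrs:
        return False, f"{domain} has no resolvable MX hosts"
    if ip_address(sending_ip) in addrs:
        return True, f"{sending_ip} is an MX host for {domain}"
    return False, f"{sending_ip} is not among MX hosts {sorted(map(str, addrs))}"


if __name__ == "__main__":
    # One-way filter: outbound mail leaves from the Exchange connector -> refused.
    print(sender_matches_mx("local.domain", "198.51.100.26"))
    # Two-way appliance: outbound mail leaves from the MX host itself -> accepted.
    print(sender_matches_mx("local.domain", "198.51.100.25"))
```

The refusal in the first case is exactly the false positive the poster predicts: the mail is legitimate, but the host that delivers it is not the host that receives for the domain.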