SMTP Bug? MX records pointing to A records in other domains

Giganews Newsgroups
Subject: SMTP Bug? MX records pointing to A records in other domains
Posted by:  Sean-usenet (sean-usen…@mchsi.com)
Date: 11 Nov 2006

I've run across a reproducible problem while using Microsoft's IIS
6.0 SMTP server.  If I try to send email to a domain whose 'MX'
record points to an 'A' record in another domain, it ignores the MX
records and sends to the 'A' record of the domain (not the A record
listed in the MX response).

For example, I set up the following on our DNS server (notice how
FirstDomain.com's MX record points to mail.SecondDomain.com):

FirstDomain.com
(root)    A        10.0.0.99
(root)    MX    10    mail.SecondDomain.com.

SecondDomain.com
(root)    MX    10    mail.SecondDomain.com.
mail    A        192.168.0.10

I set up a sniffer and, using the IIS 6.0 SMTP server, I sent an email to
se…@FirstDomain.com.  I saw the server send a DNS MX record request
for FirstDomain.com.  The DNS server replied with mail.SecondDomain.com
(priority 10) and included an additional record stating that
mail.SecondDomain.com resolves to 192.168.0.10.  All of that is exactly
what I expected and how it should work. The DNS response is perfect, no
errors.

However, the SMTP server then sends a DNS A record request for
FirstDomain.com.  The DNS server replies with 10.0.0.99, as it would.
Then the SMTP server attempts to establish a connection to 10.0.0.99 on
port 25 to send the email.  It fails, as there isn't an SMTP server
running on that IP address, and the email bounces after all of the
retries are finished.  I can send email after email with the exact same
result.

Why is it connecting to 10.0.0.99 instead of 192.168.0.10 like the MX
record says?  By the way, if I send an email to
se…@SecondDomain.com it sends just fine, even though the same IP
address handles mail for both FirstDomain.com and SecondDomain.com.  I
can even send an email to se…@FirstDomain.com using the From Address
of se…@SecondDomain.com and the bounce message (saying unable to
deliver to se…@FirstDomain.com) is successfully delivered to
se…@SecondDomain.com.

If I change the DNS to the following (notice the MX change for
FirstDomain.com):

FirstDomain.com
(root)    A        10.0.0.99
(root)    MX    10    mail.FirstDomain.com.
mail    A        192.168.0.10

SecondDomain.com
(root)    MX    10    mail.SecondDomain.com.
mail    A        192.168.0.10

Then I clear the DNS cache (ipconfig /flushdns) and send an email again
to se…@FirstDomain.com.  With my sniffer running I see the SMTP server
send a DNS MX record request for FirstDomain.com.  The DNS server
replies with mail.FirstDomain.com (priority 10) and includes an
additional record stating that mail.FirstDomain.com resolves to
192.168.0.10.  The server then connects to 192.168.0.10 on port 25 and
sends the email just fine.  I can send email after email and it works
perfectly.

I've been able to reproduce the problem with 100% accuracy each time.
We are running Windows 2003 Server Enterprise server on both the
IIS/SMTP server and the DNS server (running Microsoft DNS Server).
Both servers are up to date with every patch as of November 9th, 2006.

Anyone have any ideas on why the SMTP server is ignoring the MX record
response if the response includes an 'A' record of a host in
another domain?  That is perfectly legal and somewhat common; I checked
the RFCs, and CNN.com does it also (nslookup details):

Default Server:  ns1.earthlink.net
Address:  207.217.126.41

> set type=mx
> cnn.com.
Server:  ns1.earthlink.net
Address:  207.217.126.41

Non-authoritative answer:
cnn.com MX preference = 10, mail exchanger = atlmail3.turner.com
cnn.com MX preference = 10, mail exchanger = atlmail5.turner.com
cnn.com MX preference = 20, mail exchanger = nycmail2.turner.com
cnn.com MX preference = 30, mail exchanger = nycmail1.turner.com

cnn.com nameserver = twdns-03.ns.aol.com
cnn.com nameserver = twdns-04.ns.aol.com
cnn.com nameserver = twdns-01.ns.aol.com
cnn.com nameserver = twdns-02.ns.aol.com
atlmail3.turner.com    internet address = 64.236.240.169
atlmail5.turner.com    internet address = 64.236.221.40
nycmail2.turner.com    internet address = 64.236.170.102
nycmail1.turner.com    internet address = 64.236.170.101

I've never noticed this issue before, so it may be related to a
recent Microsoft patch, but I haven't gone through the trouble of
uninstalling patches to see if SMTP starts working correctly again.

Does anyone have any ideas?  Is it a bug that cropped up with a recent
patch?  I've been able to reproduce this on multiple servers.

Thanks
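The behaviour the post expects from the MTA, as an added example that is not part of the original post or any IIS code: an RFC 5321 section 5.1 next-hop selection over the two zone layouts Sean describes (constructed zone data, lower-cased), plus a small audit helper that lists MX exchangers living outside the recipient domain, the layout the post reports as failing.

```python
from typing import Dict, List, Tuple

# Constructed zone data mirroring the two layouts in the post:
# (owner, rrtype) -> rdata list; MX rdata is (preference, exchanger).
ZONE_BROKEN = {
    ("firstdomain.com", "A"): ["10.0.0.99"],
    ("firstdomain.com", "MX"): [(10, "mail.seconddomain.com")],
    ("seconddomain.com", "MX"): [(10, "mail.seconddomain.com")],
    ("mail.seconddomain.com", "A"): ["192.168.0.10"],
}
ZONE_WORKING = {
    ("firstdomain.com", "A"): ["10.0.0.99"],
    ("firstdomain.com", "MX"): [(10, "mail.firstdomain.com")],
    ("mail.firstdomain.com", "A"): ["192.168.0.10"],
    ("seconddomain.com", "MX"): [(10, "mail.seconddomain.com")],
    ("mail.seconddomain.com", "A"): ["192.168.0.10"],
}

Zone = Dict[Tuple[str, str], list]

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def lookup(zone: Zone, name: str, rrtype: str) -> list:
    return zone.get((_norm(name), rrtype), [])

def smtp_next_hops(zone: Zone, domain: str) -> List[Tuple[int, str, str]]:
    """Candidates (preference, exchanger, address) in the order an
    RFC 5321 section 5.1 client tries them."""
    domain = _norm(domain)
    mx = lookup(zone, domain, "MX")
    if not mx:
        # No MX RRset at all: implicit MX, preference 0, the domain's own A.
        return [(0, domain, a) for a in lookup(zone, domain, "A")]
    hops = []
    for pref, exchanger in sorted(mx):
        # The exchanger may live in any zone; resolve *its* A record.
        # The recipient domain's own A record plays no part once MX exists.
        for addr in lookup(zone, exchanger, "A"):
            hops.append((pref, _norm(exchanger), addr))
    return hops

def off_domain_exchangers(zone: Zone, domain: str) -> List[str]:
    """Exchangers not under the recipient domain: the layout the post
    reports as failing, worth auditing before blaming the MTA."""
    domain = _norm(domain)
    out = []
    for _pref, exchanger in sorted(lookup(zone, domain, "MX")):
        ex = _norm(exchanger)
        if ex != domain and not ex.endswith("." + domain):
            out.append(ex)
    return out
```

Both layouts must yield 192.168.0.10 for FirstDomain.com; 10.0.0.99 is only a valid target when the domain has no MX RRset at all.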