Telarin

CNAMEs, MXs and AT&T

5 posts in this topic

This is a totally non-spamcop related question, thus its posting in the Geek/Tech Things forum, however, this forum seems to have a pretty good collection of people with an understanding of mailservers and the SMTP process. I've recently run into some issues with my personal mailserver at home, and wanted to get a second opinion on it.

The setup for said mailserver is pretty convoluted (due to it being on a dynamic IP address and me being cheap).

The primary domain chimera-tech.com uses the tzo server to provide dynamic name resolution.

I host a secondary domain (intuitmassage.com) for a friend of mine who is a massage therapist. She has an email address at that domain. She only receives email through my server, her outgoing mail goes through her ISP so there are no problems with the lack of PTR record. The domain intuitmassage.com has a CNAME record that points it back to chimera-tech.com (because it is much cheaper than hosting a second domain on tzo). Because it is a CNAME, it has no MX, as a mailserver SHOULD pull the CNAME for intuitmassage.com, which returns chimera-tech.com, and then pull the MX for that.

In most cases, this works just fine, mail flows in just as it should.

However, I recently ran into a problem with someone sending her (my friend with the intuitmassage.com email address) an email from SBC. Instead of going through, she got the following bounce from SBC's mailserver (note: the left-hand side of the addresses has been munged to protect the guilty... err, I mean innocent):

------ Forwarded Message

From: Mail Delivery Subsystem <MAILER-DAEMON[at]ylpvm12.prodigy.net>
Date: Wed, 30 Aug 2006 12:15:22 -0400
To: <xxxx[at]worrellcreative.com>
Subject: Returned mail: see transcript for details

The original message was received at Wed, 30 Aug 2006 12:15:20 -0400
from ppp-70-255-182-127.dsl.hstntx.swbell.net [70.255.182.127]

   ----- The following addresses had permanent fatal errors -----
<xxxx[at]intuitmassage.com>
    (reason: 550 5.7.1 Unable to relay for xxxx[at]www.chimera-tech.com)

   ----- Transcript of session follows -----
... while talking to mail.chimera-tech.com.:
>> DATA
<<< 550 5.7.1 Unable to relay for xxxx[at]www.chimera-tech.com
550 5.1.1 <xxxx[at]intuitmassage.com>... User unknown
<<< 554 5.5.2 No valid recipients

Reporting-MTA: dns; ylpvm12.prodigy.net
Received-From-MTA: DNS; ppp-70-255-182-127.dsl.hstntx.swbell.net
Arrival-Date: Wed, 30 Aug 2006 12:15:20 -0400

Final-Recipient: RFC822; xxxx[at]www.chimera-tech.com
Action: failed
Status: 5.7.1
Remote-MTA: DNS; mail.chimera-tech.com
Diagnostic-Code: SMTP; 550 5.7.1 Unable to relay for xxxx[at]www.chimera-tech.com
Last-Attempt-Date: Wed, 30 Aug 2006 12:15:22 -0400

------ End of Forwarded Message

Now, from looking at this, it looks to me as if the SBC mail server is rewriting the recipient using the cname record, so instead of sending to xxxx[at]intuitmassage.com, SBC pulls the CNAME for intuitmassage.com which is www.chimera-tech.com and rewrites the Recipient as xxxx[at]www.chimera-tech.com, which doesn't exist.

So first, am I reading that correct, or is there something else going on here that I am missing?

Second, if that is what is happening, is this RFC compliant? I can't find anywhere in the RFCs for SMTP that I have looked for that indicate recipient addresses should ever be rewritten with the CNAME values.

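An added worked example (not the original poster's code or configuration) of the two lookups that matter in the post above: the sending MTA's MX/CNAME resolution, and the receiving MTA's RCPT TO relay check. RFC 2821 section 5 does say that when the MX lookup hits a CNAME, the target name is processed as if it were the initial name, so the resolution the poster describes is what the RFC prescribes. What the bounce shows is an MTA that also rewrote the envelope recipient to the canonical name before RCPT TO; the simulation below runs both variants against a constructed zone table modelled on the records quoted in the thread (the MX target follows the bounce transcript, and the 192.0.2.25 address is an RFC 5737 test value). No network I/O is performed; the zone dictionary, LOCAL_DOMAINS set and function names are assumptions for the example.

```python
"""Added example: walk the MX/CNAME lookup an MTA performs for a recipient
domain, then show how an MTA that canonicalises the envelope recipient
hands mail.chimera-tech.com a domain it does not consider local.
ZONE is a constructed stand-in for DNS; nothing here talks to the network."""

from typing import Dict, List, Tuple

# Constructed zone data: owner -> [(rtype, rdata)].  MX rdata is (pref, host).
ZONE: Dict[str, List[Tuple[str, object]]] = {
    "intuitmassage.com.": [("CNAME", "www.chimera-tech.com.")],
    "www.chimera-tech.com.": [("A", "204.251.15.175"),
                              ("MX", (0, "mail.chimera-tech.com."))],
    "chimera-tech.com.": [("MX", (0, "mail.chimera-tech.com."))],
    "mail.chimera-tech.com.": [("A", "192.0.2.25")],   # RFC 5737 test address
}


def fqdn(domain: str) -> str:
    """Normalise a domain to lower case with a trailing dot."""
    return domain.rstrip(".").lower() + "."


def lookup(name: str, rtype: str) -> list:
    return [rd for rt, rd in ZONE.get(name, []) if rt == rtype]


def canonical_name(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs as RFC 2821 s.5 prescribes: the target is processed as
    if it were the initial name.  Hop-bounded so a CNAME loop cannot hang."""
    for _ in range(max_hops):
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        name = targets[0]
    raise RuntimeError("CNAME chain too long at " + name)


def mail_hosts(domain: str) -> Tuple[str, List[str]]:
    """Return (canonical domain, hosts to try in preference order).
    With no MX, an A record acts as an implicit MX (RFC 2821 s.5)."""
    canon = canonical_name(domain)
    mx = sorted(lookup(canon, "MX"))
    if mx:
        return canon, [host for _, host in mx]
    if lookup(canon, "A"):
        return canon, [canon]
    return canon, []


# Receiving side: the domains mail.chimera-tech.com treats as local (assumed).
LOCAL_DOMAINS = {"chimera-tech.com.", "intuitmassage.com."}


def rcpt_to(address: str) -> str:
    """Minimal RCPT TO policy: accept local domains only, never relay."""
    _, _, domain = address.rpartition("@")
    if fqdn(domain) in LOCAL_DOMAINS:
        return "250 2.1.5 Recipient ok"
    return "550 5.7.1 Unable to relay for " + address


def deliver(address: str, canonicalise_envelope: bool) -> Tuple[str, str]:
    """Simulate the sending MTA's choice of host and the receiver's RCPT reply.
    canonicalise_envelope=True mimics an MTA that rewrites the recipient domain
    to the CNAME target; False uses the CNAME only to locate the MX."""
    local, _, domain = address.rpartition("@")
    canon, hosts = mail_hosts(fqdn(domain))
    if not hosts:
        return "", "550 5.1.2 no MX or A record for " + domain
    envelope = (local + "@" + canon.rstrip(".")) if canonicalise_envelope else address
    return hosts[0], rcpt_to(envelope)


if __name__ == "__main__":
    for canon in (False, True):
        print("canonicalise_envelope=%s:" % canon,
              deliver("alice@intuitmassage.com", canon))
```

Both variants pick the same host, mail.chimera-tech.com; only the canonicalising one gets the 550, because the receiver has never heard of www.chimera-tech.com as a local domain. The two ways to close that gap are to add the canonical name to the receiver's local domains, or to give intuitmassage.com its own MX record, which also removes the apex CNAME (RFC 1034 section 3.6.2 allows no other data at a CNAME owner name, and the apex must hold SOA and NS).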

You don't have any NS records for intuitmassage.com, is the problem.

break# dig +short @a.gtld-servers.net NS intuitmassage.com
ns0.directnic.com.
ns1.directnic.com.

The root servers list ns0 and ns1.directnic.com as the glue servers for intuitmassage.com, but when you query them...

break# dig @ns0.directnic.com ANY intuitmassage.com

; <<>> DiG 9.3.2 <<>> @ns0.directnic.com ANY intuitmassage.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6532
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;intuitmassage.com.             IN      ANY

;; ANSWER SECTION:
intuitmassage.com.      86400   IN      SOA     ns0.directnic.com. hostmaster.ns0.directnic.com. 1144250083 28800 14400 604800 86400
intuitmassage.com.      86400   IN      CNAME   www.chimera-tech.com.
www.chimera-tech.com.   86400   IN      A       204.251.15.175
www.chimera-tech.com.   86400   IN      MX      0 iris1.directnic.com.
www.chimera-tech.com.   86400   IN      MX      10 iris2.directnic.com.

;; Query time: 66 msec
;; SERVER: 204.251.10.100#53(204.251.10.100)
;; WHEN: Sat Nov 11 06:33:02 2006
;; MSG SIZE  rcvd: 281

... you get absolutely no NS records for that domain at all. This is very, very broken - you should never have a domain without NS records. It's fine to CNAME the A record for the domain as you have above, but there should be NS records, and they should match the glue at the root servers.

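An added example (not the replier's code) that turns the two dig checks above into one delegation-consistency test: the NS set the parent (gTLD) servers hand out must be served as an NS RRset by every listed nameserver, the sets must agree, and the apex name must not be a CNAME, since RFC 1034 section 3.6.2 allows no other records alongside a CNAME and the apex has to carry SOA and NS. The answer tables are constructed stand-ins modelled on the dig output quoted above (the SOA rdata is abbreviated, and the "good" table is an invented correctly delegated zone for contrast); to run it for real, replace them with the output of `dig +short @a.gtld-servers.net NS <domain>` and `dig @<nameserver> NS <domain>` as the reply does.

```python
"""Added example: check that a domain's delegation is consistent between the
parent zone and the nameservers it delegates to.  All response data below is
constructed for the example; nothing here queries DNS."""

from typing import Dict, List, Set, Tuple

RRSet = List[Tuple[str, str]]          # [(rtype, rdata)]

# Constructed: what the parent (a.gtld-servers.net) returned for NS <domain>.
PARENT_NS: Dict[str, List[str]] = {
    "intuitmassage.com.": ["ns0.directnic.com.", "ns1.directnic.com."],
}

# Constructed: each listed server's answer for the apex name, as in the thread:
# an SOA and a CNAME, but no NS RRset.
BROKEN_CHILD: Dict[str, Dict[str, RRSet]] = {
    "ns0.directnic.com.": {"intuitmassage.com.": [
        ("SOA", "ns0.directnic.com. hostmaster.ns0.directnic.com. 1144250083"),
        ("CNAME", "www.chimera-tech.com.")]},
    "ns1.directnic.com.": {"intuitmassage.com.": [
        ("SOA", "ns0.directnic.com. hostmaster.ns0.directnic.com. 1144250083"),
        ("CNAME", "www.chimera-tech.com.")]},
}

# Constructed: how a correctly delegated zone for the same domain would answer,
# with its own MX instead of an apex CNAME.
GOOD_CHILD: Dict[str, Dict[str, RRSet]] = {
    srv: {"intuitmassage.com.": [
        ("SOA", "ns0.directnic.com. hostmaster.ns0.directnic.com. 1144250084"),
        ("NS", "ns0.directnic.com."),
        ("NS", "ns1.directnic.com."),
        ("MX", "10 mail.chimera-tech.com.")]}
    for srv in PARENT_NS["intuitmassage.com."]
}


def check_delegation(domain: str, parent_ns: Dict[str, List[str]],
                     child: Dict[str, Dict[str, RRSet]]) -> List[str]:
    """Return a list of problems; an empty list means the delegation is sane."""
    problems: List[str] = []
    delegated: Set[str] = set(parent_ns.get(domain, []))
    if not delegated:
        return [f"{domain}: parent has no NS delegation"]
    for server in sorted(delegated):
        rrs = child.get(server, {}).get(domain, [])
        types = {rt for rt, _ in rrs}
        if "SOA" not in types:
            problems.append(f"{server}: no SOA for {domain} (not authoritative?)")
        ns_set = {rd for rt, rd in rrs if rt == "NS"}
        if not ns_set:
            problems.append(f"{server}: no NS RRset at {domain}")
        elif ns_set != delegated:
            problems.append(f"{server}: NS set {sorted(ns_set)} differs from "
                            f"parent delegation {sorted(delegated)}")
        if "CNAME" in types and types != {"CNAME"}:
            problems.append(f"{server}: CNAME at {domain} coexists with "
                            f"{sorted(types - {'CNAME'})} (RFC 1034 s.3.6.2)")
    return problems


if __name__ == "__main__":
    for label, child in (("broken", BROKEN_CHILD), ("good", GOOD_CHILD)):
        print(label, check_delegation("intuitmassage.com.", PARENT_NS, child) or ["ok"])
```

Against the constructed "broken" answers the check reports, for each of the two servers, a missing NS RRset and a CNAME sharing the apex with the SOA; against the "good" answers it reports nothing. A mismatch between the child's NS set and the parent's delegation is reported separately, since lame or stale delegations are the usual reason a domain resolves from some resolvers and not others.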

Hmm, not sure why you're getting no NS records, they should be set up with directnic. I'll fire them an email to find out why no NS records are being returned.


Hmm, not sure why you're getting no NS records, they should be set up with directnic. I'll fire them an email to find out why no NS records are being returned.

Lemme know if you need any more help figuring it out. Might want to email me at jim[AT]youcanprobablyfigurethedomainoutifyoutryreallyhard if you do, I don't monitor forums here so much and may forget they exist entirely if not reminded. =)

I don't monitor forums here so much and may forget they exist entirely if not reminded. =)

Your posts thus far have been appreciated. Thanks for the time spent thus far ...
