DNS – Fixing SMTP Banner Mismatch with Multiple MX Records

domain-name-systememailmx-record

My gut feeling says "this isn't a problem and logically cannot really be fixed". I am configuring a backup ISP connection for use with our onsite exchange mail server.

This is what I have set up:

198.51.100.30 -> primary ISP
203.0.113.40 -> backup ISP

The following added to our example.com domain DNS:

mail.example.com. A 198.51.100.30
mail2.example.com. A 203.0.113.40
example.com. MX 10 mail.example.com.
example.com. MX 20 mail2.example.com.

PTR added by relevent ISPs:

198.51.100.30 mail.example.com
203.0.113.40 mail2.example.com

Now, our mail server always worked with just mail.example.com as the banner, all is well, MXToolBox is happy. However, what do I do with the banner regarding our failover MX? Obviously the failover PTR is mail2.example.com and will produce a "Reverse DNS does not match SMTP Banner" in MXToolBox.

Do I just not worry about this or have I not set something correctly?

EDIT: SSL SAN cert installed on mail server has both mail.example.com and mail2.example.com.

Best Answer

On best practices: have two MX servers

The best option is to have two servers i.e. configure another Exchange (or alternatively an opensource based SMTP server, e.g. Postfix) as a backup/secondary MX server. In most cases the server itself may cause more downtime than the Internet connectivity. As the banner mismatch is only an issue on outbound mail, this server could perfectly fine be the mail2.example.com in your current configuration.

A single server with two Internet connections

Configuration for outbound mail

Second approach would be to have both connections configured with the same hostname, as it in fact is the same host with to different IP addresses and routes. That could be achieved with a round-robin DNS configuration + matching PTR records & SMTP banner e.g.

mail.example.com. A 198.51.100.30
mail.example.com. A 203.0.113.40
40.113.0.203.in-addr.arpa. PTR mail.example.com.
30.100.51.198.in-addr.arpa. PTR mail.example.com.

Do not forget to add an SPF record allowing both IP address to send mail, e.g.

example.com. IN TXT "v=spf1 +ip4:198.51.100.30/32 +ip4:203.0.113.40/32 -all"

Configuration for inbound mail

If you want to prefer the first ISP over the secondary on inbound mail (for example if it has better bandwidth), you could separate your MX configuration from this e.g. by adding

mx1.example.com. A 198.51.100.30
mx2.example.com. A 203.0.113.40
example.com. MX 10 mx1.example.com.
example.com. MX 20 mx2.example.com.

The banner mismatch is not a problem for inbound mail, so this would be perfectly fine.

Certificate

To keep the certificate valid for both configurations it should now have SANs for all mail.example.com, mx1.example.com and mx2.example.com. Generally this doesn't matter so much, as mail server certificates are only seldom actually valitated, and most mail systems would still allow falling back to unencrypted connections.

Instead of CA based certificate validation, DNS-based Authentication of Named Entities (DANE, RFC 6698) is a proposed alternative, allowing verification of self-signed certificates, too. For backwards compatibility it's not possible to configure an SMTP server to only allow encrypted connections, which leaves a hole for MitM attacks for connections that could be established over TLS. With DANE it's possible to declare that TLS should be used for the connection and only certificates published in the DNS zone should be allowed.

Related Solutions

How to setup reverse DNS for 2 email servers

Set up the pointer for each server to indicate the name of the server on that address. This should be the same as your mail server is using in its banner messages and when issuing HELO commands. PTR records are not significant for incoming messages as the remote server will trust your DNS MX records.

You will want to configure two MX records one for each server with different priorities. The MX records must point to A records. If your SPF records specify MX in the list of permitted senders, you should have no problems with your server addresses.

The PTR records you need are:

98.103.91.146     mail.campbellsurvey.com 
70.XXX.190.XXX    mail2.campbellsurvey.com

Get the appropriate ISP to setup the PTR record for the address they host. You appear to be missing an A record for your mail2 server. There may also some issues with verifying addresses on the second server.

EDIT: So if I was mailing from example.com but my sender's PTR resolved to mta532.mail.google.com or some.other.thing12.smtp.rackspace.com or canner46.blah.brightmail.com, you wouldn't trust my message?

rDSN does not apply to the domain on the senders address. If your envelope address is someone@example.com, I would check the SPF record for example.com. If example.com had an SPF record with a -all policy, I would refuse your email. Otherwise, it would be accepted unless it was otherwise flagged as Spam.

If your server claimed to be mail.example.com, that would trigger some actions on my side designed to determine if your server is a Spambot which it most likely would be. The lack of a valid rDNS setup would also increase your Spam spore. I have separate limits for HAM (unlikely to be not Spam), and SPAM. The messages which fall between these limits is almost entirely email from automated systems, and Spam. The person to person emails I receive almost always have correct rDNS for either or both of the IP address and name used in the HELO command.

If the DNS servers do not respond for any of the DNS lookups required to check the rDNS status of your IP address, I give a softfail. Recently, I have found this is successfully blocking a fair number of spambots. Until a few months ago this rule was rarely triggered. I believe a number of ISPs have configured there rDNS to fail for dynamic addresses ranges. If you, I appreciate their effort in reducing Spam.

How to correctly manage multiple virtual hosts with postfix

The problem is that postfix is using 10.0.0.1 for all your mail. This itself isn't a problem, as you can easily add multiple virtual domains pointing to the same IP.

Basically I would change the records for example.org, etc in this manner.

example.org A 10.0.0.3
example.org MX 10 mail.example.org
mail.example.org CNAME mail.example.com

That way your SPF record will be valid, and the MX record, A record for the mail server, etc will correspond to the correct IP.

That is, unless you have some other reason to make use of multiple IPs.