A while ago I added a new anti-spam technique to my mail server setup called “No Listing”.
No listing basically means putting a high priority MX record in the DNS that always rejects mail server connections.
It seems, however, that the qmail mail server can’t cope with that. It’s not RFC compliant.
My mail server configuration goes something like this…
| MX record | Host |
|---|---|
| Highest priority MX record (lowest number) | Dummy IP address that always rejects mail. |
| Medium priority MX record (higher number) | Real mail server that accepts and processes mail (also uses grey-listing). |
| Lowest priority MX record (highest number) | Dummy mail server that accepts connections, but always rejects mail with a soft failure. |
I call this technique “Monkey in the Middle”.
Real mail servers don’t have a problem with this … when they try the IP address on the first MX record (which they should), they will get a connection error and try the next one. That connection will work normally.
If the real mail server happens to try connecting to the 2nd IP on the second MX record, and gets an error, they will try the 3rd MX. This MX will tell them to try again later (soft failure).
At this point a real mail server will just put the message back into its queue and try again later.
Spammers, however, aren’t big on retrying. They operate on a more “Fire and forget” methodology.
Spammers also have a tendency to try to send spam to the servers that have the lowest priority MX … on the theory that they have less protection against spam (which is often true).
So, in the case of a spammer, if they try to deliver to the IP on the highest priority MX, they will get an error and (hopefully) not retry.
If they try the IP on the lowest priority MX, they will be told to try again (and not try again).
OK, so that’s all background on my mail server configuration … here’s the meat of the problem I encountered.
Someone was trying to send mail to my server but it wasn’t getting sent. The reason was, the first IP on the highest priority MX was rejecting connections. The mail server, qmail, did not try to deliver to any other MXs … it just gave up.
This behavior of not trying subsequent MX records is not compliant with the RFCs.
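The MX walk described above, as an added simulation that is not part of the original post: it orders the three-tier record set by preference, moves on to the next MX when a connection is refused, and defers (requeues) on a soft failure. The `try_next_on_refusal=False` path models the give-up-on-first-refusal behaviour attributed to qmail. Hostnames, addresses and the session outcomes are constructed placeholders, not the author’s real records.

```python
from dataclasses import dataclass

# Constructed MX set mirroring the three-tier layout in the post
# (hostnames are placeholders, not the author's real DNS records).
MX_RECORDS = [
    (10, "nolist.example.org"),    # highest priority: dummy, refuses connections
    (20, "mail.example.org"),      # real server, grey-lists first attempt
    (30, "fallback.example.org"),  # lowest priority: dummy, always soft-fails
]


@dataclass
class Result:
    status: str   # "delivered", "deferred" (requeued) or "failed" (gave up)
    tried: list   # (host, outcome) pairs in the order attempted


def make_session(down=frozenset(), greylist=True):
    """Build a stand-in for an SMTP session (no network; outcomes are constructed).
    Returns 'refused' (no TCP connection), '4xx' (temporary reject) or '2xx'."""
    def session(host, attempt):
        if host == "nolist.example.org" or host in down:
            return "refused"
        if host == "fallback.example.org":
            return "4xx"
        # the real server grey-lists the first attempt and accepts the retry
        return "4xx" if greylist and attempt == 0 else "2xx"
    return session


def deliver(mx_records, session, attempt=0, try_next_on_refusal=True):
    """Walk MX records in preference order (lowest number first, RFC 5321 §5.1).
    A refused connection moves on to the next MX; a 4xx defers the message so
    the queue retries later. With try_next_on_refusal=False the sender stops at
    the first refused connection, the behaviour the post attributes to qmail."""
    tried = []
    for _, host in sorted(mx_records):
        outcome = session(host, attempt)
        tried.append((host, outcome))
        if outcome == "2xx":
            return Result("delivered", tried)
        if outcome == "4xx":
            return Result("deferred", tried)   # requeue and retry later
        if not try_next_on_refusal:
            return Result("failed", tried)     # gave up on a connect error
    return Result("deferred", tried)            # every MX unreachable: requeue
```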
So if you want your mail to be delivered properly … don’t use a provider that implements qmail.
Of course, qmail has been around for a long time, and a lot of people use it. Makes me wonder why though. Since it’s not RFC compliant, people must not care if their mail is delivered or aren’t aware when it happens.