MTA Routing

I would like an email to go through the following route to get to remote mail server. I am running comms suite 5.

1. Outlook Express -> internal MTA -> either one of the mail relay (ext-MTA1 and ext-MTA2)

2. Webmail -> LMTP -> mail store -> either one of the mail relay (ext-MTA1 and ext-MTA2)

I have set up the MX records in my local DNS server to load balance between ext-MTA1 and ext-MTA2. However, in both cases the email is rejected on the first MTA it goes through. The email never reaches the mail relays.

Errors

1. 03-Jul-2007 14:59:04.75 tcp_local J 0 xxx@domain rfc822; yyy@internet-domain 550 5.7.1 Relaying not allowed: yyy@internet-domain

To which MTA does it attempt to relay the message? Nothing is written in the log.

2. The mail store is the first MTA in this case. A "Delivery Notification: Delivery has failed" is sent shortly after the mail is sent with the reason "Illegal host/domain name found".

I am in a simulated environment using a switch with VLANs. There is no link to the Internet yet. I plan to get the mail routing correct before attempting to connect to the Internet. The correct behaviour in both cases should be either ext-MTA1 or ext-MTA2 bounces back the message and NOT the first MTA.

Please correct me if I am wrong.


[1337 byte] By [JoeChris@Suna] at [2007-11-27 9:29:42]
# 1

Hi,

> I would like an email to go through the following route to get to remote mail server. I am running comms suite 5.
>
> 1. Outlook Express -> internal MTA -> either one of the mail relay (ext-MTA1 and ext-MTA2)
> 2. Webmail -> LMTP -> mail store -> either one of the mail relay (ext-MTA1 and ext-MTA2)

Webmail talks SMTP, not LMTP. It is better to just consider webmail to be 'just another email client' and thus use the same delivery path as (1) - there are configutil options to specify the outgoing smtp host (and port) for webmail. Ideally the stores shouldn't even have SMTP enabled, send all the emails via the internal MTA servers, which then send them onto the stores.

This way you reduce your troubleshooting paths -- none of this 'oh email is kinda broken' stuff (because outlook can send but webmail can't or vice versa). Also you get to expand all lists in the internal MTA and reduce the number of systems to check for delivered email etc. Plus you only use LMTP delivery thus reducing load on the back-end servers.

> I have set up the MX records in my local DNS server to load balance between ext-MTA1 and ext-MTA2. However, in both cases the email is rejected on the first MTA it goes through. The email never reaches the mail relays.
>
> Errors
>
> 1. 03-Jul-2007 14:59:04.75 tcp_local J 0 xxx@domain rfc822; yyy@internet-domain 550 5.7.1 Relaying not allowed: yyy@internet-domain
>
> To which MTA does it attempt to relay the message? Nothing is written in the log.

I'm not quite sure which system this log message came from. If this was an error on the internal MTA attempting to send to one of the external MTA servers, then this error indicates that you haven't added the internal MTA's IP address to the INTERNAL_IP mapping table entry of the ext-MTA? systems. That means you are tripping over the tcp_local -> tcp_local mapping rule check. By defining the IP addresses in the INTERNAL_IP mapping table, the emails will now come in on the tcp_intranet channel so the tcp_local -> tcp_local rule doesn't match.

> 2. The mail store is the first MTA in this case. A "Delivery Notification: Delivery has failed" is sent shortly after the mail is sent with the reason "Illegal host/domain name found".

As I said earlier, set webmail to send emails via the internal MTA system and not the mail-store itself. This reduces your troubleshooting paths.

Regards,

Shane.

shane_hjortha at 2007-7-12 22:38:56 > top of Java-index,E-Mail, Calendar, & Collaboration,Sun Java System Messaging Server...
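A small model of the relay check Shane describes (INTERNAL_IP switching a source to tcp_intranet, and the tcp_local -> tcp_local rule producing the 550 5.7.1 reply in the log). This is an added illustration, not Messaging Server code; the INTERNAL_IP networks, the local domain set and the function names are assumptions chosen for the example.

```python
import ipaddress

# Constructed INTERNAL_IP entries for the ext-MTA. The internal MTA's
# address must be listed here; otherwise its submissions arrive on
# tcp_local and look like outside mail asking to be relayed.
INTERNAL_IP = ["127.0.0.1/32", "172.16.2.0/24"]

# Constructed set of domains this MTA delivers locally; anything else
# would leave on the tcp_local channel.
LOCAL_DOMAINS = {"mydomain.com"}


def source_channel(client_ip, internal_ip=INTERNAL_IP):
    """Channel a connection is switched to, based on its source address."""
    addr = ipaddress.ip_address(client_ip)
    for net in internal_ip:
        if addr in ipaddress.ip_network(net, strict=False):
            return "tcp_intranet"
    return "tcp_local"


def destination_channel(recipient, local_domains=LOCAL_DOMAINS):
    """Channel the message would be queued to for this recipient."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    # ims-ms is the local store delivery channel named in the thread.
    return "ims-ms" if domain in local_domains else "tcp_local"


def relay_decision(client_ip, recipient):
    """Apply the tcp_local -> tcp_local rule; returns (accepted, reply)."""
    src = source_channel(client_ip)
    dst = destination_channel(recipient)
    if src == "tcp_local" and dst == "tcp_local":
        # An unlisted host asking us to relay to another outside host.
        return False, "550 5.7.1 Relaying not allowed: " + recipient
    return True, "250 2.1.5 OK (%s -> %s)" % (src, dst)
```

Adding the internal MTA's address to INTERNAL_IP is what moves it from the first branch to the second; the recipient domain alone does not change the outcome.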
# 2

>Webmail talks SMTP, not LMTP. It is better to just consider webmail to be 'just another email client' and thus use the same delivery path as (1) - there are configutil options to specify the outgoing smtp host (and port) for webmail. Ideally the stores shouldn't even have SMTP enabled, send all the emails via the internal MTA servers, which then send them onto the stores.

Can you provide me the configutil options to specify the outgoing smtp host for the webmail? Is the local SMTP the default as it seems to do exactly what you have described?

>This way you reduce your troubleshooting paths -- none of this 'oh email is kinda broken' stuff (because outlook can send but webmail can't or vice versa). Also you get to expand all lists in the internal MTA and reduce the number of systems to check for delivered email etc. Plus you only use LMTP delivery thus reducing load on the back-end servers.

Do you mean I do not need to configure the MTA, just the message store, during initial runtime configuration? How does the internal MTA deliver email to the message store? Are you saying that LMTP works without configuring the MTA?

Here is a summary of the current observation. As you may have noticed, the recipient is addressed outside the local network. I created a zone in the local DNS so that it won't give me the invalid host/domain error.

All mails (webmail + outlook express) with invalid host/domain seem to be going through the internal MTA which then talks LMTP with the message store. The MTA for the message store is active. However I do not know if it is used at all. After switching to LMTP, the system seems to be smart enough to favor LMTP. After the mail reaches the message store, it simply bounces back stating delivery failure. Is it normal?

Mails with a valid host/domain configured in the local DNS are queued on the tcp_local channel of the internal MTA.

Here are my questions:

1. I am very new to DNS. How do I configure the internal MTA to relay the mail to external MTAs using DNS MX records? The message store MTA seems to deliver the email directly to the Internet. I do not want this behavior.

2. For external mail access, do you recommend installing an external MTA local to webmail or just use an external MTA on another host?

Thank you.

Message was edited by: JoeChris@Sun

JoeChris@Suna at 2007-7-12 22:38:56
# 3

Hi,

> > Webmail talks SMTP, not LMTP. It is better to just consider webmail to be 'just another email client' and thus use the same delivery path as (1) - there are configutil options to specify the outgoing smtp host (and port) for webmail. Ideally the stores shouldn't even have SMTP enabled, send all the emails via the internal MTA servers, which then send them onto the stores.
>
> Can you provide me the configutil options to specify the outgoing smtp host for the webmail? Is the local SMTP the default as it seems to do exactly what you have described?

service.http.smtphost & service.http.smtpport

> > This way you reduce your troubleshooting paths -- none of this 'oh email is kinda broken' stuff (because outlook can send but webmail can't or vice versa). Also you get to expand all lists in the internal MTA and reduce the number of systems to check for delivered email etc. Plus you only use LMTP delivery thus reducing load on the back-end servers.
>
> Do you mean I do not need to configure the MTA, just the message store, during initial runtime configuration? How does the internal MTA deliver email to the message store? Are you saying that LMTP works without configuring the MTA?

No, that's not what I mean. The message store system needs an MTA - the store just _stores_ the emails, the MTA is needed to deliver emails into the store. Email can be injected via either the LMTP daemon or the ims-ms (SMTP) daemon.

The traditional mail-server layout looks like this:

(internally destined emails e.g. good.user@mydomain.com)

Email client -> SMTP -> system 1 (internal MTA) -> LMTP -> system 2 (mail-store)

(externally destined emails e.g. someuser@gmail.com)

Email client -> SMTP -> system 1 (internal MTA) -> system 3/4 ('external' MTAs) -> gmail or whatever non-organizational server

The internal MTA is a completely different install. Your original descriptions didn't make it clear whether 'internal MTA' was just the MTA associated with the mail-store or whether it was an 'internal MTA' within your organisation.

> Here is a summary of the current observation. As you may have noticed, the recipient is addressed outside the local network. I created a zone in the local DNS so that it won't give me the invalid host/domain error.
>
> All mails (webmail + outlook express) with invalid host/domain seem to be going through the internal MTA which then talks LMTP with the message store. The MTA for the message store is active. However I do not know if it is used at all. After switching to LMTP, the system seems to be smart enough to favor LMTP. After the mail reaches the message store, it simply bounces back stating delivery failure. Is it normal?

I think you have a fundamental knowledge gap with regards to how email routing and non-delivery notifications work. Operating in an environment which sounds like it doesn't have a workable DNS configuration is only making life even more difficult.

The email is most likely bouncing back because it can't be delivered: the MTA does an MX lookup for the invalid domain, can't resolve it, creates a bounce email and sends it back to the sender. You need to read the information in the bounce email very carefully - it should explain why you have the bounce email.

> Mails with a valid host/domain configured in the local DNS are queued on the tcp_local channel of the internal MTA.
>
> Here are my questions:
>
> 1. I am very new to DNS. How do I configure the internal MTA to relay the mail to external MTAs using DNS MX records? The message store MTA seems to deliver the email directly to the Internet. I do not want this behavior.

I already answered this. You add 'daemon <external MTA MX address>' to the channel which handles 'external' emails, i.e. the tcp_local channel.

> 2. For external mail access, do you recommend installing an external MTA local to webmail or just use an external MTA on another host?

This depends on how big your email load is, whether you want room for growth, whether you want to isolate email routing vs. email storage, and any number of other factors.

Regards,

Shane.

shane_hjortha at 2007-7-12 22:38:56
# 4

Thanks for sharing the knowledge. You are right. I have knowledge gaps here and there, especially on the DNS side. My life would definitely be easier if there were guys like you active in the forum. I really appreciate that.

>I think you have a fundamental knowledge gap with regards to how email routing and non-delivery notifications work. By operating in an environment which sounds like it doesn't have a workable DNS configuration is only making life even more difficult.

>The email is most likely bouncing back because it can't be delivered, the MTA does an MX record for the invalid domain, can't resolve it, creates a bounce email and sends it back to the sender. You need to read the information in the bounce email very carefully - it should explain why you have the bounce email.

The email is bounced back with the error "Illegal host/domain name found". The email is sent from Outlook Express or the webmail. As I have mentioned before, I have a simulated network with no Internet connection. The email is sent to xxx@gmail.com.

I have created a gmail.com zone in my local DNS to simulate further without the Internet. The email is no longer bounced back. It is queued on the tcp_local channel of the internal MTA.

I have also created the MX records in my local DNS. As far as I know there are two ways to load balance between two external MTAs using MX records. The first method is to define multiple MX records with the same priority. For example

mydomain.com.  MX  10  smtp1.mydomain.com.
mydomain.com.  MX  10  smtp2.mydomain.com.

This method requires the MTA to have built-in logic to load balance between the two MTAs. Can you confirm if Sun Messaging Server 6.3 (comes with Comms Suite 5) supports this method?

The second method is to define multiple A records with the same name and different IP addresses.

mydomain.com.      MX  10  smtp
smtp.mydomain.com  A   IN  172.16.2.x
                   A   IN  172.16.2.y

This method is readily supported by using the "daemon <gateway>" channel keyword because it requires only one gateway FQDN. However, the downside of the method is that the load balancing logic is dependent on the DNS service itself. Please correct me if I am wrong.

>This depends on how big your email load is, whether you want room for growth, whether you want to isolate of email routing vs. email storage and any number of factors.

I definitely would like maximum room for growth and isolation between email routing and storage. Please advise the current best practices.

Thank you.

JoeChris@Suna at 2007-7-12 22:38:56
# 5

Hi,

> The email is bounced back with the error "Illegal host/domain name found". The email is sent from Outlook Express or the webmail. As I have mentioned before, I have a simulated network with no Internet connection. The email is sent to xxx@gmail.com.

The bounce email then sounds entirely consistent with the setup you describe.

> I have created a gmail.com zone in my local DNS to simulate further without the Internet. The email is no longer bounced back. It is queued on the tcp_local channel of the internal MTA.

Ok good, this is the behaviour I would expect. For instance my test server also has no access via port 25 to the outside world (firewall drops outgoing smtp) but it can resolve the MX records for gmail.com, so I also end up with emails stuck in tcp_local.

> I have also created the MX records in my local DNS. As far as I know there are two ways to load balance between two external MTAs using MX records. The first method is to define multiple MX records with the same priority. For example
>
> mydomain.com.  MX  10  smtp1.mydomain.com.
> mydomain.com.  MX  10  smtp2.mydomain.com.
>
> This method requires the MTA to have built-in logic to load balance between the two MTAs. Can you confirm if Sun Messaging Server 6.3 (comes with Comms Suite 5) supports this method?

Yes. In fact this is how the vast majority of the internet operates e.g.

# host -t mx gmail.com
gmail.com  MX  10  alt1.gmail-smtp-in.l.google.com
gmail.com  MX  10  alt2.gmail-smtp-in.l.google.com
gmail.com  MX  50  gsmtp163.google.com
gmail.com  MX  50  gsmtp183.google.com
gmail.com  MX  5   gmail-smtp-in.l.google.com

> The second method is to define multiple A records with the same name and different IP addresses.

By default messaging server uses the MX records first and if those don't exist, it falls back to A records. That is what the "mx" means on the tcp_local channel definition in imta.cnf. Using "nomx" would mean just use the A records and ignore the MX records.

> mydomain.com.      MX  10  smtp
> smtp.mydomain.com  A   IN  172.16.2.x
>                    A   IN  172.16.2.y
>
> This method is readily supported by using the "daemon <gateway>" channel keyword because it requires only one gateway FQDN. However, the downside of the method is that the load balancing logic is dependent on the DNS service itself. Please correct me if I am wrong.

Your assumption that "gateway" only applies to the A records is incorrect as I explained above. Also this approach doesn't give you the option of MX priorities and as you noted relies on the DNS server round-robining the A records for each query.

Why not have:

[code]
extsmtp.mydomain.com.  MX  10  smtp1.mydomain.com.
extsmtp.mydomain.com.  MX  10  smtp2.mydomain.com.
[/code]

Then use daemon extsmtp.mydomain.com

> > This depends on how big your email load is, whether you want room for growth, whether you want to isolate email routing vs. email storage, and any number of other factors.
>
> I definitely would like maximum room for growth and isolation between email routing and storage. Please advise the current best practices.

In which case you would want to have separate system(s) to handle your internal MTA traffic. Ideally you place these system(s) behind a layer-4 load-balancing switch so you can have a single address that can be directed to multiple backend MTAs. This allows for things like least-connection load balancing etc. (depends on the capabilities of the switch).

Then these MTA systems handle things like incoming email from webmail/outlook, expansion of mailing lists, virus scanning/spam scanning, autoreplies etc. Once the email has been processed/munged appropriately it is sent via LMTP to the backend servers IF the email is destined for a backend server user, or to the extsmtp outgoing email systems to be delivered elsewhere.

Regards,

Shane.

shane_hjortha at 2007-7-12 22:38:56
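The host selection Shane describes in the reply above (the "mx" keyword trying MX records lowest preference first and sharing load across equal preferences, "nomx" or a missing MX falling back to A records, and the extsmtp.mydomain.com gateway name fronting both relays), worked through as an added example that is not the product's resolver code. The zone data, addresses and function names below are constructed for the illustration.

```python
import random

# Constructed zone data: MX records as (preference, host) per domain, and
# A records as a list of addresses per host name. It mirrors the records
# discussed in this thread; the addresses are made up.
MX = {
    "extsmtp.mydomain.com": [(10, "smtp1.mydomain.com"),
                             (10, "smtp2.mydomain.com")],
    "gmail.com": [(10, "alt1.gmail-smtp-in.l.google.com"),
                  (10, "alt2.gmail-smtp-in.l.google.com"),
                  (50, "gsmtp163.google.com"),
                  (50, "gsmtp183.google.com"),
                  (5, "gmail-smtp-in.l.google.com")],
}
A = {
    "smtp1.mydomain.com": ["172.16.2.1"],
    "smtp2.mydomain.com": ["172.16.2.2"],
    # The second method from the thread: one name, several A records.
    "smtp.mydomain.com": ["172.16.2.11", "172.16.2.12"],
}


def delivery_hosts(domain, use_mx=True, rng=random):
    """Hosts to try in order, as an MTA with the mx (or nomx) keyword would."""
    records = MX.get(domain, []) if use_mx else []
    if not records:
        # No MX records, or nomx: fall back to the domain's own A record(s).
        return [domain] if domain in A else []
    ordered = []
    for pref in sorted({p for p, _ in records}):
        group = [h for p, h in records if p == pref]
        rng.shuffle(group)  # equal-preference hosts share the load
        ordered.extend(group)
    return ordered


def delivery_addresses(domain, use_mx=True, rng=random):
    """Addresses to connect to, in order; an A-record set comes back as listed."""
    addrs = []
    for host in delivery_hosts(domain, use_mx, rng):
        addrs.extend(A.get(host, []))
    return addrs
```

With "daemon extsmtp.mydomain.com" on tcp_local, every outbound message resolves extsmtp.mydomain.com rather than the recipient's domain, so the MTA itself spreads load over smtp1 and smtp2 and the DNS server's A-record ordering no longer matters.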