MX record versus fixed IP

  • MX record versus fixed IP

    I currently have six MX records for my and the actual names of our mail servers, and Right now we use a third party spam filtering company (POSTINI) that has our first four MX records pointing to them. The problem is, spammers are starting at the bottom of our MX records, bypassing the spam filtering.

    I'd like to get rid of the MX record and move all the remote users outlook configuration from SMTP - to just the IP address and then get rid of the MX record. That way the four mx records out there for typical legit mail would go through POSTINI, but the spammers that try to bypass it and go with the bottom MX record would no longer have an MX record to go with.

    Is this possible and does this work to just have the IP address used for the smtp server section in the outlook client? I am pretty sure mail would continue without problem for [email protected], since that would fall under the first four MX records pointing to POSTINI.

    Am I missing something or will this work?


    Last edited by kevins74; 29th November 2005, 22:21. Reason: change icon from paper to question?

  • #2
    Re: MX record versus fixed IP

    I can't understand what is happening.

    You have 6 MX records??

    I have one MX record with 3 entries that are prioritised using the preference.

    If you have a spam filter external to your network you should be pointing to that IP address then the hoster of your spam filter should then forward legitimate mail to your Exchange server's IP address, thus your actual address is never published in DNS.


    • #3
      Re: MX record versus fixed IP

      We have multiple MX records for different mail servers that we have.

      All of them are MX records like the following

      1 MX points to POSTINI
      2 MX points to POSTINI
      3 MX points to POSTINI
      4 MX points to POSTINI

      west and east are used by our pop/smtp configured remote users.

      When a legit company sends mail, they use the standard preference of the MX records starting with 1,2,3,4 if needed.

      Spammers are starting from the bottom of the MX records (20 and bypassing POSTINI

      Remote users can't use a MX record because postini is only for outbound internal, not outbound remote users. The mail that remote users get comes through postini, but when they send, it doesn't go out of postini, which creates the problem of having a back door open for spammers.

      I want to get rid of the last two MX records and just use an IP address that resolves to. also has an A record associated with it. So my understanding is I could actually keep their configuration the same (using as their smtp setting and just getting rid of the MX record. That way still would resolve with DNS to the same IP.

      Hope this helps clear some things up.


      • #4
        Re: MX record versus fixed IP

        You need the MX record in DNS for mail servers to find your server.

        Can you not utilise the POSTINI for all inbound and outbound mail??


        • #5
          Re: MX record versus fixed IP

          Postini can do both inbound and outbound, but that comes at an extra price, so we are trying to look at the other options first.

          Even though mail servers might need MX records to find our mail servers, our remote users are using our mail server for both pop and smtp and do not need to look at other mail servers to find our mail servers. Because of this, I am thinking that we do not need the MX record in place for them. Since we also have an A record for, those remote users should just be able to keep their outlook settings with their SMTP server as, and this will still resolve to the IP of the mail server.

          When legit e-mail is sent to my e-mail address the sender's mail server will look for the First priority MX record which will send them to POSTINI.

          When a spammer tries to start at the bottom, they will not find an open MX record and instead find the 4th MX record on the list which will send them to POSTINI.

          When a remote Outlook user configured with pop ( smtp ( tries to send mail, they will be able to resolve with an A record out there. From there the firewall will let SMTP traffic for that IP come down to the mail server.

          I think this should work?

          I hope I am not missing something.




          • #6
            Re: MX record versus fixed IP


            You are correct. Removing the last 2 MX records will not cause any problems, as your Outlook clients do not use MX records to send or receive mail. Leave the corresponding A records in place if you want to use the and names instead of IP addresses. Also Postini may use the A records to relay the mail back to you after scanning for spam etc.


            • #7
              Re: MX record versus fixed IP

              Thanks for all the replies. I am sure less spam coming in will not be missed.



              • #8
                Re: MX record versus fixed IP

                If the remote users VPN in to your network and receive an IP address on your network then all you need to do is get your IS, or whoever controls your external DNS, to remove the entries for east and west.

                Your MX record is only used when another external mail server needs to connect to your mail server. This will query DNS looking for these specific records. If it can only see the POSTINI server then all is good and well.

                Another little thing. You have turned off relaying from all except internal users??

                No-one should be able to relay from your exchange server other than authenticated users on your LAN.


                • #9
                  Re: MX record versus fixed IP

                  Hi Kevins74,

                  I am facing the same scenario as you.

                  This is what I understood from my antispam vendor - If you remove your and MX records, spammers can still spam your front end servers. This is because spammers have already cached your MX information. They only need to resolve your A records to send spam to you. In addition, spammers will discover your port 25 is still open if they run a port scan.

                  To effectively stop spam and still allow access for pop3/smtp users, I think a better way is to:
                  1. remove anonymous authentication at frontend smtp virtual server.
                  - this will force all external smtp servers to talk to POSTINI.

                  2. use authentication between POSTINI and frontend servers.
                  - this allows POSTINI to relay filtered email to frontend servers.

                  What do you think? Any other suggestions?




                  • #10
                    Re: MX record versus fixed IP

                    My antispam vendor has suggested another solution which I have implemented in my front end exchange server.

                    The solution helps me to
                    1. create a trust based on IP address between my antispam system and my frontend exchange server. Spammer or legitimate smtp servers are not allowed to talk to frontend. They are forced to talk to my antispam system first before filtered emails are relayed to frontend. Hence, the spam "MX loophole" is closed.

                    2. Allow POP3/SMTP authenticated users to send emails thru my frontend server to both internal and external domains regardless what IP address they are using.


                    Configuring SMTP for Both Authenticated and Anonymous Connections at Microsoft
                    - To reduce administrative overhead, the Microsoft Information Technology (Microsoft IT) group needed to change the way Microsoft® Exchange Server 2003 makes internal Simple Mail Transfer Protocol (SMTP) connections. Microsoft IT set the SmtpIpRestrictionFlag attribute to 1 to configure an SMTP virtual server to allow anonymous connections from an explicit list of IP addresses, yet allow all authenticated connections from other Exchange servers.
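
The following is an added example, not part of the thread and not Exchange or Postini configuration: a small Python model of the two checks discussed above, finding MX records that deliver straight to the origin servers and applying the front-end rule from posts #9 and #10 (anonymous SMTP only from the filtering service, authenticated users from anywhere). All host names, preferences and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample data (example.* names, RFC 5737 documentation ranges);
# none of these values come from the thread.
FILTER_SUFFIX = ".filter.example.net"          # hypothetical filtering provider
FILTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

MX_RECORDS = [  # (preference, exchange) as published in the public zone
    (1, "mx1.filter.example.net"),
    (2, "mx2.filter.example.net"),
    (3, "mx3.filter.example.net"),
    (4, "mx4.filter.example.net"),
    (5, "west.example.com"),
    (6, "east.example.com"),
]


def direct_mx(records, filter_suffix=FILTER_SUFFIX):
    """Return MX targets that reach the origin servers without the filter."""
    return sorted(
        host for _pref, host in records
        if not host.lower().rstrip(".").endswith(filter_suffix)
    )


def accept_smtp(peer_ip, authenticated, filter_nets=FILTER_NETS):
    """Front-end accept rule: authenticated sessions from any address,
    anonymous sessions only from the filtering service's networks."""
    if authenticated:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in filter_nets)


if __name__ == "__main__":
    print("MX records bypassing the filter:", direct_mx(MX_RECORDS))
    # Removing those MX records does not close port 25 on the A-record
    # address, so the accept rule is what actually rejects a direct sender.
    sessions = [
        ("198.51.100.7", False, "filter relaying scanned mail"),
        ("203.0.113.50", False, "sender using a cached MX / A record"),
        ("203.0.113.50", True, "remote POP3/SMTP user who authenticated"),
    ]
    for ip, auth, label in sessions:
        verdict = "accept" if accept_smtp(ip, auth) else "reject"
        print(f"{verdict:6} {ip:15} {label}")
```
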