APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Secondary MX

© April 2005 Tony Lawrence

If you want to run your own mail server, you need at least one MX Record in your DNS. You can, however, have more than one record, and it used to be a good idea: the idea was (and is) that if your primary server is unavailable, the secondary can be used to collect mail, which will then be sent to the primary when it comes back up or becomes less busy than it was previously.

The servers have a number associated with them, and the idea is that a connecting server wishing to send mail should try them in order:

xyz.com.         60      IN      MX      5 xyz.com.
xyz.com.         60      IN      MX      10 second.xyz.com.

So the "xyz.com" is the primary for this fictional domain.

Great idea, but the spammers soon realized that many secondary mail servers don't have spam or virus filters and worse, the primary may be set to not bother scanning stuff the secondary gives it. Even if spam and viruses are still scanned, quite likely prohibited IP's (blacklists) are maintained only on the primary or are out of date on the secondary, and they of course don't get checked when the mail is sent over (servers should never be set up this way but apparently people do stupid things like this). So they deliberately seek out your secondary MX record, ignoring the primary entirely.

One thing to do (besides applying the same blacklists, etc. to all servers, which you may not be able to do if the secondary is a service provided by someone else and not under your control), is to confuse the spammers by multiple host names pointing to your primary server, and then mix in those as (fake) secondary MX records. That won't affect legitimate use of these records; a legitimate mailer will just go down the list until it finds something that responds. At least at this time, the spammers apparently aren't looking very deeply into MX records so won't notice that some of the "secondaries" are really the primary.

However, spammers learn from their mistakes, so that ploy probably won't be effective for too long. The only real way to do this is to control your secondary MX's and make sure the same filtering policies are in effect.

Another problem with secondaries can be unnecessarily delayed mail. Any momentary issue at the primary will cause a sender to use the secondary. If there were no secondary, they'd probably try you again in a few minutes, and slowly back off to longer and longer times between tries. But if the mail does go to the secondary, it may not get relayed to the primary for a longer time: maybe the next day.

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Secondary MX

Inexpensive and informative Apple related e-books:

iOS 8: A Take Control Crash Course

Take Control of Automating Your Mac

Take Control of IOS 11

Sierra: A Take Control Crash Course

Photos for Mac: A Take Control Crash Course

More Articles by © Tony Lawrence

Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

The computer is a moron. (Peter Drucker)

Linux posts

Troubleshooting posts

This post tagged:



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode