Secondary MX
I've removed advertising from most of this site and will eventually clean up the few pages where it remains.
While not terribly expensive to maintain, this does cost me something. If I don't get enough donations to cover that expense, I will be shutting the site down in early 2020.
If you found something useful today, please consider a small donation.
Some material is very old and may be incorrect today
© April 2005 Tony Lawrence
2005/04/03
If you want to run your own mail server, you need at least one MX Record in your DNS. You can, however, have more than one record, and it used to be a good idea: the idea was (and is) that if your primary server is unavailable, the secondary can be used to collect mail, which will then be sent to the primary when it comes back up or becomes less busy than it was previously.
The servers have a number associated with them, and the idea is that a connecting server wishing to send mail should try them in order:
xyz.com. 60 IN MX 5 xyz.com. xyz.com. 60 IN MX 10 second.xyz.com.
So the "xyz.com" is the primary for this fictional domain.
Great idea, but the spammers soon realized that many secondary mail servers don't have spam or virus filters and worse, the primary may be set to not bother scanning stuff the secondary gives it. Even if spam and viruses are still scanned, quite likely prohibited IP's (blacklists) are maintained only on the primary or are out of date on the secondary, and they of course don't get checked when the mail is sent over (servers should never be set up this way but apparently people do stupid things like this). So they deliberately seek out your secondary MX record, ignoring the primary entirely.
One thing to do (besides applying the same blacklists, etc. to all servers, which you may not be able to do if the secondary is a service provided by someone else and not under your control), is to confuse the spammers by multiple host names pointing to your primary server, and then mix in those as (fake) secondary MX records. That won't affect legitimate use of these records; a legitimate mailer will just go down the list until it finds something that responds. At least at this time, the spammers apparently aren't looking very deeply into MX records so won't notice that some of the "secondaries" are really the primary.
However, spammers learn from their mistakes, so that ploy probably won't be effective for too long. The only real way to do this is to control your secondary MX's and make sure the same filtering policies are in effect.
Another problem with secondaries can be unnecessarily delayed mail. Any momentary issue at the primary will cause a sender to use the secondary. If there were no secondary, they'd probably try you again in a few minutes, and slowly back off to longer and longer times between tries. But if the mail does go to the secondary, it may not get relayed to the primary for a longer time: maybe the next day.
If you found something useful today, please consider a small donation.
Got something to add? Send me email.
Inexpensive and informative Apple related e-books:
iOS 8: A Take Control Crash Course
Take Control of Automating Your Mac
Take Control of IOS 11
Sierra: A Take Control Crash Course
Photos for Mac: A Take Control Crash Course
More Articles by Tony Lawrence © 2012-07-17 Tony Lawrence
The computer is a moron. (Peter Drucker)
This post tagged:
Skills Tests
Unix/Linux Book Reviews
My Unix/Linux Troubleshooting Book
This site runs on Linode
Printer Friendly Version
Secondary MX: Tech Words of the Day Copyright © April 2005 Tony Lawrence
Have you tried Searching this site?
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.
Contact us
Printer Friendly Version