Occasionally, when my wife sends me an email from her hotmail account she gets a bounce message saying the message was undeliverable. This is the correct response, since I use google apps for my email. My DNS configuration appears to be correct. I think postfix is doing what it's supposed too, but I've included a log snippet below from yesterday when she tried to send a couple emails. Is there anything I can do to stop hotmail from trying to deliver to my node?

The domain in question is brianlance.com, and my node has never been responsible for accepting mail for this domain. Although it does accept mail for others.

Jul 20 09:26:06 wallace postfix/smtpd[18853]: connect from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]
Jul 20 09:26:06 wallace postfix/smtpd[18853]: NOQUEUE: reject: RCPT from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]: 554 5.7.1 <xxxxx@brianlance.com>: Relay access denied; from=<xxxxx@hotmail.com> to=<xxxxx@brianlance.com> proto=ESMTP helo=<snt0-omc4-s23.snt0.hotmail.com>
Jul 20 09:26:06 wallace postfix/smtpd[18853]: disconnect from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]
Jul 20 09:28:39 wallace postfix/smtpd[18859]: connect from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]
Jul 20 09:28:39 wallace postfix/smtpd[18859]: NOQUEUE: reject: RCPT from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]: 554 5.7.1 <xxxxx@brianlance.com>: Relay access denied; from=<xxxxx@hotmail.com> to=<xxxxx@brianlance.com> proto=ESMTP helo=<snt0-omc4-s23.snt0.hotmail.com>
Jul 20 09:28:39 wallace postfix/smtpd[18859]: disconnect from snt0-omc4-s23.snt0.hotmail.com[65.55.90.226]
Jul 20 09:31:59 wallace postfix/anvil[18855]: statistics: max connection rate 1/60s for (smtp:65.55.90.226) at Jul 20 09:26:06
Jul 20 09:31:59 wallace postfix/anvil[18855]: statistics: max connection count 1 for (smtp:65.55.90.226) at Jul 20 09:26:06
Jul 20 09:31:59 wallace postfix/anvil[18855]: statistics: max cache size 1 at Jul 20 09:26:06
Jul 20 16:02:58 wallace postfix/smtpd[23654]: connect from snt0-omc4-s4.snt0.hotmail.com[65.55.90.207]
Jul 20 16:02:58 wallace postfix/smtpd[23654]: NOQUEUE: reject: RCPT from snt0-omc4-s4.snt0.hotmail.com[65.55.90.207]: 554 5.7.1 <xxxxx@brianlance.com>: Relay access denied; from=<xxxxx@hotmail.com> to=<xxxxx@brianlance.com> proto=ESMTP helo=<snt0-omc4-s4.snt0.hotmail.com>
Jul 20 16:02:58 wallace postfix/smtpd[23654]: disconnect from snt0-omc4-s4.snt0.hotmail.com[65.55.90.207]
Jul 20 16:06:18 wallace postfix/anvil[23657]: statistics: max connection rate 1/60s for (smtp:65.55.90.207) at Jul 20 16:02:58
Jul 20 16:06:18 wallace postfix/anvil[23657]: statistics: max connection count 1 for (smtp:65.55.90.207) at Jul 20 16:02:58
Jul 20 16:06:18 wallace postfix/anvil[23657]: statistics: max cache size 1 at Jul 20 16:02:58

$ dig brianlance.com mx

; <<>> DiG 9.3.2 <<>> brianlance.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10191
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;brianlance.com.                        IN      MX

;; ANSWER SECTION:
brianlance.com.         300     IN      MX      10 aspmx5.googlemail.com.
brianlance.com.         300     IN      MX      0 aspmx.l.google.com.
brianlance.com.         300     IN      MX      5 alt1.aspmx.l.google.com.
brianlance.com.         300     IN      MX      5 alt2.aspmx.l.google.com.
brianlance.com.         300     IN      MX      10 aspmx2.googlemail.com.
brianlance.com.         300     IN      MX      10 aspmx3.googlemail.com.
brianlance.com.         300     IN      MX      10 aspmx4.googlemail.com.

;; ADDITIONAL SECTION:
aspmx5.googlemail.com.  965     IN      A       74.125.130.27
aspmx2.googlemail.com.  400     IN      A       173.194.69.27
aspmx4.googlemail.com.  2047    IN      A       173.194.78.27

;; Query time: 446 msec
;; SERVER: 205.133.7.2#53(205.133.7.2)
;; WHEN: Sat Jul 21 21:29:10 2012
;; MSG SIZE  rcvd: 256

Looks like your MX records are set to use Google for incoming mail. Unless Hotmail is somehow getting a different DNS response, it should never look at the A record (which points to your Linode) as a place to deliver mail.

Postfix is doing the right thing by returning a 5xx (permanent) error code - does Hotmail send a bounce message to your wife?

Since Postfix needs to accept mail for other domains, you can't just firewall it off from the outside world. The only other option I can think of would be to have Postfix return a different error code to tell Hotmail to stop doing this, but I don't think there's one more appropriate.

I concur: it is absolutely a Hotmail problem, as they are ignoring the MX records. You might have some luck getting in touch with Hotmail Postmaster.

_________________

/* TODO: need to add signature to posts */

Apparently this has been going on for a couple years. Here's a serverfault post from someone having the problem in 2010 (with some replies from earlier this year).

Since this appears to be going on for so long, I suspect waiting for Hotmail to fix it may be futile. I think Vance might be on the right path with the notion of providing a non-5xx error. Try sending a 4xx error code for any brianlance.com mail instead (which tells the sender there's a temporary error and it should try again later). It's possible that this will cause Hotmail to try your MX servers and deliver the mail properly.

As much as I like to bash hotmail, it seems like a little bit of this sort of thing is inevitable when your MX points somewhere different than the A record for the domain. A temporary failure on the MX lookup is likely to cause a sending server to fall back to the A record.

One answer would be to accept the mail and just forward it yourself. I agree though that sending a 4xx response might help, especially with your 5 minute DNS TTL setting. That of course is assuming hotmail honors the TTL

Thanks for the input everyone. Is falling back to the A record in cases of MX lookup failures a standard behavior? What 4xx code should I send (and how do I do that)? I've thought about just relaying the messages, but I'm not sure where that would be configured.

I should probably increase that TTL. Set it to that when I was testing something a long time ago and forgot set it back.

This is, in fact, the RFC-correct way of doing things. Trying all MX records and then failing back to A record is... wrong. Definitively.


DNS TTLs are irrelevant to SMTP retry timings.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)

It's a not-unheard-of broken behaviour. It's not standard and it's wrong. But it's not unheard of.


Be careful about relaying; if google rejects your mail as spam at SMTP time then you'll either need to blackhole the message or will act as a back-scatter spam source in your own right.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)