Problem with MX records as CNAME and email delivery

Discussion in 'Bind/DNS/Nameserver' started by petersphilo, Feb 22, 2018.

  1. petersphilo

    petersphilo Member

    Hello,

    This is just to inform you that 1&1 now refuses to interact with mail servers using the following DNS configuration:
    Say the MX record points to mail.domain.tld.
    If the record for mail.domain.tld is a CNAME record rather than an A record, 1&1 will refuse to accept mail from or deliver to your server!!

    I discovered this because a client of mine receives the following error messages when communicating with a domain hosted on 1&1:
    550-Requested action not taken: mailbox unavailable
    550 invalid DNS MX or A/AAAA resource record


    See this post, which seems to confirm:
    - Removed -

    Has anyone else seen this behavior?

    If this is going to be a new trend, please note that cPanel, by default, has the MX record point to a CNAME record rather than an A record.
     
    #1 petersphilo, Feb 22, 2018
    Last edited by a moderator: Feb 22, 2018
  2. sparek-3

    sparek-3 Well-Known Member

    I believe this has always been the case. This is part of RFC 2181.

    RFC 2181 - Clarifications to the DNS Specification

    Scroll on down to section 10.3

    I do not believe cPanel's default behavior disobeys this rule.

    What MX records are you seeing as being created by default in cPanel?
     
  3. petersphilo

    petersphilo Member

    OK, thank you for the information, but I checked and every domain that I created using cPanel made the mail.domain.tld record a CNAME record rather than an A record...
    Maybe it was just the version I was using when I created the domains...

    EDIT:
    I figured out what's going on...
    I just checked my zone templates:
    Code:
    %domain%. IN A %ip%
    %domain%. IN AAAA %ipv6%
    
    %domain%. IN MX 0 %domain%.
    
    mail IN CNAME %domain%.
    www IN CNAME %domain%.
    ftp IN CNAME %domain%.
    Since they are set to use domain.tld as the MX entry, they just CNAME the mail.domain.tld entry...

    Is there a reason to favor domain.tld over mail.domain.tld as your MX entry? (Other than cheaper SSL certificates, if you're not using LetsEncrypt.)
     
    #3 petersphilo, Feb 22, 2018
    Last edited: Feb 22, 2018
  4. sparek-3

    sparek-3 Well-Known Member

    Certificates have nothing to do with mail exchanges.

    The MX records just need to point to a hostname that resolves to an IP address that is where you want mail for that domain name to go.
     
  5. petersphilo

    petersphilo Member

    I'm aware that certificates have nothing to do with mail exchanges...
    What I meant was that SSL certificates that include subdomains (like www or mail) are usually more expensive, so I can imagine wanting to run everything off of one domain...

    I also imagine that the traditional mail.domain being used for MX is to allow for separate servers...

    I guess what I was asking is this:
    Is there any reason, on a small server with under 30 mail accounts, a low-frequentation website, and basically no other services, to use mail.domain.tld rather than just domain.tld as the MX?
     
  6. mtindor

    mtindor Well-Known Member

    I'm guessing cPanel by default creates an MX that points to domain.ext rather than mail.domain.ext, and that mail.domain.ext is a CNAME pointing to domain.ext simply for the purpose of having fewer records requiring editing when you migrate accounts. Just a guess. I don't think you asked that, but I'm just thinking out loud.

    Anytime a hostname is entered as an A-record versus a CNAME, that requires one less DNS lookup to resolve it. So in my mind, it's preferable to have A-records rather than CNAMEs, except in instances where using CNAMEs makes things clearer or more efficient from an administrative standpoint. Again, I realize you didn't ask that.

    I don't think there is really any preference for using domain.ext or mail.domain.ext as your MX. Just be aware that if your MX record points to domain.ext and you do something like move your website elsewhere but keep your mail on the cPanel box, you will want to make sure that you change mail.domain.ext to an A-record pointing to the local cPanel IP and then change your MX record to point to mail.domain.ext rather than domain.ext.

    Mike
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Did you reach out to 1&1 and confirm that to be the case? Generally, the error message you referenced stems from an invalid or non-working resolver in the cPanel server's /etc/resolv.conf file. Fixing the /etc/resolv.conf file solves the issue. To test this, try updating the /etc/resolv.conf file on your cPanel server to a public resolver (e.g. Google provides 8.8.8.8, 8.8.4.4) to see if the issue persists.

    Thank you.
     
  8. mtindor

    mtindor Well-Known Member

    Michael,

    What the OP referenced has nothing to do with the local cPanel server's resolver.

    1and1 has been doing this for a long time actually. I'm fairly certain of that.

    From RFC1912:

    Don't use CNAMEs in combination with RRs which point to other names
    like MX, CNAME, PTR and NS. (PTR is an exception if you want to
    implement classless in-addr delegation.) For example, this is
    strongly discouraged:

    podunk.xx. IN MX mailhost
    mailhost IN CNAME mary
    mary IN A 1.2.3.4


    [RFC 1034] in section 3.6.2 says this should not be done, and [RFC
    974] explicitly states that MX records shall not point to an alias
    defined by a CNAME. This results in unnecessary indirection in
    accessing the data, and DNS resolvers and servers need to work more
    to get the answer. If you really want to do this, you can accomplish
    the same thing by using a preprocessor such as m4 on your host files.

    Also, having chained records such as CNAMEs pointing to CNAMEs may
    make administration issues easier, but is known to tickle bugs in
    some resolvers that fail to check loops correctly. As a result some
    hosts may not be able to resolve such names.

    Having NS records pointing to a CNAME is bad and may conflict badly
    with current BIND servers. In fact, current BIND implementations
    will ignore such records, possibly leading to a lame delegation.
    There is a certain amount of security checking done in BIND to
    prevent spoofing DNS NS records. Also, older BIND servers reportedly
    will get caught in an infinite query loop trying to figure out the
    address for the aliased nameserver, causing a continuous stream of
    DNS requests to be sent.


    The simple answer is to not reference a hostname in an MX record if that hostname is a CNAME. Only reference a hostname in an MX record if that hostname has one or more associated A-records.

    Mike
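
Added example (not part of any post in this thread, and not cPanel's code): a small Python check for the rule discussed above, that an MX or NS record must not point at a name owned by a CNAME. The `example.test` zone and `192.0.2.10` are constructed from the template shape in post #3; the second zone is the RFC 1912 example quoted in post #8. The parser assumes the simple `name IN TYPE rdata` line shape shown in the thread (no TTL field, no `$ORIGIN`).

```python
# Added example: find MX/NS targets that are CNAME aliases (RFC 2181 s10.3, RFC 1912).
CPANEL_STYLE = """
example.test. IN A 192.0.2.10
example.test. IN MX 0 example.test.
mail IN CNAME example.test.
www IN CNAME example.test.
"""
RFC1912_STYLE = """
podunk.xx. IN MX mailhost
mailhost IN CNAME mary
mary IN A 1.2.3.4
"""

def fqdn(name, origin):
    # Expand "@" and relative names against the zone origin (origin ends in ".").
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, target) tuples for A/AAAA/CNAME/MX/NS lines."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments
        if "IN" in fields:
            fields.remove("IN")
        if len(fields) < 3 or fields[1].upper() not in {"A", "AAAA", "CNAME", "MX", "NS"}:
            continue
        owner, rtype = fqdn(fields[0], origin), fields[1].upper()
        target = fields[-1]                      # last field, so an MX preference is skipped
        if rtype not in {"A", "AAAA"}:
            target = fqdn(target, origin)
        records.append((owner, rtype, target))
    return records

def canonical(name, records, limit=8):
    """Follow CNAMEs from name; return the final name, or None on a loop or long chain."""
    cnames = {owner: target for owner, rtype, target in records if rtype == "CNAME"}
    for _ in range(limit):
        if name not in cnames:
            return name
        name = cnames[name]
    return None

def alias_targets(records):
    """List (owner, type, target, canonical) for MX/NS records whose target is a CNAME."""
    aliases = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    return [(o, t, tgt, canonical(tgt, records)) for o, t, tgt in records
            if t in {"MX", "NS"} and tgt in aliases]
```

The fourth element of each finding is the name the record could point at instead; `None` means the alias chain loops or is too long to trust.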
     