Messaging Gateway DNS Validation fails for hostnames with multivalued A records

Article:TECH198845  |  Created: 2012-10-23  |  Updated: 2013-05-29
Article Type: Technical Solution



Symantec Messaging Gateway (SMG), when DNS Validation is configured to "Reject connections where the reverse DNS record exists for the connecting IP address, but the 'A' or 'AAAA' record of the resulting domain does not match the connecting IP address", sometimes rejects connections from hosts that have both valid PTR records for their IP and A records for that hostname.


2012 Oct 23 10:46:16 PDT (info) ecelerity: [15784] LUA: ML-CONNECT-INFO: connect from mx.vmnet.lab[]
2012 Oct 23 10:46:16 PDT (info) ecelerity: [15784] LUA: RDNS: Connecting IP does not match DNS record for (mx.vmnet.lab) with IP
2012 Oct 23 10:46:16 PDT (info) ecelerity: [15784] ML-REJECT: Rejection on:, sent to host:, Audit ID 0aa0f847-b7fc76d000003da8-01-5086d7e8b3cf, 554 5.7.1 Delivery not authorized
2012 Oct 23 10:46:16 PDT (info) ecelerity: [15784] ML-HOST_DISCONNECTED: disconnected. (ID 8cb5a10)


  • SMG 10.0.0
  • SMG 10.0.1



This occurs when a host or mail server with multiple IP addresses defined in its DNS A record connects to SMG. SMG first looks up the hostname for the connecting IP (the PTR lookup) and then looks up the IP addresses associated with that hostname. In some cases DNS returns multiple IP addresses, but SMG compares the connecting IP only with the first address returned.
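The comparison described above, as an added example that is not SMG's own code: it puts the first-address-only check beside a check against every returned A/AAAA address. The zone data, hostnames and function names are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed zone data for illustration only (not taken from the article).
PTR = {
    "192.0.2.10": "mx.example.test",
    "192.0.2.20": "mx.example.test",
    "192.0.2.99": "mx.example.test",   # PTR names a host whose A records exclude this IP
    "2001:db8::25": "mx6.example.test",
}
FORWARD = {
    "mx.example.test": ["192.0.2.10", "192.0.2.20"],   # multivalued A record
    "mx6.example.test": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
}

def lookup_ptr(ip):
    """Hypothetical stand-in for the reverse (PTR) lookup."""
    return PTR.get(ip)

def lookup_addrs(name):
    """Hypothetical stand-in for the forward (A/AAAA) lookup."""
    return FORWARD.get(name, [])

def first_only_check(ip):
    """Flawed form: only the first returned address is compared."""
    name = lookup_ptr(ip)
    addrs = lookup_addrs(name) if name else []
    return bool(addrs) and ipaddress.ip_address(addrs[0]) == ipaddress.ip_address(ip)

def fcrdns_check(ip):
    """Corrected form: accept when any returned address equals the connecting IP."""
    name = lookup_ptr(ip)
    if name is None:
        return "no-ptr"
    client = ipaddress.ip_address(ip)   # parsed form, so IPv6 spellings compare equal
    for addr in lookup_addrs(name):
        try:
            if ipaddress.ip_address(addr) == client:
                return "match"
        except ValueError:
            continue                    # ignore malformed resolver data
    return "mismatch"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99", "198.51.100.1", "2001:db8::25"):
        print(ip, "first-only:", first_only_check(ip), "all-records:", fcrdns_check(ip))
```

Because DNS servers commonly rotate the order of multivalued answers, the first-only form passes or fails the same legitimate host depending on which address happens to come first, which matches the intermittent rejections described here.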


This issue has been addressed in the SMG v10.0.2 release.

For the versions listed in the Environment section there is currently no workaround for this issue, but it may be mitigated by limiting DNS Validation to "Reject connections where no reverse DNS record exists for the connecting IP address" via the Control Center Protocols->Domains->Settings page.
