Messaging Gateway DNS Validation fails for hostnames with multivalued A records
Article: TECH198845 | Created: 2012-10-23 | Updated: 2013-05-29 | Article URL: http://www.symantec.com/docs/TECH198845
Symantec Messaging Gateway (SMG), when DNS Validation is configured to "Reject connections where the reverse DNS record exists for the connecting IP address, but the 'A' or 'AAAA' record of the resulting domain does not match the connecting IP address", sometimes rejects connections from hosts that have both a valid PTR record for their IP address and an A record for the resulting hostname that includes that IP address. The rejection is logged as follows:
2012 Oct 23 10:46:16 PDT (info) ecelerity:  LUA: ML-CONNECT-INFO: connect from mx.vmnet.lab[10.160.248.80]
2012 Oct 23 10:46:16 PDT (info) ecelerity:  LUA: RDNS: Connecting IP 10.160.248.80 does not match DNS record for (mx.vmnet.lab) with IP 10.160.248.85
2012 Oct 23 10:46:16 PDT (info) ecelerity:  ML-REJECT: Rejection on: 10.160.248.71:25, sent to host: 10.160.248.80:39613, Audit ID 0aa0f847-b7fc76d000003da8-01-5086d7e8b3cf, 554 5.7.1 Delivery not authorized
2012 Oct 23 10:46:16 PDT (info) ecelerity:  ML-HOST_DISCONNECTED: 10.160.248.80:39613 disconnected. (ID 8cb5a10)
- SMG 10.0.0
- SMG 10.0.1
This occurs when the connecting host's name has more than one A record, for example a mail server reachable on several IP addresses. SMG first resolves the PTR record for the connecting IP address to obtain a hostname, then resolves that hostname's A (or AAAA) records. When the DNS returns more than one address, SMG compares the connecting IP address only with the first address returned; if the connecting address is any other member of the set, the check fails even though the forward and reverse records are consistent. In the log excerpt above, 10.160.248.80 is rejected because the first A record returned for mx.vmnet.lab was 10.160.248.85.
This issue is fixed in the SMG 10.0.2 release.
For the versions listed above there is no workaround that preserves the full check. The impact can be mitigated by relaxing DNS Validation to "Reject connections where no reverse DNS record exists for the connecting IP address" on the Control Center Protocols > Domains > Settings page. Note that this weaker setting only requires that a PTR record exist for the connecting IP address; it no longer confirms that the returned hostname resolves back to that address, so the forward-confirmation part of the check is lost until the upgrade to 10.0.2.
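The following is an added example, not code from the article or from SMG, that reproduces the forward-confirmed reverse DNS (FCrDNS) check in three modes: the "PTR must exist" setting used as the mitigation, the first-record-only comparison that causes the false rejection, and the correct comparison against every address returned. It also parses the RDNS log line from the article and re-checks the rejected host against the full record set, which is how an administrator can tell a genuine mismatch from this bug. DNS answers come from a constructed stub zone (mx.vmnet.lab with two A records, plus an invented orphan.vmnet.lab whose PTR does not forward-confirm) so the example runs offline; the function and variable names are the example's own.

```python
"""FCrDNS check as SMG's DNS Validation performs it, with the buggy
first-record-only comparison beside the correct any-record comparison.
Resolver answers are a constructed stub so the example runs offline."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed stub zone data (assumption: stands in for a real resolver).
STUB_PTR: Dict[str, str] = {
    "10.160.248.80": "mx.vmnet.lab",
    "10.160.248.85": "mx.vmnet.lab",
    "10.160.248.90": "orphan.vmnet.lab",   # PTR exists, but forward set lacks this IP
}
STUB_FORWARD: Dict[str, List[str]] = {
    "mx.vmnet.lab": ["10.160.248.85", "10.160.248.80"],  # order matters for the bug
    "orphan.vmnet.lab": ["10.160.248.91"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """PTR lookup against the stub (replace with socket.gethostbyaddr for real use)."""
    return STUB_PTR.get(ip)


def lookup_forward(host: str) -> List[str]:
    """A/AAAA lookup against the stub (replace with socket.getaddrinfo for real use)."""
    return STUB_FORWARD.get(host, [])


def validate(ip: str, mode: str) -> str:
    """Return 'accept', 'reject-no-ptr' or 'reject-mismatch'.

    mode 'ptr_exists'   : the weaker setting used as the mitigation (PTR must exist)
    mode 'fcrdns_first' : compares only the first forward address (the 10.0.0/10.0.1 bug)
    mode 'fcrdns_all'   : accepts if any forward address equals the connecting IP
    """
    host = lookup_ptr(ip)
    if host is None:
        return "reject-no-ptr"
    if mode == "ptr_exists":
        return "accept"
    connecting = ipaddress.ip_address(ip)
    # Normalise through ipaddress so textual IPv6 variants compare correctly.
    forward = [ipaddress.ip_address(a) for a in lookup_forward(host)]
    if not forward:
        return "reject-mismatch"
    if mode == "fcrdns_first":
        return "accept" if forward[0] == connecting else "reject-mismatch"
    if mode == "fcrdns_all":
        return "accept" if connecting in forward else "reject-mismatch"
    raise ValueError(f"unknown mode {mode!r}")


# Matches the RDNS mismatch line SMG writes when it rejects a connection.
RDNS_RE = re.compile(
    r"RDNS: Connecting IP (\S+) does not match DNS record for \((\S+)\) with IP (\S+)"
)


def parse_rdns_reject(line: str) -> Optional[Dict[str, str]]:
    """Extract connecting IP, PTR hostname and the single address SMG compared."""
    m = RDNS_RE.search(line)
    if not m:
        return None
    return {"ip": m.group(1), "host": m.group(2), "compared_ip": m.group(3)}


def is_false_positive(line: str) -> bool:
    """True when a logged RDNS mismatch would pass a full-record-set FCrDNS check."""
    rec = parse_rdns_reject(line)
    if rec is None:
        return False
    return validate(rec["ip"], "fcrdns_all") == "accept"


# The RDNS line from the article's log excerpt.
SAMPLE_LOG = ("2012 Oct 23 10:46:16 PDT (info) ecelerity:  LUA: RDNS: Connecting IP "
              "10.160.248.80 does not match DNS record for (mx.vmnet.lab) with IP 10.160.248.85")

if __name__ == "__main__":
    for mode in ("ptr_exists", "fcrdns_first", "fcrdns_all"):
        print(mode, validate("10.160.248.80", mode), validate("10.160.248.90", mode))
    print("false positive:", is_false_positive(SAMPLE_LOG))
```

Running the block shows the three outcomes side by side: 10.160.248.80 is rejected only in `fcrdns_first` mode, while orphan.vmnet.lab's 10.160.248.90 is accepted by `ptr_exists` but correctly rejected by `fcrdns_all`, which is the detection the mitigation gives up. To triage real rejections, swap the two stub lookups for live resolver calls and feed the RDNS lines from the SMG log through `is_false_positive`.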