Undestanding MX records, Mail Relay/Authentication and Open Relay

Undestanding MX records, Mail Relay/Authentication and Open Relay

MX Records (Mail exchanger record) are a type of record in the DNS zone that specifies a mail server responsible for receiving emails on the behalf of a recipient’s domain. It also acts as a preference value used to prioritise mail delivery if multiple mail servers are available.

Here we consider MX records of google.com for example:

google.com. 600 IN MX 30 alt2.aspmx.l.google.com.
google.com. 600 IN MX 40 alt3.aspmx.l.google.com.
google.com. 600 IN MX 20 alt1.aspmx.l.google.com.
google.com. 600 IN MX 50 alt4.aspmx.l.google.com.
google.com. 600 IN MX 10 aspmx.l.google.com.

aspmx.l.google.com is the mail server with highest priority, because it got number 10.
alt4.aspmx.l.google.com is the mail server with least priority because of its number 50.

In short, lowest the number is, the highest is priority and highest the number is, the lowest is priority. Any number greater than or equal to ZERO(0) can be used as priority number.

In the above setup, a mail from [email protected] will be delivered to [email protected] via aspmx.l.google.com. The mail will only be delivered to alt4.aspmx.l.google.com only if aspmx.l.google.com, alt1.aspmx.l.google.com, alt2.aspmx.l.google.com & alt3.aspmx.l.google.com are down.

The domain can have any number of MX records. If a domain has two MX records of same priority number, mail will be delivered to only one in an unpredictable manner.
Two mail servers with same priority is used very rarely.

Mail relay

A mail server that allows its SMTP service to be used to send email without authentication
1. If recipient email address is a locally hosted email address
2. If the email sending script is connecting to localhost or

Mail Authentications

A mail server that allows its SMTP to be used to send email with authentication to any email address or IP address. This is the normal way of email server configuration. There are 2 kinds of SMTP authentications.
1. POP before SMTP

POP before SMTP utilizes authentication method in dovecot POP3 server or courier POP3 server. Once a user logged in POP3, his IP address will be added in white-list file and then the user is allowed to send email for next 30 minutes without any authentication. In Cpanel mail server (exim) such IPs are kept in /etc/relayhosts. It holds the IP addresses found by the antirelayd daemon which collects them from /var/log/maillog and puts them into that file to allow relaying from those IP addresses through the server .

SMTPAuth is an authentication method of SMTP server itself. SMTPAuth is better than POP before SMTP and it is more secure. In first method if a user have authenticated with POP, then anyone can send email from that IP without authentication. There is a big loop hole in POP before SMTP method that could be used by spammers to send spam. In SMTPAuth, email sender has to authenticate before sending each email.

Open Relay

Now, we will go to another important term, “Open Relay”. Mail Relay is not bad in itself as long as it is not allowing a remote user to send emails without authentication. If a mail server is allowing remote users to send emails to other email addresses that are not hosted on local server, that server is called “Open Relay”.

You can check open relay server by using telnet command

# telnet 25

mail from: [email protected]
rcpt to: [email protected]
$ telnet sh1-eqx3-syd.ha-node.net 25

220-sh1-eqx3-syd.ha-node.net ESMTP Exim 4.77 #2 Fri, 14 Sep 2012 17:05:51 +1000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Relay access denied

As you see access denied to send email i.e. mail server is NOT open relay.

You can use one of the following tools to check for open relay.