
To the best of my knowledge, the below DNS records should work as a failover for my mail servers:

example.com     A   192.0.2.1       3600
www.example.com A   192.0.2.1       3600
ftp.example.com A   192.0.2.1       3600
example.com TXT "v=spf1 a mx a:spf.batchsmtp.com ip4:198.51.100.1 ip4:203.0.113.2 -all"     86400
example.com     MX  srv1.batchsmtp.com  10  86400
example.com     MX  srv2.batchsmtp.com  10  86400
srv1.example.com    A   198.51.100.1        3600
srv2.example.com    A   203.0.113.2         3600
_smtp._tcp.example.com  SRV 2 25 srv1.example.com   10  3600
_smtp._tcp.example.com  SRV 1 25 srv2.example.com   10  3600
_imaps._tcp.example.com SRV 2 993 srv1.example.com  10  3600
_imaps._tcp.example.com SRV 1 993 srv2.example.com  10  3600
_imap._tcp.example.com  SRV 2 143 srv1.example.com  10  3600
_imap._tcp.example.com  SRV 1 143 srv2.example.com  10  3600
_submission._tcp.example.com    SRV 2 587 srv1.example.com  10  3600
_submission._tcp.example.com    SRV 1 587 srv2.example.com  10  3600

I've turned srv1.example.com off but my email clients just time out and never seem to contact srv2.example.com (short TTLs are for testing).

Online DNS tools never seem to show my SRV records, but I believe that is normal behavior.

  1. Am I doing something wrong here?
  2. Or does it maybe take a long time before mail clients start using these records (as in 48 hours)?
  3. Do I need to put something specific in my email client? (which target host)

Email clients tried: Mozilla Thunderbird, iOS Mail

This is what dig gives:

;; QUESTION SECTION:
;_imaps._tcp.example.com.      IN      SRV

;; ANSWER SECTION:
_imaps._tcp.example.com. 3600  IN      SRV     10 2 993 srv1.example.com.
_imaps._tcp.example.com. 3600  IN      SRV     10 1 993 srv2.example.com.

;; AUTHORITY SECTION:
example.com.           86400   IN      NS      ns3.nsdomain.com.
example.com.           86400   IN      NS      ns2.nsdomain.com.
example.com.           86400   IN      NS      ns1.nsdomain.com.

;; ADDITIONAL SECTION:
srv2.example.com.      2502    IN      A       203.0.113.2
srv1.example.com.      3600    IN      A       198.51.100.1

  • Do your email clients support SRV lookup/discovery for IMAP? My guess is that they don't. – joeqwerty Feb 16 '18 at 19:52
  • Give the real domain name, without obfuscation. Otherwise no one could see how the zone is really provisioned. Because the problem is either that the zone does not have the needed records **OR** they are correct but the clients do not use them. Since you provide neither the real zone nor details about the clients, it is impossible to separate the two cases. I will also edit your question to put valid IP addresses reserved for documentation, because 123.456.789.1 is doubly useless... – Patrick Mevzek Feb 16 '18 at 19:56
  • Also: which online DNS tools? Did you try with `dig`? – Patrick Mevzek Feb 16 '18 at 20:01
  • My email client is Thunderbird and iOS Mail for now... not sure what I should put in as the target address, as mail.example.com does not seem to work. I'm new to this SRV record thingie and not sure how to set things up. Why would you need the real domain name? The records are exactly the same except example.com is different... – Misterr Moron Feb 16 '18 at 20:11
  • I tried `dig _imaps._tcp.example.com` and it gave me two records in the answer section. I think the SRV records themselves are correctly defined; it's just, how do you use them? – Misterr Moron Feb 16 '18 at 20:25
  • For Thunderbird, in https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration : "We may add DNS SRV records as supported mechanism in the future, but we currently do not." – Patrick Mevzek Feb 16 '18 at 20:31
  • @MisterrMoron knowing the domain allows checking whether the zone has the correct records. You say you do not "see" them, so maybe the zone is wrong, who knows? – Patrick Mevzek Feb 16 '18 at 20:32
  • For iOS Mail, see https://apple.stackexchange.com/a/130546 – Patrick Mevzek Feb 16 '18 at 20:32
  • Because if the zone is **really** like written, nothing will work, as you lack a final dot on each label, so the current zone name would get added at the end of each label, resulting in completely different names... – Patrick Mevzek Feb 16 '18 at 20:34
  • Use `dig` with the `SRV` selector if you want to see SRV records, and add `@` + IP of one of your authoritative nameservers. First rule of DNS debugging: first check the authoritative resolvers, then the recursive ones, since the latter are feeding themselves off the former. – Patrick Mevzek Feb 16 '18 at 20:35
  • I've added the dig result. The missing dot at the end is just an interface "feature" of the webhoster I use. – Misterr Moron Feb 16 '18 at 20:54
  • My aim is to create mail failover and was hoping this DNS setup would be a solution. I'm on an OpenStack platform but their load balancer only supports HTTP and HTTPS failover as far as I can see. – Misterr Moron Feb 16 '18 at 21:02

1 Answer


The world is not ready for SRV records. Sigh, they have only existed since 1996...

https://www.rfc-editor.org/rfc/rfc2052
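
What the answer and the comments leave implicit is that an SRV record does nothing by itself: the client has to look it up, order the targets as RFC 2782 prescribes, and walk that list on connection failure (RFC 6186 is the profile that maps `_imaps._tcp` and `_submission._tcp` onto this for mail clients). The script below is an added example, not code from the question or the answer; it takes the `_imaps._tcp.example.com` answer section from the dig output above (pasted in as a constructed string rather than queried live), orders the targets per RFC 2782, and simulates a client connecting while srv1 is switched off. The network is simulated too: `REACHABLE` and `fake_connect` are stand-ins for a real TCP connect and are assumptions of the example. It also shows a point worth checking in the zone above: both records carry priority 10 and differ only in weight (2 vs 1), which RFC 2782 treats as weighted load sharing among equals, not as primary/backup; the `STRICT_FAILOVER` variant gives the backup a higher (less preferred) priority value so an SRV-aware client always tries srv1 first.

```python
"""RFC 2782 SRV target ordering with connect-time failover (added example).

The records are constructed from the dig output in the question above;
nothing here performs a live DNS query.
"""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed from the page's dig answer section: "name ttl IN SRV prio weight port target".
DIG_ANSWER = """\
_imaps._tcp.example.com. 3600  IN      SRV     10 2 993 srv1.example.com.
_imaps._tcp.example.com. 3600  IN      SRV     10 1 993 srv2.example.com.
"""


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_srv(text: str) -> List[Srv]:
    """Parse SRV lines in the format dig prints them; other lines are ignored."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3] != "SRV":
            continue
        records.append(Srv(int(fields[4]), int(fields[5]), int(fields[6]), fields[7]))
    return records


def order_targets(records: List[Srv], rng: random.Random) -> List[Srv]:
    """Order targets per RFC 2782: lowest priority value first; within one
    priority, weighted random selection using the RFC's running-sum method
    (weight-0 entries are placed first so they have only a small chance)."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)  # weight 0 entries to the front
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def connect_with_failover(records: List[Srv],
                          try_connect: Callable[[str, int], bool],
                          rng: Optional[random.Random] = None) -> Tuple[str, int]:
    """Walk the ordered target list and return the first (host, port) that accepts."""
    if rng is None:
        rng = random.Random()
    for r in order_targets(records, rng):
        if try_connect(r.target, r.port):
            return (r.target, r.port)
    raise ConnectionError("no SRV target reachable")


# Simulated network (assumption of this example): srv1 is off, as in the question.
REACHABLE = {"srv2.example.com."}


def fake_connect(host: str, port: int) -> bool:
    """Stand-in for a TCP connect; true only for reachable hosts on port 993."""
    return host in REACHABLE and port == 993


def first_choice_counts(records: List[Srv], trials: int = 300) -> Dict[str, int]:
    """How often each target is tried first over many orderings. With equal
    priorities this is weighted sharing (srv1 roughly 3 of 4 times here),
    not a primary/backup order."""
    counts: Dict[str, int] = {}
    for seed in range(trials):
        first = order_targets(records, random.Random(seed))[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts


# Strict failover variant: the backup gets a higher (less preferred) priority value.
STRICT_FAILOVER = [Srv(10, 1, 993, "srv1.example.com."),
                   Srv(20, 1, 993, "srv2.example.com.")]

if __name__ == "__main__":
    recs = parse_dig_srv(DIG_ANSWER)
    print("first choice, page records:", first_choice_counts(recs))
    print("first choice, strict failover:", first_choice_counts(STRICT_FAILOVER))
    print("connected to:", connect_with_failover(recs, fake_connect, random.Random(1)))
```

Either way the connection ends up at srv2 only because the client itself walks the list after srv1 refuses; a client that never issues the SRV query, which is what the comments establish for Thunderbird and iOS Mail at the time, sees none of this and simply times out on whatever hostname was typed into it.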