Non Deliverable or Bounce Messages are not coming back

03/26/2020 1111 12201

DESCRIPTION:

Non Deliverable or Bounce messages are not coming back. How to configure a internal MX record on a Microsoft DNS server. 

Unable to receive bounced/undelivered/log emails when using email security. The email security does use the extrenal MX-record which is used on the internet.

RESOLUTION:

If the client has a UTM with EnhancedOS, a loopback rule can be created. However, the recommended resolution is to create an internal MX record. This document explains how to create such a mx record.

Requirements: Microsoft DNS server (which is used by the email sec in the host configuration)

Example: Windows 2003 SP1

Procedure:

• Start the DNS manager snap-in.

• The client should already have a local forward lookup zone, similar to:

For the purposes of this example, the mail server is represented by the record “server” pointing to 192.168.100.25. 

• In the local lookup zone, ensure that an A host record exists for both the email security and the email server

• Create a new forward lookup zone, this one with the public domain (eg. sonicwall.com)

(right click on “Forward Lookup Zones” | New Zone). In the options that follow, ensure that “primary zone” is selected and enter the public zone in the zone name. All the other options can be left as default. You should have something similar to:

• In the new zone, create a new MX record:

In the dialog box leave everything as is, and click the “browse” button: 

Click on the server | forward lookup zones and then click on the local domain and select the mail server:

Click OK, and the internal MX record is created. To ensure all is as it should, run nslookup and type: 

> set type=mx
> sonicwall.com (or whatever the public domain is)

And you should get an output similar to:

Note:
- The internet address is the address of the mail server, the internal MX record has been created successfully.
- For these changes to propagate to the email security appliance, the DNS cache must be flushed. This happens periodically however to flush this manually obtain SSH access to the device, point the device to a different DNS server, and change it back to force an update.