Why is my email broken? cPanel, CNAMEs and MX records

I have set up dozens of web application firewalls (WAFs), but I’m often asked to fix other people’s setups after they’ve had a go at setting them up themselves.

The most common issue I see always has the same cause: the default DNS configuration for a domain and web server combination package from the major retailers is configured something like this:

[Image: default-dns]

What happens is this: the user changes the DNS “A” record for the “naked domain” from the server’s IP address to the firewall’s IP address. The website is nice and secure and, if the firewall has a proxy, fast. But a few hours later they realise that they have no email. Of course they contact the firewall vendor, who will tell them their mail.domain.com is pointing to the web firewall, that they should point it back to the hosting server, and that they can do that in cPanel.

Now this is where it gets frustrating for them. They try to connect to their cPanel, but that fails: both cpanel.domain.com and domain.com:8023 are also pointing to the web firewall. Web application firewalls only protect websites, not control panels or email, so they just reject non-website traffic.

So they will now ask “why can’t I connect to my cPanel?”, and they will learn that 192.169.0.1:8023 will work.

And the frustration will only get worse when they change their mail. CNAME record to an “A” record, give it the correct IP address, and still the email is not flowing. One way or the other they will learn that the MX record, the one that actually directs the mail where to go, is still pointing to the “naked domain”, domain.com. They would have noticed this, but for some inexplicable reason many of these default domain control panels have separated MX record management from DNS management, putting it in the Email management section. Personally I think they should put it in both sections.

But the maddening thing is, the RFCs that are authoritative on internet protocols and “stuff” like DNS and MX records say that an MX record should not be a CNAME. It’s actually common sense if you think about it: it’s an extra DNS lookup every time you send an email, on both sides, for the sender and for the receiver if they are doing reverse lookups.
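The failure chain described above, as an added example that is not part of the original post: a small Python audit over a constructed zone that flags MX targets and the mail and cpanel hostnames that end up at the firewall, and MX targets that are CNAMEs. The domain example.com, both IP addresses and the function names are assumptions made for the illustration.

```python
# Constructed sample data: example.com and both IPs are placeholders.
WAF_IP = "203.0.113.10"    # assumed WAF address
ORIGIN_IP = "192.0.2.20"   # assumed hosting server address

# Default layout after only the naked-domain A record was moved to the WAF.
AFTER_WAF = {
    ("example.com", "A"): [WAF_IP],
    ("www.example.com", "CNAME"): ["example.com"],
    ("mail.example.com", "CNAME"): ["example.com"],
    ("cpanel.example.com", "CNAME"): ["example.com"],
    ("example.com", "MX"): ["example.com"],
}

# Corrected layout: mail and cPanel names get their own A records at the
# hosting server, and the MX record targets the mail hostname.
FIXED = dict(AFTER_WAF)
del FIXED[("mail.example.com", "CNAME")]
del FIXED[("cpanel.example.com", "CNAME")]
FIXED[("mail.example.com", "A")] = [ORIGIN_IP]
FIXED[("cpanel.example.com", "A")] = [ORIGIN_IP]
FIXED[("example.com", "MX")] = ["mail.example.com"]

def resolve(zone, name, hops=0):
    """Follow CNAMEs to A records; return (ip_list, cname_hops)."""
    if hops > 8:
        raise ValueError(f"CNAME loop at {name}")
    alias = zone.get((name, "CNAME"))
    if alias:
        return resolve(zone, alias[0], hops + 1)
    return zone.get((name, "A"), []), hops

def audit(zone, domain, waf_ip, non_web=("mail", "cpanel")):
    """List MX targets and non-web hostnames that end up at the WAF."""
    findings = []
    for target in zone.get((domain, "MX"), []):
        ips, hops = resolve(zone, target)
        if hops:
            findings.append(f"MX target {target} is a CNAME")
        if waf_ip in ips:
            findings.append(f"MX target {target} resolves to WAF {waf_ip}")
    for label in non_web:
        host = f"{label}.{domain}"
        ips, _ = resolve(zone, host)
        if waf_ip in ips:
            findings.append(f"{host} resolves to WAF {waf_ip}")
    return findings

if __name__ == "__main__":
    for name, zone in (("after WAF change", AFTER_WAF), ("fixed", FIXED)):
        print(name, audit(zone, "example.com", WAF_IP) or "OK")
```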

Anyway, rant over. Not only does this cause the issues I’ve highlighted, it’s just not best practice. But “everyone” is doing it, causing a lot of frustration for users, many of whom are moving to a firewall following some sort of traumatic “event”, probably a malware or DDoS attack.
