Disclaimer - the behaviour I'm describing *may* be completely irregular, as it is fairly certain the system has been tampered with.

I am having problems getting a forward SMTP relay server (currently running "plain vanilla" 2003 Server SMTP) to route incoming mail via DNS. There are MX records for both of the mail servers for the domain, and when I packet sniff using Ethereal, you can see the MX queries and responses being returned correctly. But for some reason the SMTP service then tries to connect to the domain controllers (and obviously fails) to deliver the mail.

I notice that there are host (A) records with the same IP addresses as the Windows Domain Controllers for the parent domain in DNS; if I delete them and then run `ipconfig /registerdns`, they are re-added. I can't remember if this is normal behaviour; if you try to manually add a host record for a domain, Windows prompts you that it is an invalid record (which is true).

From everything I have read, SMTP always uses an MX record to route mail first, but I was wondering if there is some way for someone to maliciously alter this?
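
A check for the symptom described above, as an added example that is not part of the original post: it compares the addresses the SMTP service was seen connecting to in a capture against the targets that MX-first routing (RFC 5321 section 5.1) would produce from the DNS answers. The domain name, addresses and function names are constructed for illustration.

```python
# Constructed sample data (example.test names, RFC 5737 addresses); not from the post.
MX = {"example.test": [(10, "mail1.example.test"), (20, "mail2.example.test")]}
A = {
    "mail1.example.test": ["192.0.2.10"],
    "mail2.example.test": ["192.0.2.11"],
    # A records on the domain name itself, e.g. those registered by domain controllers
    "example.test": ["198.51.100.5", "198.51.100.6"],
}


def expected_targets(domain, mx, a):
    """Delivery targets per RFC 5321 5.1: MX hosts in preference order;
    the domain's own A records are used only when no MX record exists."""
    records = sorted(mx.get(domain, []))
    if records:
        return [ip for _, host in records for ip in a.get(host, [])]
    return list(a.get(domain, []))


def classify(domain, observed, mx, a):
    """Label each observed connection target against the DNS data."""
    expected = set(expected_targets(domain, mx, a))
    apex = set(a.get(domain, []))
    result = {}
    for ip in observed:
        if ip in expected:
            result[ip] = "expected"
        elif ip in apex:
            # MX records exist, yet the sender used the domain's own A record
            result[ip] = "apex-A-despite-MX"
        else:
            # Target appears in neither record set: check hosts file, smart host
            # setting, or a resolver returning different answers to the service
            result[ip] = "unexplained"
    return result


if __name__ == "__main__":
    seen = ["192.0.2.10", "198.51.100.5", "203.0.113.9"]  # constructed capture summary
    for ip, label in classify("example.test", seen, MX, A).items():
        print(ip, label)
```
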