The messages sent to domain A with multiple mx records are not delivered, returned, and marked as undeliverable once the retry limit is reached. The first MX server for domain accepts a TCP connection. However, it does not respond with an SMTP banner.
After the InterScan Messaging Security Suite (IMSS) times out, it fails to try the second or third MX server for this domain. It attempts to deliver via the first MX server again, repeating the same process until the maximum number of delivery attempt expires.
This issue happens because IMSS is designed that way. If IMSS can establish the initial connection but failed to send the mail, IMSS will not try to send it to the next MX or A record. However, if IMSS already has problems connecting to the downstream MTA (e.g. TCP handshake failed) or it received a 4xx response, then IMSS will try to send the mail to the next MX or A record.
If there is just a delay sending the SMTP banner, you may increase the "IdleWaitingSecond" value to "300" (5 mins) as a workaround. This allows IMSS to wait until it receives a response from the remote MTA server.
- Go to the ..Program Files\Trend Micro\IMSS\ config folder.
- Locate and back up the tsmtpd.ini file.
- Open the original tsmtpd.ini file using a text editor.
- Look for the "IdleWaitingSecond=30" parameter and change the value to "60".
- Make sure that the "#" sign is removed to enable the parameter.
- Save and close the file.
- Restart the following services:
- Trend Micro IMSS SMTP service
- Trend Micro Scanner service
If there is no banner response being sent back, or if the respond takes too long (more than 5 minutes), you can create a smarthost entry for domain A, and then assign the second and third MX record IP to prevent IMSS from sending mails to slow-responding MTA.