4xx when host not found


4xx when host not found

Helmut Schneider
Hi,

I'm running postfix with spamassassin as a relay (before-queue). The host is
connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=<info@>,
relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
(Host or domain name not found. Name service error for name=exchange01
type=AAAA: Host not found)

I already created an entry in the hosts file without success.

Where can I change the DSN to 4xx and ensure that mails are delivered when
the tunnel is up again?

helmut@h2786452:~$ postfix.sh -l
Getting Instances ... done
Instance '-': -               -               y         /etc/postfix
Instance 'postfix-in': postfix-in      -               y         /etc/postfix-in
Instance 'postfix-out': postfix-out     -               y         /etc/postfix-out
helmut@h2786452:~$

Thank you!


Re: 4xx when host not found

Bill Cole-3
On 16 Sep 2019, at 7:44, Helmut Schneider wrote:

> I already created an entry in the hosts file without success.

This (name resolution) is the ideal place to address your problem. If
your OS name resolver is not using an entry in your hosts file, it may
be because the entry isn't correct OR because your nsswitch.conf file
directs the resolver to ask DNS first. If you're running a system that
does not use nsswitch.conf and can't be made to check local files first,
you may benefit from running a recursing/caching resolver daemon like
Unbound which supports its own local data.

Note that hosts file entries are ONLY for A and AAAA resolution, NOT MX
resolution, so if you are routing mail in Postfix via a mechanism that
does MX resolution and you have a cached MX record from the last time
that the VPN was up, it is possible that you are chasing a name that is
different from what you expect.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)

Re: 4xx when host not found

Helmut Schneider
Bill Cole wrote:

> On 16 Sep 2019, at 7:44, Helmut Schneider wrote:
>
> > I already created an entry in the hosts file without success.
>
> This (name resolution) is the ideal place to address your problem. If
> your OS name resolver is not using an entry in your hosts file, it
> may be because the entry isn't correct OR because your nsswitch.conf
> file directs the resolver to ask DNS first. If you're running a
> system that does not use nsswitch.conf and can't be made to check
> local files first, you may benefit from running a recursing/caching
> resolver daemon like Unbound which supports its own local data.

Ubuntu 16.

> Note that hosts file entries are ONLY for A and AAAA resolution, NOT
> MX resolution, so if you are routing mail in Postfix via a mechanism
> that does MX resolution and you have a cached MX record from the last
> time that the VPN was up, it is possible that you are chasing a name
> that is different from what you expect.

The transport address is static via a transport file.

I'm wondering about the "type=AAAA", is postfix trying to resolve ip6
first? The remote host does not have a static ip6 address so an entry
in /etc/hosts makes no sense.

Anyway, no way to tell postfix that resolving a remote host is a
temporary and not a permanent problem?


Re: 4xx when host not found

Viktor Dukhovni
In reply to this post by Helmut Schneider
On Mon, Sep 16, 2019 at 01:44:38PM +0200, Helmut Schneider wrote:

> Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=<info@>,
> relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
> (Host or domain name not found. Name service error for name=exchange01
> type=AAAA: Host not found)

You should explain how the name "exchange01" becomes the nexthop
destination for mail to "<info@>" (which does not look like a
valid email address).

> I already created an entry in the hosts file without success.

By default, the Postfix smtp(8) delivery agent does not consult
/etc/hosts:

        http://www.postfix.org/postconf.5.html#smtp_host_lookup

> Where can I change the DSN to 4xx and ensure that mails are delivered when
> the tunnel is up again?

Normally, if a tunnel goes down, DNS lookups that require access
to a server on the far side of the tunnel tempfail, and Postfix
would automatically return 4XX.  If your system returns hard errors
when the network is partly down, then that's a configuration defect
with the system.

--
        Viktor.

Re: 4xx when host not found

Helmut Schneider
Viktor Dukhovni wrote:

> On Mon, Sep 16, 2019 at 01:44:38PM +0200, Helmut Schneider wrote:
>
> > Where can I change the DSN to 4xx and ensure that mails are
> > delivered when the tunnel is up again?
>
> Normally, if a tunnel goes down, DNS lookups that require access
> to a server on the far side of the tunnel tempfail, and Postfix
> would automatically return 4XX.  If your system returns hard errors
> when the network is partly down, then that's a configuration defect
> with the system.

Well, I add / remove internal DNS entries on OpenVPN start / stop. But
I also have other (public) DNS servers in /etc/resolv.conf. And when
the internal ones are not available there is no tempfail because the
public servers reply with NXDOMAIN. I might be wrong but I see no
"defect" here.

smtp_delivery_status_filter does what I need.
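
The rewrite discussed above, as an added Python example that is not part of the thread: it parses smtp(8) log records like the one quoted and applies one status-filter style rule to show which deliveries would change from bounced to deferred. The sample log lines, the rule and the pcre rendering in its comment are constructed assumptions.

```python
import re

# Constructed sample records shaped like the log line quoted in the thread;
# queue IDs, addresses and the 10.8.0.2 relay are made up for illustration.
SAMPLE_LOG = """\
Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=<info@example.test>, relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=exchange01 type=AAAA: Host not found)
Sep 16 06:09:41 h2786452 postfix-in/smtp[12940]: 2A7C13E04AB: to=<info@example.test>, relay=none, delay=30, delays=0.01/0/30/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=exchange01 type=A: Host not found, try again)
Sep 16 06:10:02 h2786452 postfix-in/smtp[12941]: 3B8D24E04AC: to=<nobody@example.test>, relay=10.8.0.2[10.8.0.2]:25, delay=0.2, delays=0.01/0/0.1/0.09, dsn=5.1.1, status=bounced (host 10.8.0.2[10.8.0.2] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
"""

# One smtp(8) delivery record: queue ID, DSN, status and the parenthesised text.
RECORD = re.compile(
    r"postfix-in/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>,"
    r".*? dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)

# Python rendering of a single status-filter rule. The filter input is
# "<enhanced status> <text>"; a match swaps the leading 5 for a 4. A pcre table
# line with the same effect (constructed, not posted in the thread) would be:
#   /^5(\.4\.4 Host or domain name not found\. .* name=exchange01 .*)/ 4$1
# The rule is pinned to name=exchange01 so that NXDOMAIN for any other
# nexthop still bounces instead of sitting in the queue.
RULE = re.compile(
    r"^5(\.4\.4 Host or domain name not found\. .* name=exchange01 .*)"
)

def apply_filter(dsn, text):
    """Return (dsn, text) after the rule; unchanged when it does not match."""
    m = RULE.match(f"{dsn} {text}")
    if not m:
        return dsn, text
    new_dsn, new_text = ("4" + m.group(1)).split(" ", 1)
    return new_dsn, new_text

def review(log):
    """List (queue_id, logged_dsn, filtered_dsn, outcome) per delivery record."""
    outcome = {"2": "sent", "4": "deferred", "5": "bounced"}
    rows = []
    for line in log.splitlines():
        m = RECORD.search(line)
        if m:
            dsn, _ = apply_filter(m["dsn"], m["text"])
            rows.append((m["qid"], m["dsn"], dsn, outcome[dsn[0]]))
    return rows

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
```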


Re: 4xx when host not found

Matus UHLAR - fantomas
>> On Mon, Sep 16, 2019 at 01:44:38PM +0200, Helmut Schneider wrote:
>>
>> > Where can I change the DSN to 4xx and ensure that mails are
>> > delivered when the tunnel is up again?

>Viktor Dukhovni wrote:
>> Normally, if a tunnel goes down, DNS lookups that require access
>> to a server on the far side of the tunnel tempfail, and Postfix
>> would automatically return 4XX.  If your system returns hard errors
>> when the network is partly down, then that's a configuration defect
>> with the system.

On 17.09.19 09:07, Helmut Schneider wrote:
>Well, I add / remove internal DNS entries on OpenVPN start / stop.

This is your problem then.  If you remove the record, it clearly doesn't exist
anymore. You should want the record to exist, but be unreachable.

> But I also have other (public) DNS servers in /etc/resolv.conf.  And when
> the internal ones are not available there is no tempfail because the
> public servers reply with NXDOMAIN.

And this is another part of the problem. Using nameservers that clearly
return NXDOMAIN for internal hosts is not a good idea.

>I might be wrong but I see no "defect" here.
>
>smtp_delivery_status_filter does what I need.

yes, smtp_delivery_status_filter is a workaround to the defective design you
use.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

Re: 4xx when host not found

Helmut Schneider
Matus UHLAR - fantomas wrote:

> > But I also have other (public) DNS servers in /etc/resolv.conf.
> > And when the internal ones are not available there is no tempfail
> > because the public servers reply with NXDOMAIN.
>
> And this is another part of the problem. Using nameservers that
> clearly return NXDOMAIN for internal hosts is not a good idea.
>
> > I might be wrong but I see no "defect" here.
> >
> > smtp_delivery_status_filter does what I need.
>
> yes, smtp_delivery_status_filter is a workaround to the defective
> design you use.

I'm open for improvements. It's for my home usage, a relay in the
internet with a static ip forwarding mails to my server at home with an
ip changing every 24h connected via OpenVPN. What are your suggestions?


Re: 4xx when host not found

Jan Ceuleers
On 18/09/2019 10:15, Helmut Schneider wrote:
> I'm open for improvements. It's for my home usage, a relay in the
> internet with a static ip forwarding mails to my server at home with an
> ip changing every 24h connected via OpenVPN. What are your suggestions?
>
>
Fetchmail?


Re: 4xx when host not found

Erwan David
On 18/09/2019 at 14:10, Jan Ceuleers wrote:
> On 18/09/2019 10:15, Helmut Schneider wrote:
>> I'm open for improvements. It's for my home usage, a relay in the
>> internet with a static ip forwarding mails to my server at home with an
>> ip changing every 24h connected via OpenVPN. What are your suggestions?
>>
>>
> Fetchmail?
>
>
Fetchmail loses information, UUCP would be more fitted to this task
(no need to separate mailboxes upstream).



Re: 4xx when host not found

Matus UHLAR - fantomas
>> On 18/09/2019 10:15, Helmut Schneider wrote:
>>> I'm open for improvements. It's for my home usage, a relay in the
>>> internet with a static ip forwarding mails to my server at home with an
>>> ip changing every 24h connected via OpenVPN. What are your suggestions?

>On 18/09/2019 at 14:10, Jan Ceuleers wrote:
>> Fetchmail?

On 18.09.19 14:19, Erwan David wrote:
>Fetchmail loses information, UUCP would be more fitted to this task
>(no need to separate mailboxes upstream).

which information does it lose?

transport map pointing to internal (openvpn) static IP could work too, and
doesn't require playing with DNS.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.

Re: 4xx when host not found

Erwan David
On 18/09/2019 at 14:44, Matus UHLAR - fantomas wrote:

>>> On 18/09/2019 10:15, Helmut Schneider wrote:
>>>> I'm open for improvements. It's for my home usage, a relay in the
>>>> internet with a static ip forwarding mails to my server at home
>>>> with an
>>>> ip changing every 24h connected via OpenVPN. What are your suggestions?
>
>> On 18/09/2019 at 14:10, Jan Ceuleers wrote:
>>> Fetchmail?
>
> On 18.09.19 14:19, Erwan David wrote:
>> Fetchmail loses information, UUCP would be more fitted to this task
>> (no need to separate mailboxes upstream).
>
> which information does it lose?


The envelope...


> transport map pointing to internal (openvpn) static IP could work too,
> and
> doesn't require playing with DNS.
>
Yes it could work



Re: 4xx when host not found

Arjen Van Drie
In reply to this post by Jan Ceuleers


On 9/18/19 2:10 PM, Jan Ceuleers wrote:
> On 18/09/2019 10:15, Helmut Schneider wrote:
>> I'm open for improvements. It's for my home usage, a relay in the
>> internet with a static ip forwarding mails to my server at home with an
>> ip changing every 24h connected via OpenVPN. What are your suggestions?
>>
>>
> Fetchmail?
>

ehlo?



Re: 4xx when host not found

Matus UHLAR - fantomas
In reply to this post by Erwan David
>>>> On 18/09/2019 10:15, Helmut Schneider wrote:
>>>>> I'm open for improvements. It's for my home usage, a relay in the
>>>>> internet with a static ip forwarding mails to my server at home
>>>>> with an
>>>>> ip changing every 24h connected via OpenVPN. What are your suggestions?
>>
>>> On 18/09/2019 at 14:10, Jan Ceuleers wrote:
>>>> Fetchmail?
>>
>> On 18.09.19 14:19, Erwan David wrote:
>>> Fetchmail loses information, UUCP would be more fitted to this task
>>> (no need to separate mailboxes upstream).

>On 18/09/2019 at 14:44, Matus UHLAR - fantomas wrote:
>> which information does it lose?

On 18.09.19 14:53, Erwan David wrote:
>The envelope...

the envelope addresses can be added on the remote host.
If the OP is postmaster on both hosts, this should not be a problem.

And, fetchmail would mean no queue delays, temporary failures, queueing for
"unlimited" time...

>> transport map pointing to internal (openvpn) static IP could work too,
>> and doesn't require playing with DNS.

>Yes it could work

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: 4xx when host not found

Viktor Dukhovni
In reply to this post by Helmut Schneider
On Wed, Sep 18, 2019 at 08:15:28AM -0000, Helmut Schneider wrote:

> > > smtp_delivery_status_filter does what I need.
> >
> > yes, smtp_delivery_status_filter is a workaround to the defective
> > design you use.
>
> I'm open for improvements. It's for my home usage, a relay in the
> internet with a static ip forwarding mails to my server at home with an
> ip changing every 24h connected via OpenVPN. What are your suggestions?

An improvement would be to configure your system to have the local
resolver immediately return "SERVFAIL" for the no-longer-reachable
domains when the VPN is down.  That would avoid long delays in
applications waiting to resolve known unreachable hosts, but avoid
false NXDOMAIN answers.

--
        Viktor.