About messages bounced due name resolution issues using IPv6

Re: About messages bounced due name resolution issues using IPv6

Viktor Dukhovni
On Thu, Dec 03, 2020 at 11:22:29PM -0200, Viktor Dukhovni wrote:

> The only possible explanations are:
>
>    - Your resolver erroneously reported NODATA for IPv4
>    - The authoritative nameservers reported NODATA for IPv4
>    - Neither of us was able to spot a subtle bug
>
> To distinguish between these, it would be helpful if you
> set:
>
>    debug_peer_list = another-example-com.mail.protection.outlook.com
>    debug_peer_level = 1

Unfortunately, it looks like "debug_peer_list" kicks in only after
connection establishment, and produces verbose logging of the SMTP
dialogue, but does not cover DNS resolution.  For the latter, you'd
need a dedicated transport, with "smtp -v" in master.cf.

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        transport_maps = ${indexed}transport

    transport:
        another-example.com     debug-smtp

    master.cf:
        # Just like "smtp", but with "-v"
        debug-smtp unix ... smtp -v

--
    Viktor.

Re: About messages bounced due name resolution issues using IPv6

Sergio Belkin
On Tue, Dec 8, 2020 at 17:50, Viktor Dukhovni (<[hidden email]>) wrote:
> On Thu, Dec 03, 2020 at 11:22:29PM -0200, Viktor Dukhovni wrote:
>
> > The only possible explanations are:
> >
> >    - Your resolver erroneously reported NODATA for IPv4
> >    - The authoritative nameservers reported NODATA for IPv4
> >    - Neither of us was able to spot a subtle bug
> >
> > To distinguish between these, it would be helpful if you
> > set:
> >
> >    debug_peer_list = another-example-com.mail.protection.outlook.com
> >    debug_peer_level = 1
>
> Unfortunately, it looks like "debug_peer_list" kicks in only after
> connection establishment, and produces verbose logging of the SMTP
> dialogue, but does not cover DNS resolution.  For the latter, you'd
> need a dedicated transport, with "smtp -v" in master.cf.
>
>     main.cf:
>         indexed = ${default_database_type}:${config_directory}/
>         transport_maps = ${indexed}transport
>
>     transport:
>         another-example.com     debug-smtp
>
>     master.cf:
>         # Just like "smtp", but with "-v"
>         debug-smtp unix ... smtp -v
>
> --
>     Viktor.

Viktor, I'm considering replacing dnsmasq with unbound. Meanwhile, I'm logging the DNS queries made by dnsmasq.
The debug method you suggest needs SNI support, doesn't it? Because my postfix version lacks support for it :(

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

Re: About messages bounced due name resolution issues using IPv6

Viktor Dukhovni
> On Dec 11, 2020, at 12:21 PM, Sergio Belkin <[hidden email]> wrote:
>
> Viktor, I'm considering replacing dnsmasq with unbound. Meanwhile, I'm logging the DNS queries made by dnsmasq.
> The debug method you suggest needs SNI support, doesn't it? Because my postfix version lacks support for it :(

No, SNI is not needed and completely irrelevant here.

--
        Viktor.


Re: About messages bounced due name resolution issues using IPv6

Sergio Belkin
On Fri, Dec 11, 2020 at 12:30, Viktor Dukhovni (<[hidden email]>) wrote:
> > On Dec 11, 2020, at 12:21 PM, Sergio Belkin <[hidden email]> wrote:
> >
> > Viktor, I'm considering replacing dnsmasq with unbound. Meanwhile, I'm logging the DNS queries made by dnsmasq.
> > The debug method you suggest needs SNI support, doesn't it? Because my postfix version lacks support for it :(
>
> No, SNI is not needed and completely irrelevant here.
>
> --
>         Viktor.


Ok, I thought so because of the 'indexed' parameter, which I didn't find in the documentation except in tls_server_sni_maps (http://www.postfix.org/postconf.5.html)
Is that parameter supported in postfix 2.10.1?

--
--
Sergio Belkin
LPIC-2 Certified - http://www.lpi.org

Re: About messages bounced due name resolution issues using IPv6

Wietse Venema
Sergio Belkin:

> On Fri, Dec 11, 2020 at 12:30, Viktor Dukhovni (<[hidden email]>) wrote:
>
> > > On Dec 11, 2020, at 12:21 PM, Sergio Belkin <[hidden email]> wrote:
> > >
> > > Viktor, I'm considering replacing dnsmasq with unbound. Meanwhile, I'm
> > > logging the DNS queries made by dnsmasq.
> > > The debug method you suggest needs SNI support, doesn't it? Because my
> > > postfix version lacks support for it :(
> >
> > No, SNI is not needed and completely irrelevant here.
> >
> > --
> >         Viktor.
> >
> >
> Ok, I thought so because of the 'indexed' parameter, which I didn't find in
> the documentation except in tls_server_sni_maps (
> http://www.postfix.org/postconf.5.html)
> Is that parameter supported in postfix 2.10.1?

Again, SNI is irrelevant to the issue.

        Wietse

Re: About messages bounced due name resolution issues using IPv6

Viktor Dukhovni
In reply to this post by Sergio Belkin
> On Dec 11, 2020, at 1:46 PM, Sergio Belkin <[hidden email]> wrote:
>
> Ok, I thought so because of the 'indexed' parameter, which I didn't find in the documentation except in tls_server_sni_maps (http://www.postfix.org/postconf.5.html)
> Is that parameter supported in postfix 2.10.1?

There is no built-in "indexed" parameter.  It is just a convenience
macro I use to avoid repeating myself in map definitions and to avoid
hardcoding the default map type and location in multiple places.

You can define and use whatever variables you want in main.cf,
for another example:

        my_pcre = pcre:${config_directory}/
        header_checks = ${my_pcre}header-checks.pcre

--
        Viktor.
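
The user-defined `${indexed}` and `${my_pcre}` macros described in the message above, as an added example (not code from the thread or from Postfix): a small Python expander for simple `$name`, `${name}` and `$(name)` references in main.cf text. The sample file and the values given to `config_directory` and `default_database_type` are assumptions; raising an error on an undefined name is a choice made by this example.

```python
import re

# Constructed sample built from the main.cf fragments quoted in this thread.
# config_directory and default_database_type are set explicitly (assumed
# values); on a real system they come from Postfix's built-in defaults.
SAMPLE_MAIN_CF = """\
config_directory = /etc/postfix
default_database_type = hash
# user-defined convenience macros, not built-in parameters
indexed = ${default_database_type}:${config_directory}/
my_pcre = pcre:${config_directory}/
transport_maps = ${indexed}transport
header_checks =
    ${my_pcre}header-checks.pcre
"""

# Matches ${name}, $(name) and $name; conditional forms are left untouched.
REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")

def parse_main_cf(text):
    """Map each parameter name to its raw, unexpanded value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if line[0].isspace() and current is not None:
            # leading whitespace continues the previous logical line
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def expand(name, params, _seen=()):
    """Recursively substitute references in params[name]."""
    if name in _seen:
        raise ValueError("circular reference: " + " -> ".join(_seen + (name,)))

    def substitute(match):
        ref = match.group(1) or match.group(2) or match.group(3)
        if ref not in params:
            # Design choice of this example: fail loudly on a misspelled macro.
            raise KeyError(f"{name} references undefined parameter {ref}")
        return expand(ref, params, _seen + (name,))

    return REF.sub(substitute, params[name])
```

On a live system, `postconf -x transport_maps` (Postfix 2.10 and later) prints the value as Postfix itself expands it.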
