Postfix 2.6.6: unexpected behavior in face of nameserver misconfiguration


ben+postfix-users
Scenario: a nameserver is misconfigured such that it doesn't set the "recursion available" (ra) bit on its replies. Postfix's relayhost has an A record but no MX record, and is specified in main.cf without [] brackets around it.

What I see is that Postfix 2.6.6 looks up the MX record, receives a successful negative reply (but with the ra bit unset), and defers with "Host or domain name not found. Name service error for name=[REDACTED] type=MX: Host not found, try again".

RFC 5321 section 5.1:

The lookup first attempts to locate an MX record associated with the name.  If a CNAME record is found, the resulting name is processed as if it were the initial name.  If a non-existent domain error is returned, this situation MUST be reported as an error.  If a temporary error is returned, the message MUST be queued and retried later (see Section 4.5.4.1).

Is a response with 'ra' unset an error? If not, then I'd expect Postfix to continue to the "implicit MX" behavior and look up the A record. If so, then I guess the observed behavior is correct. What do you think?

Best regards,
-- 
Ben Rosengart
2.3.2 418 I'm a teapot
Any attempt to brew coffee with a teapot should result in the error code
"418 I'm a teapot".  The resulting entity body MAY be short and stout.

Re: Postfix 2.6.6: unexpected behavior in face of nameserver misconfiguration

Viktor Dukhovni


> On Dec 10, 2018, at 7:23 PM, [hidden email] wrote:
>
> Scenario: a nameserver is misconfigured such that it doesn't set the "recursion available" (ra) bit on its replies. Postfix's relayhost has an A record but no MX record, and is specified in main.cf without [] brackets around it.

Postfix does not inspect the "RD/RA" bit in DNS replies.  That's up to your
system resolver library.  The RA bit may be a red herring; quite possibly
something else is the real issue.

> What I see is that Postfix 2.6.6 looks up the MX record, receives a successful negative
> reply (but with the ra bit unset), and defers with "Host or domain name not found. Name
> service error for name=[REDACTED] type=MX: Host not found, try again".

The error code is generated by your system resolver library.

Postfix is just the messenger.

--
        Viktor.
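
The following is an added example, not code from the thread, Postfix, or any resolver library. It decodes the header of a DNS reply, reports the RA bit on its own, and classifies an MX reply by RCODE and answer count along the lines of RFC 5321 section 5.1. The function names and the sample headers are constructed for illustration, and treating every RCODE other than NOERROR and NXDOMAIN as temporary is an assumption of the example.

```python
import struct

NOERROR, NXDOMAIN = 0, 3  # RCODE values, RFC 1035 section 4.1.1

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: the header is 12 bytes")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),  # set on responses
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired, echoed from the query
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }

def mx_outcome(hdr: dict) -> str:
    """Classify an MX reply by RCODE and answer count only; RA is ignored."""
    if not hdr["qr"]:
        raise ValueError("message is a query, not a response")
    if hdr["rcode"] == NXDOMAIN:
        return "error"        # non-existent domain
    if hdr["rcode"] != NOERROR:
        return "defer"        # assumption: every other RCODE is temporary
    if hdr["ancount"] == 0:
        return "implicit-mx"  # empty MX list: fall back to address records
    return "use-mx"           # simplification: answers are not checked for CNAME

def report(msg: bytes) -> tuple:
    """Return (RA bit, RFC 5321 outcome) for one raw DNS reply."""
    hdr = parse_header(msg)
    return hdr["ra"], mx_outcome(hdr)

def _reply(flags: int, ancount: int) -> bytes:
    """Build a header-only reply with a constructed ID and one question."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample headers (not captured traffic).
SAMPLES = {
    "noerror_empty_ra_unset": _reply(0x8100, 0),
    "noerror_empty_ra_set": _reply(0x8180, 0),
    "nxdomain": _reply(0x8183, 0),
    "servfail": _reply(0x8182, 0),
    "one_answer": _reply(0x8180, 1),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, report(msg))
```

Running the same decoding over a reply captured from the nameserver in question shows whether the flags and RCODE on the wire match what the resolver library reported to the application.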