Warning about non-existent MX for destination domain

Catalin Bucur

Hello,

I have a question about how Postfix generates warning messages about non-existent domains, non-existent MX domain names, or timeouts connecting to a destination mail server. In fact, my real problem is that Postfix does not warn me about anything when I incorrectly write the domain name for an email address AND by chance that domain exists but does not have an MX record configured in its DNS.

For example for a non-existent domain I receive almost instantly the message "[hidden email]: Host or domain name not found. Name service error for name=asdasdasd.ro type=A: Host not found"
For an existing domain but without MX, I receive the error "Host or domain name not found. Name service error for name=onedomain.com type=MX: Host not found, try again)", but AFTER maximal_queue_lifetime, which is very annoying. In this case the sender finds out only after 5 days about the real problem.

Is there any way to modify the Postfix configuration to inform the sender about such a problem instantly and to keep retrying to send the message until maximal_queue_lifetime expires?

Thank you for your time.

Best regards,
Catalin


Re: Warning about non-existent MX for destination domain

Wietse Venema
Catalin Bucur:
> For an existing domain but without MX, I receive the error /"Host or
> domain name not found. Name service error for name=onedomain.com
> type=MX: Host not found, try again)"/, but AFTER
> /maximal_queue_lifetime/, which is very annoying. In this case the
> sender finds out only after 5 days about the real problem.

This is a problem with your DNS resolver WHICH IS NOT PART OF
POSTFIX. You need to use a better DNS resolver.

With a properly functioning resolver:

$ host -t mx www.postfix.org
www.postfix.org has no MX record

        Wietse

Re: Warning about non-existent MX for destination domain

Bill Cole-3
In reply to this post by Catalin Bucur
On 10 Mar 2020, at 10:26, Catalin Bucur wrote:

> Hello,
>
> I have a question about how Postfix generates warning messages about
> non-existent domains, non-existent MX domain names, or timeouts
> connecting to a destination mail server. In fact, my real problem is
> that Postfix does not warn me about anything when I incorrectly write
> the domain name for an email address AND by chance that domain exists
> but does not have an MX record configured in its DNS.
>
> For example for a non-existent domain I receive almost instantly the
> message /"[hidden email] <mailto:[hidden email]>: Host or domain
> name not found. Name service error for name=asdasdasd.ro type=A: Host
> not found"/
> For an existing domain but without MX, I receive the error /"Host or
> domain name not found. Name service error for name=onedomain.com
> type=MX: Host not found, try again)"/, but AFTER
> /maximal_queue_lifetime/, which is very annoying. In this case the
> sender finds out only after 5 days about the real problem.

This should only happen in cases where the target domain has no MX
record but does have an A record, and the host at the A record's IP has
no mail service.

Fallback to A records is a standard part of how SMTP works. MX records
are not required for mail delivery and never have been.

> Is there any way to modify the Postfix configuration to inform the
> sender about such a problem instantly and to keep retrying to send the
> message until /maximal_queue_lifetime/ expires?

Not instantly, but you CAN warn the user sooner by setting a short
non-zero delay_warning_time. It should probably be at least as long as a
slow DNS lookup might take.

From the postconf(5) man page:

   delay_warning_time (default: 0h)
     The time after which the sender receives a copy of the message of
     mail that is still queued.  The confirm_delay_cleared parameter
     controls sender notification when the delay clears up.

     To enable this feature, specify a non-zero time value (an integral
     value plus an optional one-letter suffix that specifies the time
     unit).

     Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
     The default time unit is h (hours).

     See also: delay_notice_recipient, notify_classes,
     confirm_delay_cleared.




--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: Warning about non-existent MX for destination domain

Catalin Bucur
In reply to this post by Wietse Venema
On 10/03/2020 17:16, Wietse Venema wrote:
> This is a problem with your DNS resolver WHICH IS NOT PART OF
> POSTFIX. You need to use a better DNS resolver.
>
> With a properly functioning resolver:
>
> $ host -t mx www.postfix.org
> www.postfix.org has no MX record
>
> 	Wietse

You didn't understand my issue, you didn't read enough of my message, or I wasn't clear enough.
It's not MY DNS issue; in fact it's not really a DNS issue. Again:
 1. I want to send mail to [hidden email]
 2. By mistake, I send the message to [hidden email] (note a missing 'i')
 3. doman.com exists, BUT it doesn't have an MX record defined
 4. my message stays in the queue until maximal_queue_lifetime expires and Postfix tries to resend it
 5. I DON'T receive any warning about that error until maximal_queue_lifetime expires (implicitly 5 days), and THIS is the real problem: I don't know that my message didn't arrive at its destination because I accidentally missed a letter in the destination domain name.

Regards,
Catalin Bucur

Re: Warning about non-existent MX for destination domain

Wietse Venema
Catalin Bucur:

> On 10/03/2020 17:16, Wietse Venema wrote:
> > This is a problem with your DNS resolver WHICH IS NOT PART OF
> > POSTFIX. You need to use a better DNS resolver.
> >
> > With a properly functioning resolver:
> >
> > $ host -t mx www.postfix.org
> > www.postfix.org has no MX record
> >
> > Wietse
>
> You didn't understand my issue, you didn't read enough of my message,
> or I wasn't clear enough.
> It's not MY DNS issue; in fact it's not really a DNS issue. Again:

You wrote:
> For an existing domain but without MX, I receive the error /"Host or
> domain name not found. Name service error for name=onedomain.com
> type=MX: Host not found, try again)"/, but AFTER
> /maximal_queue_lifetime/, which is very annoying. In this case the

THAT is a DNS resolver issue. If a domain has no MX record the
resolver should say so IMMEDIATELY, instead of forever returning
NO RESPONSE.

Again, a proper resolver will IMMEDIATELY reply that the MX
record does not exist, allowing Postfix to proceed IMMEDIATELY.

With your broken resolver, Postfix gets NO RESPONSE, and therefore
it MUST NOT proceed.

        Wietse

Re: Warning about non-existent MX for destination domain

Gerald Galster
In reply to this post by Catalin Bucur

> On 10/03/2020 17:16, Wietse Venema wrote:
> > This is a problem with your DNS resolver WHICH IS NOT PART OF
> > POSTFIX. You need to use a better DNS resolver.
> >
> > With a properly functioning resolver:
> >
> > $ host -t mx www.postfix.org
> > www.postfix.org has no MX record
> >
> > 	Wietse
>
> You didn't understand my issue, you didn't read enough of my message, or I wasn't clear enough.
> It's not MY DNS issue; in fact it's not really a DNS issue. Again:
>  1. I want to send mail to [hidden email]
>  2. By mistake, I send the message to [hidden email] (note a missing 'i')
>  3. doman.com exists, BUT it doesn't have an MX record defined
>  4. my message stays in the queue until maximal_queue_lifetime expires and Postfix tries to resend it
>  5. I DON'T receive any warning about that error until maximal_queue_lifetime expires (implicitly 5 days), and THIS is the real problem: I don't know that my message didn't arrive at its destination because I accidentally missed a letter in the destination domain name.

In case there is no MX record the mail is delivered to the domain's ip (a/aaaa record).
It's up to the domain's administrator to set a NULL MX to prevent that, but it's quite new:

What postfix can do:

delay_warning_time (default: 0h)
       The time after which the sender receives a copy of the message headers of mail that is still queued

bounce_queue_lifetime = 4h
maximal_queue_lifetime = 1d
...

man 5 postconf

Best regards
Gerald

Re: Warning about non-existent MX for destination domain

Catalin Bucur
On 10/03/2020 17:57, Gerald Galster wrote:
> In case there is no MX record the mail is delivered to the domain's ip (a/aaaa record).
> It's up to the domain's administrator to set a NULL MX to prevent that, but it's quite new:
>
> What postfix can do:
>
> delay_warning_time (default: 0h)
>        The time after which the sender receives a copy of the message headers of mail that is still queued
>
> bounce_queue_lifetime = 4h
> maximal_queue_lifetime = 1d
> ...
>
> man 5 postconf
>
> Best regards
> Gerald

Gerald and Bill, you are both right; delay_warning_time is the parameter I was looking for.
Anyway, after setting up delay_warning_time=5m I noticed some warnings in logs:

Mar 10 17:52:02 mail postfix/bounce[7326]: warning: [built-in]: zero result in delay template conversion of parameter "delay_warning_time_hours"
Mar 10 17:52:02 mail postfix/bounce[7326]: warning: please reduce time unit "hours" of "delay_warning_time_hours" in delay template
Mar 10 17:52:02 mail postfix/bounce[7326]: warning: for instructions see the bounce(5) manual

Thank you for your help.

Best regards,
Catalin Bucur

Re: Warning about non-existent MX for destination domain

Catalin Bucur
In reply to this post by Wietse Venema
On 10/03/2020 17:55, Wietse Venema wrote:

> THAT is a DNS resolver issue. If a domain has no MX record the
> resolver should say so IMMEDIATELY, instead of forever returning
> NO RESPONSE.
>
> Again, a proper resolver will IMMEDIATELY reply that the MX
> record does not exist, allowing Postfix to proceed IMMEDIATELY.
>
> With your broken resolver, Postfix gets NO RESPONSE, and therefore
> it MUST NOT proceed.
>
> Wietse

You mean that I should modify the standard configuration of my DNS server
(resolver) to force a reply that the MX record does not exist, instead of
"Host doman.com not found: 2(SERVFAIL)"? I don't really know that my
actual nameserver configuration is a "broken" configuration; I believe
that it's somehow a "standard" configuration.
And what if the server's resolver isn't managed by me? Let's say:

# cat /etc/resolv.conf
nameserver 8.8.8.8

Catalin Bucur


Re: Warning about non-existent MX for destination domain

Wietse Venema
SERVFAIL (for a domain without MX record) means that something is
broken. If the fault is not with your local resolver, then you need
to make sure that you point your resolver at a proper implementation.
I have seen nonsense results from cheap routers that expect queries
from web clients that never ask for MX.

What is the domain name? I gave an example of what the expected
response looks like.

        Wietse

Re: Warning about non-existent MX for destination domain

Catalin Bucur
On 10/03/2020 19:26, Wietse Venema wrote:
> SERVFAIL (for a domain without MX record) means that something is
> broken. If the fault is not with your local resolver, then you need
> to make sure that you point your resolver at a proper implementation.
> I have seen nonsense results from cheap routers that expect queries
> from web clients that never ask for MX.
>
> What is the domain name? I gave an example of what the expected
> response looks like.
>
> 	Wietse

Let's say, for example, imake.ro.
This domain is configured wrong, but it's not managed by me. Which resolver should I use for a non-SERVFAIL error?

Google dns says:
# host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host imake.ro not found: 2(SERVFAIL)

Catalin Bucur

Re: Warning about non-existent MX for destination domain

Jaroslaw Rafa
In reply to this post by Catalin Bucur
On 10.03.2020 at 19:11:33 Catalin Bucur wrote:
> You mean that I should modify standard configuration for my dns
> server (resolver) to force reply that MX record does not exist,
> instead of "Host doman.com not found: 2(SERVFAIL)" ?

If you get reply 2(SERVFAIL) it means DNS server for the domain failed and
did not return any usable reply, so we actually don't know if the domain
exists or not. In that case Postfix SHOULD keep trying to deliver mail
(maybe the DNS server for the domain will resume working?) until max queue
time is exceeded.
A reply actually confirming that the domain does not exist would be
3(NXDOMAIN). In that case Postfix should return mail immediately.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Warning about non-existent MX for destination domain

Jaroslaw Rafa
In reply to this post by Catalin Bucur
On 10.03.2020 at 19:33:14 Catalin Bucur wrote:
> Google dns says:
> # host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
> Host imake.ro not found: 2(SERVFAIL)

Something's wrong with resolver library on your machine. Mine says:

raj@rafa:~$ host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host imake.ro not found: 3(NXDOMAIN)

That's the correct answer - NXDOMAIN, not SERVFAIL.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Warning about non-existent MX for destination domain

Catalin Bucur
In reply to this post by Jaroslaw Rafa
On 10/03/2020 19:33, Jaroslaw Rafa wrote:
> If you get reply 2(SERVFAIL) it means DNS server for the domain failed and
> did not return any usable reply, so we actually don't know if the domain
> exists or not. In that case Postfix SHOULD keep trying to deliver mail
> (maybe the DNS server for the domain will resume working?) until max queue
> time is exceeded.

You're right, but it would be nice if the sender received a warning about that as soon as possible. And that happened ONLY after I set the delay_warning_time parameter to a couple of minutes.

> A reply actually confirming that the domain does not exist would be
> 3(NXDOMAIN). In that case Postfix should return mail immediately.

Catalin Bucur

Re: Warning about non-existent MX for destination domain

Gerald Galster
In reply to this post by Catalin Bucur

> Gerald and Bill, you are both right; delay_warning_time is the parameter I was looking for.
> Anyway, after setting up delay_warning_time=5m I noticed some warnings in logs:
>
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: [built-in]: zero result in delay template conversion of parameter "delay_warning_time_hours"
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: please reduce time unit "hours" of "delay_warning_time_hours" in delay template
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: for instructions see the bounce(5) manual

What happens if you set delay_warning_time=1h or delay_warning_time=300  (as in 300 seconds)?

In the template file it says hours, so everything below one hour might evaluate to zero?

Best regards
Gerald

Re: Warning about non-existent MX for destination domain

Dominic Raferd
In reply to this post by Jaroslaw Rafa


On Tue, 10 Mar 2020 at 17:37, Jaroslaw Rafa <[hidden email]> wrote:
> On 10.03.2020 at 19:33:14 Catalin Bucur wrote:
> > Google dns says:
> > # host -t mx imake.ro 8.8.8.8
> > Using domain server:
> > Name: 8.8.8.8
> > Address: 8.8.8.8#53
> > Aliases:
> > Host imake.ro not found: 2(SERVFAIL)
>
> Something's wrong with resolver library on your machine. Mine says:
>
> raj@rafa:~$ host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host imake.ro not found: 3(NXDOMAIN)
>
> That's the correct answer - NXDOMAIN, not SERVFAIL.

My responses seem like OP's:
# host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host imake.ro not found: 2(SERVFAIL)
# host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)

I read this as: imake.ro exists but is not configured. 

Re: Warning about non-existent MX for destination domain

Catalin Bucur
On 10/03/2020 19:49, Dominic Raferd wrote:
> My responses seem like OP's:
> # host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host imake.ro not found: 2(SERVFAIL)
> # host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)
>
> I read this as: imake.ro exists but is not configured.

Right. And for this type of domain (badly configured) I want Postfix to warn me as soon as possible, not after a few days.

Catalin Bucur

Re: Warning about non-existent MX for destination domain

Fred Morris
In reply to this post by Wietse Venema
Let's try to clear up DNS even though that's not what the original querent
is asking.

On Tue, 10 Mar 2020, Wietse Venema wrote:

> Catalin Bucur:
>> On 10/03/2020 17:16, Wietse Venema wrote:
>>> This is a problem with your DNS resolver WHICH IS NOT PART OF
>>> POSTFIX. You need to use a better DNS resolver.
>>>
>>> With a properly functioning resolver:
>>>
>>> $ host -t mx www.postfix.org
>>> www.postfix.org has no MX record
>>>

By the same logic that we should be looking at postfix logs rather than
thunderbird logs, we should probably be looking at the DNS logs rather
than the output of some tool.

>> type=MX: Host not found, try again)"/, but AFTER
>> /maximal_queue_lifetime/, which is very annoying.

NOERROR doesn't necessarily mean that there was an answer. The number of
answers to the question asked can be 0, even if the FQDN (fully qualified
domain name) exists, if some other type of information is associated with
it. It could also be an ENT (empty non terminal), there could be
subrecords.

NXDOMAIN means there are no records.

SERVFAIL means that no usable records were found. This can be returned by
your caching / recursive resolver. SERVFAIL is also the common result if
you're using DNSSEC and your resolver becomes untethered from NTP.

Interactions between search lists and wildcarded domains (in the DNS) can
result in an unexpected mailserver receiving the email. The behavior of
that mailserver is determined by the configuration of that mailserver. If
you fatfingered the domain and it ends up here you may get lucky and
recognize the address of the remote MTA.

Any given domain can choose to do any number of things with received email
(a policy issue outside of the DNS), including dropping it silently or
kicking unexpected errors. If you fatfingered the domain and they choose
to send your submission silently to /dev/null your message was
"successfully" delivered.

--

Fred Morris


Re: Warning about non-existent MX for destination domain

Viktor Dukhovni
On Tue, Mar 10, 2020 at 12:18:28PM -0700, Fred Morris wrote:

> NOERROR doesn't necessarily mean that there was an answer. The number of
> answers to the question asked can be 0, even if the FQDN (fully qualified
> domain name) exists, if some other type of information is associated with
> it. It could also be an ENT (empty non terminal), there could be
> subrecords.

Correct, NOERROR is the non-failure status code when the target name
(possibly after one or more CNAME redirects) exists, whether or not
it has associated records of the requested type.

Non-failure means the DNS server was able to give you a definitive
answer, it may or may not be the answer you were looking for.

    C: www.example.com. IN MX ?
    S: NOERROR(1/1/0): www.example.com. IN CNAME www.example.net.
                       example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which exists, but has no MX records.

[ (1/1/0) means 1 answer (CNAME), 1 authority record (SOA), 0 additional ]

> NXDOMAIN means there are no records.

No, this is wrong.  NXDOMAIN is the non-failure status code when the
target name (possibly after one or more CNAME redirects) does not exist.

    C: www.example.com. IN MX ?
    S: NXDOMAIN(1/1/0): www.example.com. IN CNAME www.example.net.
                        example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which does not exist.

> SERVFAIL means that no usable records were found. This can be returned by
> your caching / recursive resolver. SERVFAIL is also the common result if
> you're using DNSSEC and your resolver becomes untethered from NTP.

No. This is wrong.  SERVFAIL means that the nameserver (authoritative or
iterative) was unable to provide an answer.  It has nothing to do with
"usable records".  This is a catch-all "I tried to service your query,
but failed, sorry about that, better luck next time..."  answer.

Yes, resolvers return SERVFAIL when the upstream answer fails DNSSEC
validation (is "bogus"), but also when the domain is lame, or upstream
queries time out, ...

--
    Viktor.
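
Added example, not part of Viktor's message and not Postfix code: a small Python parser that reads the RCODE and the (answer/authority/additional) counts from a raw DNS reply and maps them to the delivery decisions described in this thread (use the MX, fall back to the address record, bounce, or defer). The replies are constructed inline with a hypothetical `build_response` helper; the disposition labels are this example's own names.

```python
import struct

TYPE_CNAME, TYPE_SOA, TYPE_MX = 5, 6, 15
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_response(qname, rcode, answers=(), authority=()):
    """Build a constructed reply to an MX query; used only as sample input."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, RCODE in the low 4 bits
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_MX, 1)
    for owner, rtype, rdata in (*answers, *authority):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def parse_response(msg):
    """Return (rcode name, (answer, authority, additional) counts, answer RR types)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), (an, ns, ar), types

def mx_disposition(msg):
    """Map a reply to the delivery decision discussed in the thread."""
    rcode, _counts, types = parse_response(msg)
    if rcode == "NXDOMAIN":
        return "bounce"               # definitive: the name does not exist
    if rcode == "NOERROR":            # definitive: the name exists
        return "use-mx" if TYPE_MX in types else "fallback-to-address"
    return "defer"                    # SERVFAIL etc.: no answer, retry later

def describe(msg):
    rcode, (an, ns, ar), _types = parse_response(msg)
    return f"{rcode}({an}/{ns}/{ar}) -> {mx_disposition(msg)}"

# Constructed sample replies, mirroring the cases in the thread.
SOA = (encode_name("ns.example.net") + encode_name("hostmaster.example.net")
       + struct.pack("!5I", 1, 3600, 600, 86400, 300))
ALIAS = [("www.example.com", TYPE_CNAME, encode_name("www.example.net"))]
AUTH = [("example.net", TYPE_SOA, SOA)]
SAMPLES = {
    "has_mx": build_response("example.com", 0, [
        ("example.com", TYPE_MX, struct.pack("!H", 10) + encode_name("mail.example.com"))]),
    "alias_no_mx": build_response("www.example.com", 0, ALIAS, AUTH),
    "alias_nxdomain": build_response("www.example.com", 3, ALIAS, AUTH),
    "servfail": build_response("doman.com", 2),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:15} {describe(reply)}")
```
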

Re: Warning about non-existent MX for destination domain

Matus UHLAR - fantomas
In reply to this post by Catalin Bucur
>On 10/03/2020 19:49, Dominic Raferd wrote:
>>My responses seem like OP's:
>># host -t mx imake.ro 8.8.8.8
>>Using domain server:
>>Name: 8.8.8.8
>>Address: 8.8.8.8#53
>>Aliases:
>>
>>Host imake.ro not found: 2(SERVFAIL)
>># host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
>>Using domain server:
>>Name: 8.8.8.8
>>Address: 8.8.8.8#53
>>Aliases:
>>
>>Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)
>>
>>I read this as: imake.ro exists but is not configured.

On 10.03.20 20:07, Catalin Bucur wrote:
>Right. And for this type of domain (badly configured) I want
>Postfix to warn me as soon as possible, not after a few days.

This is impossible.  The error can e.g. mean that the zone is broken and
the admin has to fix it, which may be done within minutes.

This kind of error can of course last for months or years, but we can't know
that yet. Neither can postfix or DNS client.

I have similar problems with long-term unreachable addresses, where I would
prefer to block mail from/to such domains, when they are inaccessible for
some time.

Wietse advised a policy service and a log watcher that would extract info about
such domains:

https://marc.info/?l=postfix-users&m=157910384501532&w=2

I'm afraid I don't have enough time to build it, otherwise I'd suggest
you use it already :)

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Atheism is a non-prophet organization.
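
Added example, not part of Matus's message and not the design from the linked post: a Python sketch of the log-watcher idea, which reads Postfix delivery log lines and lists recipient domains whose mail has been deferred on temporary DNS errors ("try again") for longer than a threshold. The log lines, domains and queue IDs are constructed; the function name `dns_stuck_domains` and the one-hour default are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix delivery-log format (not real traffic).
SAMPLE_LOG = """\
Mar 10 17:40:01 mail postfix/smtp[7301]: 4A1B2C3D4E: to=<bob@doman.example>, relay=none, delay=12, delays=0.1/0/12/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=doman.example type=MX: Host not found, try again)
Mar 10 18:50:11 mail postfix/smtp[7410]: 4A1B2C3D4E: to=<bob@doman.example>, relay=none, delay=4210, delays=4198/0/12/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=doman.example type=MX: Host not found, try again)
Mar 10 18:51:40 mail postfix/smtp[7411]: 5B2C3D4E5F: to=<carol@doman.example>, relay=none, delay=7300, delays=7288/0/12/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=doman.example type=MX: Host not found, try again)
Mar 10 18:52:02 mail postfix/smtp[7412]: 6C3D4E5F6A: to=<dave@slow.example>, relay=none, delay=95, delays=83/0/12/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=slow.example type=MX: Host not found, try again)
Mar 10 18:53:15 mail postfix/smtp[7413]: 7D4E5F6A7B: to=<erin@fixed.example>, relay=none, delay=4000, delays=3988/0/12/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=fixed.example type=MX: Host not found, try again)
Mar 10 19:09:55 mail postfix/smtp[7420]: 7D4E5F6A7B: to=<erin@fixed.example>, relay=mx.fixed.example[192.0.2.30]:25, delay=5000, delays=4999/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C4D5E)
Mar 10 19:10:20 mail postfix/smtp[7421]: 8E5F6A7B8C: to=<frank@down.example>, relay=none, delay=9000, delays=8970/0/30/0, dsn=4.4.1, status=deferred (connect to down.example[192.0.2.20]:25: Connection timed out)
Mar 10 19:11:02 mail postfix/smtp[7422]: 9F6A7B8C9D: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
"""

DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^>]*@(?P<domain>[^>]+)>,"
    r".*? delay=(?P<delay>[\d.]+),.*? status=(?P<status>\w+) \((?P<reason>.*)\)\s*$")
# Temporary DNS failure as logged by Postfix: "... type=MX: Host not found, try again"
DNS_TEMPFAIL_RE = re.compile(
    r"Name service error for name=(?P<name>\S+) type=(?P<qtype>\w+): .*try again")

def dns_stuck_domains(log_text, min_delay_s=3600):
    """Return [(domain, queued_messages, oldest_delay_s)] for domains whose mail
    is still deferred on temporary DNS errors after at least min_delay_s seconds."""
    latest = {}  # (queue id, domain) -> delay of the most recent DNS deferral
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        key = (m["qid"], m["domain"].lower())
        if m["status"] != "deferred" or not DNS_TEMPFAIL_RE.search(m["reason"]):
            latest.pop(key, None)  # delivered, bounced, or deferred for another reason
            continue
        latest[key] = float(m["delay"])
    per_domain = defaultdict(list)
    for (_qid, domain), delay in latest.items():
        per_domain[domain].append(delay)
    report = [(d, len(v), max(v)) for d, v in per_domain.items() if max(v) >= min_delay_s]
    return sorted(report, key=lambda row: -row[2])

if __name__ == "__main__":
    for domain, count, oldest in dns_stuck_domains(SAMPLE_LOG):
        print(f"{domain}: {count} message(s) waiting on DNS, oldest {oldest:.0f}s")
```
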

Re: Warning about non-existent MX for destination domain

Catalin Bucur
In reply to this post by Gerald Galster
On 10/03/2020 19:47, Gerald Galster wrote:
> what happens if you set delay_warning_time=1h or delay_warning_time=300  (as in 300 seconds)?
>
> In the template file it says hours, so everything below one hour might evaluate to zero?
>
> Best regards
> Gerald

"Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours)."

I've tried, but without specifying the time unit it implicitly means hours. In our case 300 hours :-)

Catalin Bucur