Thanks for the reply and your thoughts.

There should be nothing limiting FCrDNS here, despite that
these are a lot of records.

But have you tried the dig lookup below from the actual mail
server at (or shortly after) the time of the failure?

Yes, that was the first thing I tried, and I had those delivery failures before and after that test. (In fact, I changed the error message to one specific to the fcrdns check, restarted opensmtp and waited for the next delivery attempt).

After that I started looking into the sources of OpenSMTPd and all I found was a loop running over all records in the reply, so yeah, no limitation there.


While the DNS record seems to be there and correct:
At the time of the connect your mail server was not able to resolve the record through whatever you have configured as forwarder/lookup/recursive DNS servers.
Reasons can vary from local provider network hiccup to
global BGP issues.
Your mail server may use a different route and different
lookup servers than the local client you test the dig command with.

It's a local DNS cache which forwards to some dnscrypt servers. I verified from the logs that the manual name resolution test I did and the lookup from OpenSMTPd did use the same resolution.


I have often seen local ISP forwarding DNS servers being
blocked by other large ISP DNS servers already,
e.g. Hetzner DNS recursive Forwarders (and even
whole Hetzner netblocks) are blocked by Telekom
authoritative DNS servers, due to abuse reasons.

Yeah, I hear you, I had similar experiences in the past, one also with Telekom btw. In our case it was for an online game, and we ultimately needed to tell players that were affected to "tunnel around" some hop in Frankfurt, as it was impossible to get in contact with anyone at Telekom that was able or willing to get us in contact with the technicians there. After like 2 months that route was fine again.


I also have similar experiences the other way around with
other ISPs blocking Telekom forwarders, etc.

Sometimes you may be able to contact abuse/tech addresses
to get the relevant IPs unblocked, but often this is just
temporary anyways.

Not everything is reachable from everywhere as it should be.
This happens all the time. This is the Internet.

This is very true, this is the internet.

While looking into this I was just really surprised to see the long list of A records this resolves to and it felt like this was maybe the culprit... everything else worked fine and no other mail server connecting was rejected that way.

I'll reenable the fcrdns check again, and see what happens. It was disabled now for a while b/c of a user depending on some mails coming from SFR.

Thanks for the feedback!

