On Tue, Jan 26, 2021 at 10:46:04AM -0500, Ruben Safir wrote:

> I am getting these strange rejections when talking to NYC government
> 
> Final-Recipient: rfc822; cdeut...@council.nyc.gov
> Original-Recipient: rfc822;cdeut...@council.nyc.gov
> Action: delayed
> Status: 4.4.3
> Diagnostic-Code: X-Postfix; delivery temporarily suspended: Host or domain 
> name not found. Name service error for name=mx2.nycdoitt.iphmx.com
> type=A: Host not found, try again
> Will-Retry-Until: Sun, 31 Jan 2021 04:42:53 -0500 (EST)

Are these delay notices reported by your Postfix MTA, or by a remote
MTA?  Assuming it is yours, make sure that your smtp(8) client is not
chrooted (or else fix resolv.conf and its permissions in the chroot)
and that unprivileged accounts can successfully perform DNS lookups.

Post the output of:

    $ postconf -M | awk '$8 == "smtp" {print $1,$5}'
    $ postconf default_transport transport_maps

> dig  mx2.nycdoitt.iphmx.com

Was this test done as "root" or an unprivileged user?

On Tue, Jan 26, 2021 at 04:02:11PM +0000, Dominic Raferd wrote:

> > ;; ANSWER SECTION:
> > mx2.nycdoitt.iphmx.com. 3326    IN      A       68.232.143.122
> > ...
> 
> Check that your postfix instance can reach resolv.conf:
> 
>     # sudo -u postfix -H cat /etc/resolv.conf

There may also be a chroot jail involved.

On Tue, Jan 26, 2021 at 11:04:39AM -0500, Bill Cole wrote:

> > dig  mx2.nycdoitt.iphmx.com
> 
> [... list of A records snipped ...]
> 
> Assuming that the "Diagnostic-Code" field of the rejection message is in 
> fact the real reason for the failure and not doing something that
> mimics DNS failure or tells outright lies, this indicates that their DNS 
> resolver is broken.

Whose DNS resolver?  And perhaps you mean authoritative server (operated
by Akamai, and working adequately):

    https://dnsviz.net/d/mx2.nycdoitt.iphmx.com/YBBCIA/dnssec/

> The fact that they are replying with a temporary code means that they
> are getting a SERVFAIL response or a timeout when trying to resolve
> mx2.nycdoitt.iphmx.com.

Again, which "they"?  The temporary failure is probably downstream,
either at the resolvers configured in /etc/resolv.conf, or even failure
to reach those in the first place.

-- 
    Viktor.
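
The two checks asked for above (is the smtp(8) client chrooted, and does the chroot have a usable resolv.conf) can be scripted as below. This is an added example, not part of the original message. It assumes the chroot root is the Postfix queue directory, so the jail copy is `$queue_directory/etc/resolv.conf`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Read `postconf -M` output on stdin and report the chroot setting of every
# service that runs the smtp(8) client. Fields: 1=service 5=chroot 8=command.
# "-" means the built-in default (n for Postfix >= 3.0, y for older releases).
smtp_chroot_report() {
    awk '$8 == "smtp" {
        if ($5 == "y") v = "chrooted"
        else if ($5 == "-") v = "default"
        else v = "not-chrooted"
        print $1, v
    }'
}

# Compare the system resolv.conf ($1) with the copy inside the chroot ($2).
# Prints one of: ok | missing | unreadable | stale
check_chroot_resolv() {
    sys=$1 jail=$2
    [ -e "$jail" ] || { echo missing; return 1; }
    # The 8th character of the ls mode string is the "other" read bit, which
    # the unprivileged postfix user relies on when the file is root-owned.
    [ "$(ls -ld "$jail" | cut -c8)" = r ] || { echo unreadable; return 1; }
    a=$(grep '^nameserver' "$sys" | sort)
    b=$(grep '^nameserver' "$jail" | sort)
    [ "$a" = "$b" ] || { echo stale; return 1; }
    echo ok
}

# Constructed sample data (not taken from the thread): a chrooted smtp
# client whose jail copy of resolv.conf points at a different resolver.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/jail/etc"
    printf 'nameserver 192.0.2.53\n' > "$d/resolv.conf"
    printf 'nameserver 192.0.2.1\n' > "$d/jail/etc/resolv.conf"
    chmod 644 "$d/jail/etc/resolv.conf"
    printf '%s\n' \
        'smtp unix - - y - - smtp' \
        'relay unix - - n - - smtp -o syslog_name=postfix/relay' \
        'smtp inet n - y - - smtpd' | smtp_chroot_report
    check_chroot_resolv "$d/resolv.conf" "$d/jail/etc/resolv.conf" || true
    rm -rf "$d"
}
demo
```

On a live system the inputs would be `postconf -M | smtp_chroot_report` and `check_chroot_resolv /etc/resolv.conf "$(postconf -h queue_directory)/etc/resolv.conf"`.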
