Hi Chris:

Was out-of-town for a week.

We tried the

server 0.0.0.0/0 {
       edns no;    // send queries without EDNS0 to every remote nameserver
};

in our BIND and although we were able to receive email from grupodecor.com a bunch of other websites failed. Is there a way to restrict the 'edns no' to a particular sending domain? And what server IP address goes into that directive - the IP of the MX record or the IP of the DNS server for grupodecor.com?

Thanks, Jeff



On 6/21/2017 9:27 PM, Chris wrote:
Hi Jeff,

Let me know how it goes. I've been playing with adding the following block to various nameservers in my network, with mixed success:

server 0.0.0.0/0 {
        edns no;
};

Adding the above block to the instance of BIND that resides on my qmail server, and setting 127.0.0.1 as the primary nameserver in /etc/resolv.conf worked.

Adding that same block to my ns1 and ns2 nameservers, that are used for recursive lookups within my network, was a complete bust. Still experimenting with that.

-Chris

On Wed, Jun 21, 2017 at 6:18 PM, Jeff Koch <jeffk...@intersessions.com> wrote:

    Hi Chris:

    Thank you for troubleshooting this. Adding 'edns no' to our BIND
    dns server looks like a great solution to the issue. I'll give it
    a try and let you know.

    Thanks, Jeff

    On 6/21/2017 12:09 PM, Chris wrote:
    Howdy Jeff,

    My apologies.  I guess I should have gone into more technical
    detail, rather than just supplying solutions. My original reply
    was sent from my iPhone, and I was just trying to get you a quick
    solution while I was on a train.

      First one bit of explanation, then the meat of it all, and a
    new third option you can implement:  The reason I routed email
    through mailcleaner had nothing to do with the content of the
    email. It had to do with mailcleaner not using qmail under the
    hood, and therefore not having the same problem with the returned
    DNS for the outlook hosted domain I was trying to mail to.  The
    particular email server I applied the mailcleaner fix to is an
    OLD FreeBSD box that I'm in the process of replacing, and as such
    I didn't want to waste time shoehorning in a new DNS server when
    I had a ready fix available.  Again, not a content issue, just
    trying to get qmail/BIND out of the equation.

      So, the crux of my issue was that qmail doesn't like it when a
    DNS query returns more than 512 bytes of data.  There is another
    issue, solved the same way, where some name servers give a
    malformed response when edns is enabled.  qmail doesn't try to
    figure out malformed responses, as that would go against its
    philosophy.  This can be seen in the thread that Eric sent you on
    6/12
    (https://www.mail-archive.com/qmailtoaster-list@qmailtoaster.com/msg40505.html)
    where one of the viable solutions was to disable the edns option
    in the bind config. (So, solution #3:  Add "edns no;" to the
    server block in your bind config of the dns server that your
    qmailtoaster is using for resolution.)

    qmail's issue with large DNS packets is also documented here:
    https://www.webfactory.de/blog/patch-qmail-in-ubuntu-to-avoid-cname-lookup-failed-temporarily-errors
    The crux of the above post was an issue with CNAME responses, but
    that's not what's happening to you.

    In troubleshooting the domain you were trying to send to,
    grupodecor.com, I discovered something very interesting. The DNSSEC
    analysis tool at http://dnsviz.net/d/grupodecor.com/dnssec/ reported
    the following:  "grupodecor.com/A: The response (160 bytes) was
    malformed until EDNS was disabled. (34.194.232.55, 34.197.49.47,
    34.197.219.118, 52.207.176.29, 54.236.164.22, 54.236.167.176,
    54.236.168.41, UDP_0_EDNS0_32768_4096)"

    So, there is something borked with the DNS at grupodecor.com
    when the querying server has edns
    enabled.  My suggestion of using djbdns works because djbdns
    doesn't do edns.  My suggestion of relaying through something
    like mailcleaner works because it isn't running qmail and doesn't
    flat out reject the malformed response the way qmail does. The
    latest suggestion of turning off edns in your bind server will
    work because it won't ask for edns responses anymore.

    Does that help explain the why's of this issue?

    -Chris


    -Sent from my Pip-Boy 3000

    On Jun 21, 2017, at 5:01 AM, Jeff Koch <jeffk...@intersessions.com>
    wrote:

    Hi Boheme:

    Sorry if I was rude - I do appreciate your response on 6/12 and
    I considered the two solutions you recommended.

    With respect to routing the mail through mailcleaner - if I
    understand the purpose of this recommendation - I don't think
    the problem has anything to the contents of the email we are
    trying to send. Qmail is saying that it couldn't find any host
    named grupodecor.com. So it's an issue
    on the side of our sending mailserver and I'd really like to
    understand how our mailserver came to that conclusion - what
    exactly is qmail testing to determine that.

    With respect to your second recommendation about installing
    djbdns we already have a BIND server running on our network and
    I prefer not to install another DNS server (I will if I
    absolutely have to.)

    The problem here does not seem to be related to Outlook 365
    since we are able to send email to many other domains with email
    hosted by Outlook.

    I really would like to understand what's going on in the qmail
    code that is causing qmail to come to the conclusion that it
    can't find this host. (What exactly does qmail mean by 'host'?
    Does this mean qmail can't find the DNS zone? Can't find an 'A'
    record or host? Can't find the MX record or host?)

    Jeff



    On 6/20/2017 11:34 PM, Boheme wrote:
    I replied with two solutions to this problem on 6/12.

    You never replied, so I have no idea whether you tried my
    suggestions.

    -Sent from my Pip-Boy 3000

    On Jun 20, 2017, at 8:10 PM, Jeff Koch <jeffk...@intersessions.com>
    wrote:


    I'm having trouble sending email to anyone at grupodecor.com. All of
    my qmail mailservers say:

    Sorry, I couldn't find any host named grupodecor.com. (#5.1.2)

    And yet I can send from my hotmail account and the MX host -
    grupodecor-com.mail.protection.outlook.com - responds to smtp
    connections. Try sending an email to anyone at that domain (like
    ab...@grupodecor.com)

    Anyone know why this is happening?

    Jeff
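Jeff's question at the top of the thread (which address goes into the server directive, and whether it can be narrowed) is a BIND configuration question. The fragment below is an example added here, not configuration posted in the thread. BIND's server statement matches the address of the remote nameserver that BIND sends queries to, so the relevant addresses are those of the zone's authoritative nameservers, not the MX host's. The seven addresses are the ones dnsviz listed in Chris's message; that they are grupodecor.com's authoritative servers is an assumption, to be verified against the zone's current NS records before use.

```conf
// Scoped alternative to "server 0.0.0.0/0 { edns no; };" (example added here,
// not from the thread).  BIND matches a server statement against the address
// of the remote nameserver it queries, so list the problem zone's
// authoritative nameservers, not its MX host.  The addresses below are the
// ones dnsviz reported; assumed to be grupodecor.com's authoritative servers,
// check them against the zone's current NS records.
server 34.194.232.55/32  { edns no; };
server 34.197.49.47/32   { edns no; };
server 34.197.219.118/32 { edns no; };
server 52.207.176.29/32  { edns no; };
server 54.236.164.22/32  { edns no; };
server 54.236.167.176/32 { edns no; };
server 54.236.168.41/32  { edns no; };
// Every other remote server keeps EDNS.  Validate the syntax before reloading:
//   named-checkconf /etc/named.conf && rndc reload
```

Because each server statement only affects queries to the listed addresses, lookups for every other domain continue to use EDNS, which avoids the breakage Jeff saw with the 0.0.0.0/0 version.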




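To make the mechanism in Chris's explanation concrete: EDNS0 is an OPT pseudo-record in the additional section of a query whose CLASS field advertises the UDP payload size the resolver accepts (dnsviz probed with 4096, per the output quoted above); without it the classic 512-byte limit applies, which is the size qmail's resolver tolerates per the thread. The following Python is an example added here, not code from the thread, qmail or BIND. It builds queries with and without the OPT record, builds constructed replies (TEST-NET addresses, not grupodecor.com's real records), and reports whether a reply carries EDNS and whether it fits in 512 bytes. All function names are this example's own.

```python
"""Query/response helpers showing what EDNS0 adds on the wire and whether a
reply fits qmail's 512-byte resolver buffer.  Standard library only; all
packets here are constructed locally (nothing is sent over the network)."""
import struct

QMAIL_MAX_RESPONSE = 512     # byte limit qmail's resolver tolerates (per the thread)
EDNS0_UDP_SIZE = 4096        # payload size dnsviz advertised in its probe
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def skip_name(pkt, off):
    """Return the offset just past a name starting at off (handles pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, edns=True, udp_size=EDNS0_UDP_SIZE, txid=0x1234):
    """A-record query; with edns=True an OPT pseudo-RR advertising udp_size is
    appended to the additional section, which is exactly what 'edns no' removes."""
    arcount = 1 if edns else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD
    pkt += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return pkt


def build_a_response(query, addresses, edns_size=None):
    """Constructed reply to query: one A record per address; an EDNS-aware
    server echoes an OPT RR back when edns_size is given."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    arcount = 1 if edns_size is not None else 0
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, arcount)  # QR, RD, RA
    pkt += question
    for addr in addresses:
        # name is a pointer to offset 12 (the question name), then TYPE/CLASS/TTL/RDLEN/RDATA
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        pkt += bytes(int(octet) for octet in addr.split("."))
    if edns_size is not None:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return pkt


def inspect_response(pkt):
    """Walk a response and report size, TC bit, EDNS payload size (if an OPT RR
    is present) and whether the whole message fits qmail's buffer."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", pkt[2:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                 # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns_size = rclass                        # OPT stores the UDP size in CLASS
    return {
        "size": len(pkt),
        "truncated": bool(flags & 0x0200),
        "edns_udp_size": edns_size,
        "fits_qmail": len(pkt) <= QMAIL_MAX_RESPONSE,
    }


# Constructed sample data (TEST-NET addresses, not grupodecor.com's real records).
SAMPLE_ADDRESSES = ["192.0.2.%d" % i for i in range(1, 8)]

if __name__ == "__main__":
    q_edns, q_plain = build_query("grupodecor.com"), build_query("grupodecor.com", edns=False)
    print("query with EDNS0: %d bytes, without: %d bytes" % (len(q_edns), len(q_plain)))
    print(inspect_response(build_a_response(q_edns, SAMPLE_ADDRESSES, edns_size=4096)))
    # 40 A records push the reply past 512 bytes, the case qmail rejects
    print(inspect_response(build_a_response(q_edns, ["192.0.2.%d" % i for i in range(1, 41)])))
```

The 11-byte OPT record is the only difference between the two queries; a server that mishandles it (as dnsviz reported for grupodecor.com) answers correctly once the resolver stops sending it, and a reply that needs more than 512 bytes only arrives intact when the resolver advertised a larger size, which qmail's fixed buffer cannot use either way.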