Re: Warning about non-existent MX for destination domain

2020-03-14 Thread Catalin Bucur

On 10/03/2020 19:47, Gerald Galster wrote:
> what happens if you set delay_warning_time=1h or
> delay_warning_time=300  (as in 300 seconds)?
>
> In the template file it says hours, so everything below one hour might
> evaluate to zero?
>
> Best regards
> Gerald


/"Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
The default time unit is h (hours)."/


I've tried, but without specifying a time unit it implicitly means hours.
In our case 300 hours :-)


Catalin Bucur
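
Added example (not part of any message in this thread, and not Postfix code): a small Python model of the two pitfalls discussed here, that a bare number in delay_warning_time is read as hours, and that the built-in template's $delay_warning_time_hours macro truncates a sub-hour value to zero. The integer-division behaviour is inferred from the logged warning, the $delay_warning_time_minutes form is the unit-suffix macro described in bounce(5), and the template line and function names are constructed for illustration.

```python
import re

# Seconds per one-letter suffix accepted in main.cf time values.
SUFFIX_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Seconds per unit name used in $parameter_unit template macros.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600,
                "days": 86400, "weeks": 604800}

def parse_time(value, default_suffix="h"):
    """Convert a main.cf time value ('5m', '1h', '300') to seconds.
    A bare number takes the default unit, which is hours."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if match is None:
        raise ValueError(f"bad time value: {value!r}")
    return int(match.group(1)) * SUFFIX_SECONDS[match.group(2) or default_suffix]

def best_unit(seconds):
    """Largest template unit that represents the value without truncation."""
    for unit in ("weeks", "days", "hours", "minutes", "seconds"):
        if seconds and seconds % UNIT_SECONDS[unit] == 0:
            return unit
    return "seconds"

def check_template(template, params):
    """Expand $name_unit macros with integer division (modelled behaviour,
    an assumption) and return (expanded text, warnings), one warning for
    every macro that truncates a non-zero setting to zero."""
    warnings = []

    def expand(match):
        name, unit = match.group(1), match.group(2)
        seconds = parse_time(params[name])
        result = seconds // UNIT_SECONDS[unit]
        if result == 0 and seconds > 0:
            warnings.append(f'zero result for "{name}_{unit}": '
                            f'use ${name}_{best_unit(seconds)}')
        return str(result)

    pattern = r"\$(%s)_(%s)" % ("|".join(map(re.escape, params)),
                                "|".join(UNIT_SECONDS))
    return re.sub(pattern, expand, template), warnings

# Constructed sample template line that uses the hours macro.
TEMPLATE = ("Your message could not be delivered for more than "
            "$delay_warning_time_hours hour(s).")

if __name__ == "__main__":
    for setting in ("300", "1h", "5m"):
        text, warns = check_template(TEMPLATE, {"delay_warning_time": setting})
        print(f"delay_warning_time={setting}: {parse_time(setting)}s")
        print("  ", text, warns)
```

A custom template named by bounce_template_file whose delay text uses $delay_warning_time_minutes avoids the zero result for delay_warning_time=5m.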



Re: Warning about non-existent MX for destination domain

2020-03-11 Thread Matus UHLAR - fantomas

> On 10/03/2020 19:49, Dominic Raferd wrote:
>> My responses seem like OP's:
>> # host -t mx imake.ro 8.8.8.8
>> Using domain server:
>> Name: 8.8.8.8
>> Address: 8.8.8.8#53
>> Aliases:
>>
>> Host imake.ro not found: 2(SERVFAIL)
>> # host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
>> Using domain server:
>> Name: 8.8.8.8
>> Address: 8.8.8.8#53
>> Aliases:
>>
>> Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)
>>
>> I read this as: imake.ro exists but is not configured.

On 10.03.20 20:07, Catalin Bucur wrote:
> Right. And for this type of domains (bad configured) I want that
> postfix warn me as soon as possible, not after a few days.


This is impossible.  The error can e.g. mean that the zone is broken and
admin has to fix it, which may be done within minutes.

This kind of error can of course last for months or years, but we can't know
that yet. Neither can postfix or DNS client.

I have similar problems with long-term unreachable addresses, where I would
prefer to block mail from/to such domains, when they are inaccessible for
some time.

Wietse advised policy service and log watcher that would extract info about
such domains:

https://marc.info/?l=postfix-users&m=157910384501532&w=2

I'm afraid I don't have enough of time to build it, otherwise I'd propose
you to use it already :)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Atheism is a non-prophet organization.


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Viktor Dukhovni
On Tue, Mar 10, 2020 at 12:18:28PM -0700, Fred Morris wrote:

> NOERROR doesn't necessarily mean that there was an answer. The number of 
> answers to the question asked can be 0, even if the FQDN (fully qualified 
> domain name) exists, if some other type of information is associated with 
> it. It could also be an ENT (empty non terminal), there could be 
> subrecords.

Correct, NOERROR is the non-failure status code when the target name
(possibly after one or more CNAME redirects) exists, whether or not
it has associated records of the requested type.

Non-failure means the DNS server was able to give you a definitive
answer, it may or may not be the answer you were looking for.

C: www.example.com. IN MX ?
S: NOERROR(1/1/0): www.example.com. IN CNAME www.example.net.
   example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which exists, but has no MX records.

[ (1/1/0) means 1 answer (CNAME), 1 authority record (SOA), 0 additional ]

> NXDOMAIN means there are no records.

No, this is wrong.  NXDOMAIN is the non-failure status code when the
target name (possibly after one or more CNAME redirects) does not exist.

C: www.example.com. IN MX ?
S: NXDOMAIN(1/1/0): www.example.com. IN CNAME www.example.net.
   example.net. IN SOA ...

The above indicates that www.example.com is aliased to www.example.net,
which does not exist.

> SERVFAIL means that no usable records were found. This can be returned by 
> your caching / recursive resolver. SERVFAIL is also the common result if 
> you're using DNSSEC and your resolver becomes untethered from NTP.

No. This is wrong.  SERVFAIL means that the nameserver (authoritative or
iterative) was unable to provide an answer.  It has nothing to do with
"usable records".  This is a catch-all "I tried to service your query,
but failed, sorry about that, better luck next time..."  answer.

Yes, resolvers return SERVFAIL when the upstream answer fails DNSSEC
validation (is "bogus"), but also when the domain is lame, or upstream
queries time out, ...

-- 
Viktor.


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Fred Morris
Let's try to clear up DNS even though that's not what the original querent 
is asking.


On Tue, 10 Mar 2020, Wietse Venema wrote:

Catalin Bucur:

On 10/03/2020 17:16, Wietse Venema wrote:

This is a problem with your DNS resolver WHICH IS NOT PART OF
POSTFIX. You need to use a better DNS resolver.

With a properly functioning resolver:

$ host -t mx www.postfix.org
www.postfix.org  has no MX record



By the same logic that we should be looking at postfix logs rather than 
thunderbird logs, we should probably be looking at the DNS logs rather 
than the output of some tool.



type=MX: Host not found, try again)"/, but AFTER
/maximal_queue_lifetime/, which is very annoying.


NOERROR doesn't necessarily mean that there was an answer. The number of 
answers to the question asked can be 0, even if the FQDN (fully qualified 
domain name) exists, if some other type of information is associated with 
it. It could also be an ENT (empty non terminal), there could be 
subrecords.


NXDOMAIN means there are no records.

SERVFAIL means that no usable records were found. This can be returned by 
your caching / recursive resolver. SERVFAIL is also the common result if 
you're using DNSSEC and your resolver becomes untethered from NTP.


Interactions between search lists and wildcarded domains (in the DNS) can 
result in an unexpected mailserver receiving the email. The behavior of 
that mailserver is determined by the configuration of that mailserver. If 
you fatfingered the domain and it ends up here you may get lucky and 
recognize the address of the remote MTA.


Any given domain can choose to do any number of things with received email 
(a policy issue outside of the DNS), including dropping it silently or 
kicking unexpected errors. If you fatfingered the domain and they choose 
to send your submission silently to /dev/null your message was 
"successfully" delivered.


--

Fred Morris



Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 19:49, Dominic Raferd wrote:
> My responses seem like OP's:
> # host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host imake.ro not found: 2(SERVFAIL)
> # host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)
>
> I read this as: imake.ro exists but is not configured.

Right. And for this type of domains (bad configured) I want that postfix
warn me as soon as possible, not after a few days.


Catalin Bucur


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Dominic Raferd
On Tue, 10 Mar 2020 at 17:37, Jaroslaw Rafa  wrote:

> On 10.03.2020 at 19:33:14, Catalin Bucur wrote:
> > Google dns says:
> > # host -t mx imake.ro 8.8.8.8
> > Using domain server:
> > Name: 8.8.8.8
> > Address: 8.8.8.8#53
> > Aliases:
> > Host imake.ro not found: 2(SERVFAIL)
>
> Something's wrong with resolver library on your machine. Mine says:
>
> raj@rafa:~$ host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> Host imake.ro not found: 3(NXDOMAIN)
>
> That's the correct answer - NXDOMAIN, not SERVFAIL.
>

My responses seem like OP's:
# host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host imake.ro not found: 2(SERVFAIL)
# host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)

I read this as: imake.ro exists but is not configured.


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Gerald Galster

> Gerald and Bill, you are both right, delay_warning_time is the
> parameter I was looking for.
> Anyway, after setting up delay_warning_time=5m I noticed some warnings in
> logs:
>
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: [built-in]: zero result in delay template conversion of parameter "delay_warning_time_hours"
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: please reduce time unit "hours" of "delay_warning_time_hours" in delay template
> Mar 10 17:52:02 mail postfix/bounce[7326]: warning: for instructions see the bounce(5) manual

what happens if you set delay_warning_time=1h or delay_warning_time=300  (as in 
300 seconds)?

In the template file it says hours, so everything below one hour might evaluate 
to zero?

Best regards
Gerald

Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 19:33, Jaroslaw Rafa wrote:
> If you get reply 2(SERVFAIL) it means DNS server for the domain failed and
> did not return any usable reply, so we actually don't know if the domain
> exists or not. In that case Postfix SHOULD keep trying to deliver mail
> (maybe the DNS server for the domain will resume working?) until max queue
> time is exceeded.

You're right, but it would be nice if the sender would receive a warning
about that, as soon as possible. And that happened ONLY after I modified
the /delay_warning_time/ parameter to a couple of minutes.

> A reply actually confirming that the domain does not exist would be
> 3(NXDOMAIN). In that case Postfix should return mail immediately.


Catalin Bucur


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Jaroslaw Rafa
On 10.03.2020 at 19:33:14, Catalin Bucur wrote:
> Google dns says:
> # host -t mx imake.ro 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
> Host imake.ro not found: 2(SERVFAIL)

Something's wrong with resolver library on your machine. Mine says:

raj@rafa:~$ host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host imake.ro not found: 3(NXDOMAIN)

That's the correct answer - NXDOMAIN, not SERVFAIL.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Jaroslaw Rafa
On 10.03.2020 at 19:11:33, Catalin Bucur wrote:
> You mean that I should modify standard configuration for my dns
> server (resolver) to force reply that MX record does not exist,
> instead of "Host doman.com not found: 2(SERVFAIL)" ?

If you get reply 2(SERVFAIL) it means DNS server for the domain failed and
did not return any usable reply, so we actually don't know if the domain
exists or not. In that case Postfix SHOULD keep trying to deliver mail
(maybe the DNS server for the domain will resume working?) until max queue
time is exceeded.
A reply actually confirming that the domain does not exist would be
3(NXDOMAIN). In that case Postfix should return mail immediately.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 19:26, Wietse Venema wrote:
> SERVFAIL (for a domain without MX record) means that something is
> broken. If the fault is not with your local resolver, then you need
> to make sure that you point your resolver at a proper implementation.
> I have seen nonsense results from cheap routers that expect queries
> from web clients that never ask for MX.
>
> What is the domain name? I gave an example of what the expected
> response looks like.
>
> Wietse

Let's say for example imake.ro
This domain is configured wrong, but it's not managed by me. Which
resolver should I use for a non-SERVFAIL error?


Google dns says:
# host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
Host imake.ro not found: 2(SERVFAIL)

Catalin Bucur



Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Wietse Venema
SERVFAIL (for a domain without MX record) means that something is
broken. If the fault is not with your local resolver, then you need
to make sure that you point your resolver at a proper implementation.
I have seen nonsense results from cheap routers that expect queries
from web clients that never ask for MX.

What is the domain name? I gave an example of what the expected
response looks like.

Wietse


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 17:55, Wietse Venema wrote:
> THAT is a DNS resolver issue. If a domain has no MX record the
> resolver should say so IMMEDIATELY, instead of forever returning
> NO RESPONSE.
>
> Again, a proper resolver will IMMEDIATELY reply that the MX
> record does not exist, allowing Postfix to proceed IMMEDIATELY.
>
> With your broken resolver, Postfix gets NO RESPONSE, and therefore
> it MUST NOT proceed.
>
> Wietse

You mean that I should modify standard configuration for my dns server
(resolver) to force reply that MX record does not exist, instead of
"Host doman.com not found: 2(SERVFAIL)"? I don't really know that my
actual nameserver configuration is a "broken" configuration, I believe
that it's somehow a "standard" configuration.

And what if server's resolver isn't managed by me? Let's say:

# cat /etc/resolv.conf
nameserver 8.8.8.8

Catalin Bucur



Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 17:57, Gerald Galster wrote:
> In case there is no MX record the mail is delivered to the domain's ip
> (a/ record).
> It's up to the domain's administrator to set a NULL MX to prevent
> that, but it's quite new:
>
> https://tools.ietf.org/html/rfc7505
>
> What postfix can do:
>
> delay_warning_time (default: 0h)
>        The time after which the sender receives a copy of the message
>        headers of mail that is still queued
>
> bounce_queue_lifetime = 4h
> maximal_queue_lifetime = 1d
> ...
>
> man 5 postconf
>
> Best regards
> Gerald

Gerald and Bill, you are both right, /delay_warning_time/ is
the parameter I was looking for.
Anyway, after setting up delay_warning_time=5m I noticed some warnings
in logs:

Mar 10 17:52:02 mail postfix/bounce[7326]: warning: [built-in]: zero result in delay template conversion of parameter "delay_warning_time_hours"
Mar 10 17:52:02 mail postfix/bounce[7326]: warning: please reduce time unit "hours" of "delay_warning_time_hours" in delay template
Mar 10 17:52:02 mail postfix/bounce[7326]: warning: for instructions see the bounce(5) manual


Thank you for your help.

Best regards,

Catalin Bucur



Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Gerald Galster

> On 10/03/2020 17:16, Wietse Venema wrote:
>> This is a problem with your DNS resolver WHICH IS NOT PART OF
>> POSTFIX. You need to use a better DNS resolver.
>> 
>> With a properly functioning resolver:
>> 
>> $ host -t mx www.postfix.org 
>> www.postfix.org  has no MX record
>> 
>>  Wietse
> 
> You didn't understand my issue, you didn't read enough of my message or I
> wasn't clear enough.
> It's not MY dns issue, in fact it's not really a dns issue. Again:
>  1. I want to send mail to someb...@domain.com
>  2. By mistake, I send message to someb...@doman.com
>  (note a missing 'i')
>  3. doman.com exists, BUT it doesn't have MX record defined
>  4. my message stays in queue until maximal_queue_lifetime expires and
> postfix tries to resend it
>  5. I DON'T receive any warning about that error until maximal_queue_lifetime 
> expires (implicitly 5 days), and THIS is the real problem, I don't know that 
> my message didn't arrive at destination because I've accidentally missed a 
> letter from destination domain name.

In case there is no MX record the mail is delivered to the domain's ip (a/ 
record).
It's up to the domain's administrator to set a NULL MX to prevent that, but 
it's quite new:
https://tools.ietf.org/html/rfc7505

What postfix can do:

delay_warning_time (default: 0h)
   The time after which the sender receives a copy of the message headers 
of mail that is still queued

bounce_queue_lifetime = 4h
maximal_queue_lifetime = 1d
...

man 5 postconf

Best regards
Gerald

Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Wietse Venema
Catalin Bucur:
> On 10/03/2020 17:16, Wietse Venema wrote:
> > This is a problem with your DNS resolver WHICH IS NOT PART OF
> > POSTFIX. You need to use a better DNS resolver.
> >
> > With a properly functioning resolver:
> >
> > $ host -t mx www.postfix.org
> > www.postfix.org  has no MX record
> >
> > Wietse
> 
> You didn't understand my issue, you didn't read enough of my message
> or I wasn't clear enough.
> It's not MY dns issue, in fact it's not really a dns issue. Again:

You wrote:
> For an existing domain but without MX, I receive the error /"Host or
> domain name not found. Name service error for name=onedomain.com
> type=MX: Host not found, try again)"/, but AFTER
> /maximal_queue_lifetime/, which is very annoying. In this case the

THAT is a DNS resolver issue. If a domain has no MX record the
resolver should say so IMMEDIATELY, instead of forever returning
NO RESPONSE.

Again, a proper resolver will IMMEDIATELY reply that the MX
record does not exist, allowing Postfix to proceed IMMEDIATELY.

With your broken resolver, Postfix gets NO RESPONSE, and therefore
it MUST NOT proceed.

Wietse


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

On 10/03/2020 17:16, Wietse Venema wrote:
> This is a problem with your DNS resolver WHICH IS NOT PART OF
> POSTFIX. You need to use a better DNS resolver.
>
> With a properly functioning resolver:
>
> $ host -t mx www.postfix.org
> www.postfix.org has no MX record
>
> Wietse

You didn't understand my issue, you didn't read enough of my message
or I wasn't clear enough.

It's not MY dns issue, in fact it's not really a dns issue. Again:
 1. I want to send mail to someb...@domain.com
 2. By mistake, I send message to someb...@doman.com (note a missing 'i')
 3. doman.com exists, BUT it doesn't have MX record defined
 4. my message stays in queue until /maximal_queue_lifetime/ expires
    and postfix tries to resend it
 5. I DON'T receive any warning about that error until
    /maximal_queue_lifetime/ expires (implicitly 5 days), and THIS is the
    real problem, I don't know that my message didn't arrive at destination
    because I've accidentally missed a letter from destination domain name.


Regards,

Catalin Bucur



Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Bill Cole

On 10 Mar 2020, at 10:26, Catalin Bucur wrote:

> Hello,
>
> I have a question about how Postfix generates warning messages about
> non-existent domains, non-existent MX domain names or for timeout
> connecting to a destination mail server. In fact, my real problem is
> that postfix does not warn me about anything when I incorrectly write
> the domain name for an email address AND by chance that domain exists
> but does not have configured MX record on its DNS.
>
> For example for a non-existent domain I receive almost instantly the
> message /"t...@asdasdasd.ro : Host or domain
> name not found. Name service error for name=asdasdasd.ro type=A: Host
> not found"/
> For an existing domain but without MX, I receive the error /"Host or
> domain name not found. Name service error for name=onedomain.com
> type=MX: Host not found, try again)"/, but AFTER
> /maximal_queue_lifetime/, which is very annoying. In this case the
> sender finds out only after 5 days about the real problem.

This should only happen in cases where the target domain has no MX
record but does have an A record, and the host at the A record's IP has
no mail service.

Fallback to A records is a standard part of how SMTP works. MX records
are not required for mail delivery and never have been.

> Is there any way to modify postfix configuration to inform the sender
> about such a problem instantly and to retry to send message until
> /maximal_queue_lifetime/ expires?

Not instantly, but you CAN warn the user sooner by setting a short
non-zero delay_warning_time. It should probably be at least as long as a
slow DNS lookup might take.

From the postconf(5) man page:

  delay_warning_time (default: 0h)
      The time after which the sender receives a copy of the message of mail
      that is still queued.  The confirm_delay_cleared parameter controls
      sender notification when the delay clears up.

      To enable this feature, specify a non-zero time value (an integral
      value plus an optional one-letter suffix that specifies the time unit).

      Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
      The default time unit is h (hours).

      See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)


Re: Warning about non-existent MX for destination domain

2020-03-10 Thread Wietse Venema
Catalin Bucur:
> For an existing domain but without MX, I receive the error /"Host or 
> domain name not found. Name service error for name=onedomain.com 
> type=MX: Host not found, try again)"/, but AFTER 
> /maximal_queue_lifetime/, which is very annoying. In this case the 
> sender finds out only after 5 days about the real problem.

This is a problem with your DNS resolver WHICH IS NOT PART OF
POSTFIX. You need to use a better DNS resolver.

With a properly functioning resolver:

$ host -t mx www.postfix.org
www.postfix.org has no MX record

Wietse


Warning about non-existent MX for destination domain

2020-03-10 Thread Catalin Bucur

Hello,

I have a question about how Postfix generates warning messages about
non-existent domains, non-existent MX domain names or for timeout
connecting to a destination mail server. In fact, my real problem is
that postfix does not warn me about anything when I incorrectly write the
domain name for an email address AND by chance that domain exists but
does not have configured MX record on its DNS.


For example for a non-existent domain I receive almost instantly the 
message /"t...@asdasdasd.ro : Host or domain 
name not found. Name service error for name=asdasdasd.ro type=A: Host 
not found"/
For an existing domain but without MX, I receive the error /"Host or 
domain name not found. Name service error for name=onedomain.com 
type=MX: Host not found, try again)"/, but AFTER 
/maximal_queue_lifetime/, which is very annoying. In this case the 
sender finds out only after 5 days about the real problem.


Is there any way to modify postfix configuration to inform the sender 
about such a problem instantly and to retry to send message until 
/maximal_queue_lifetime/ expires?


Thank you for your time.

Best regards,
Catalin