[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users

>> ;; QUESTION SECTION:
>> ;eurobank-direktna.rs.  IN  NS
>> 
>> ;; ANSWER SECTION:
>> eurobank-direktna.rs.   3600  IN  NS  bgdit01edns01.eurobank.rs.
>> 
>> This is obviously wrong, but why should a resolver query
>> @ns1.eurobank.rs for eurobank-direktna.rs nameservers as
>> this information is already known.
> 
> This can happen in a variety of ways.  Sometimes the child zone
> "helpfully" includes NS records in the authority section along with
> answers.  Sometimes this happens when the delegation records are
> being refreshed due to TTL expiration, and sometimes an explicit user
> or application query for the NS records.
> 
> In any case BIND is "entitled" to prefer the child zone NS RR, which
> then turns out to be unusable.  The zone in question is misconfigured.

Thanks for clarification, Viktor.

Alex, you might try unbound instead of bind while this error persists.

https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/requirements.html

-->
Parent and child with different nameserver information

A misconfiguration that sometimes happens is where the parent and child
have different NS, glue information. The child is authoritative, and
unbound will not trust information from the parent nameservers as the
final answer. To help lookups, unbound will however use the parent-side
version of the glue as a last resort lookup. This resolves lookups for
those misconfigured domains where the servers reported by the parent are
the only ones working, and servers reported by the child do not.
<--

In case you or your customer is affiliated with eurobank, you might
tell them about that misconfiguration.

Best regards,
Gerald
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 25, 2023 at 08:43:26PM +0200, Gerald Galster via Postfix-users wrote:

> >; Delegation NS
> >eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
> >eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
> >eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
> > 
> >; Authoritative NS
> >eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.
> > 
> > The latter host does not exist:
> > 
> > [...]
> >
> > Once BIND learns the authoritative NS, the domain is bricked until that
> > data times out.
> 
> Is that implementation specific? It doesn't seem to be the case with unbound.

Some resolvers are "parent-centric" and some "child-centric".  The child
NS records are de jure more authoritative.

> It probably works because the NS records are already provided
> by the .rs tld nameservers:

That's typically the initial state.

> ;; QUESTION SECTION:
> ;eurobank-direktna.rs.  IN  NS
> 
> ;; ANSWER SECTION:
> eurobank-direktna.rs.   3600  IN  NS  bgdit01edns01.eurobank.rs.
> 
> This is obviously wrong, but why should a resolver query
> @ns1.eurobank.rs for eurobank-direktna.rs nameservers as
> this information is already known.

This can happen in a variety of ways.  Sometimes the child zone
"helpfully" includes NS records in the authority section along with
answers.  Sometimes this happens when the delegation records are
being refreshed due to TTL expiration, and sometimes an explicit user
or application query for the NS records.

In any case BIND is "entitled" to prefer the child zone NS RR, which
then turns out to be unusable.  The zone in question is misconfigured.

-- 
Viktor.


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users
>; Delegation NS
>eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
>eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
>eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
> 
>; Authoritative NS
>eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.
> 
> The latter host does not exist:
> 
> [...]
> Once BIND learns the authoritative NS, the domain is bricked until that
> data times out.

Is that implementation specific? It doesn't seem to be the case with unbound.

It probably works because the NS records are already provided
by the .rs tld nameservers:

# dig @f.nic.rs eurobank-direktna.rs ns
[...]
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; AUTHORITY SECTION:
eurobank-direktna.rs.   3600  IN  NS  ns2.eurobank.rs.
eurobank-direktna.rs.   3600  IN  NS  ns1.eurobank.rs.
eurobank-direktna.rs.   3600  IN  NS  ns3.eurobank.rs.


# dig @ns1.eurobank.rs eurobank-direktna.rs ns
[...]
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; ANSWER SECTION:
eurobank-direktna.rs.   3600  IN  NS  bgdit01edns01.eurobank.rs.

This is obviously wrong, but why should a resolver query
@ns1.eurobank.rs for eurobank-direktna.rs nameservers as
this information is already known. And it's not a subdomain
that might be delegated to another nameserver.

Best regards
Gerald


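The parent-versus-child NS comparison done by hand with the two dig queries above can be scripted. The following is an added example, not part of the original thread: the function names are hypothetical and the sample dig output is constructed from the records quoted in the messages.

```shell
# Added example: compare delegation (parent) NS with authoritative (child) NS.
PARENT_SAMPLE=';; AUTHORITY SECTION:
eurobank-direktna.rs.   3600  IN  NS  ns2.eurobank.rs.
eurobank-direktna.rs.   3600  IN  NS  ns1.eurobank.rs.
eurobank-direktna.rs.   3600  IN  NS  ns3.eurobank.rs.'
CHILD_SAMPLE=';; ANSWER SECTION:
eurobank-direktna.rs.   3600  IN  NS  bgdit01edns01.eurobank.rs.'

# ns_targets ZONE DIG_OUTPUT: sorted, lower-cased NS targets for ZONE,
# taken from any section (a referral carries them in AUTHORITY).
ns_targets() {
    zone=$(printf '%s' "${1%.}." | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$2" | awk -v zone="$zone" '
        /^;/ || NF < 5 { next }
        tolower($1) == zone && $3 == "IN" && $4 == "NS" { print tolower($5) }
    ' | sort -u
}

# missing_from A B: comma-separated names listed in A that are absent from B.
missing_from() {
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done | paste -sd, -
}

# check_delegation ZONE PARENT_OUTPUT CHILD_OUTPUT: prints a one-line verdict.
check_delegation() {
    parent_ns=$(ns_targets "$1" "$2")
    child_ns=$(ns_targets "$1" "$3")
    if [ -z "$parent_ns" ] || [ -z "$child_ns" ]; then
        echo "incomplete: no NS records parsed from one side"
    elif [ "$parent_ns" = "$child_ns" ]; then
        echo "consistent"
    else
        echo "mismatch parent-only=$(missing_from "$parent_ns" "$child_ns") child-only=$(missing_from "$child_ns" "$parent_ns")"
    fi
}

# live_check ZONE PARENT_SERVER CHILD_SERVER: same check against real servers,
# e.g. live_check eurobank-direktna.rs f.nic.rs ns1.eurobank.rs
live_check() {
    check_delegation "$1" \
        "$(dig +norecurse +noall +answer +authority "@$2" "$1" NS)" \
        "$(dig +norecurse +noall +answer +authority "@$3" "$1" NS)"
}
check_delegation eurobank-direktna.rs "$PARENT_SAMPLE" "$CHILD_SAMPLE"
```

Any name reported as child-only should then be resolved on its own (A/AAAA); a child NS target that returns NXDOMAIN is the condition described in this thread.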


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 25, 2023 at 12:24:04PM -0400, Alex via Postfix-users wrote:
> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
> 
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 :
> Sender address rejected: Domain not found; from=<
> obaveste...@eurobank-direktna.rs> to= proto=ESMTP helo=<
> mail.email.eurobank-direktna.rs>
> 
> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
> both have forward and reverse DNS entries.
> 
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.

See:

https://dnsviz.net/d/eurobank-direktna.rs/ZEgBpw/dnssec/

The most obvious problem is that the delegation NS (parent zone) records
for the domain don't agree with the authoritative NS (child zone) records.

; Delegation NS
eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0

; Authoritative NS
eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.

The latter host does not exist:

; <<>> DiG 9.18.7 <<>> -t a bgdit01edns01.eurobank.rs.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;bgdit01edns01.eurobank.rs. IN  A

Once BIND learns the authoritative NS, the domain is bricked until that
data times out.

-- 
Viktor.


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Matus UHLAR - fantomas via Postfix-users

>> Hi, I realize this is probably one of the most frequently asked questions,
>> but I really can't figure out why this was rejected.
>>
>> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
>> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8
>> <u...@eurobank-direktna.rs>: Sender address rejected: Domain not found;
>> from=<obaveste...@eurobank-direktna.rs> to=<mi...@example.com> proto=ESMTP
>> helo=<mail.email.eurobank-direktna.rs>
>>
>> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
>> both have forward and reverse DNS entries.
>>
>> I thought maybe it just didn't resolve properly at the time the email was
>> received, but it's been happening for hours.

On 25.04.23 19:02, Gerald Galster via Postfix-users wrote:
> Negative dns answers may be cached but usually not for hours.
> Verify that the resolver running on the postfix server can
> resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx
>
> Alternatively try a public resolver in /etc/resolv.conf:
>
> nameserver 8.8.8.8
> or
> nameserver 1.1.1.1


If you have any kind of spam filtering that uses DNS-based lists, at postfix
or spam filter level, do NOT do this.

Install a full recursive DNS server for your mailserver instead.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Bill Cole via Postfix-users

On 2023-04-25 at 12:24:04 UTC-0400 (Tue, 25 Apr 2023 12:24:04 -0400)
Alex via Postfix-users
is rumored to have said:

> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
>
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 :
> Sender address rejected: Domain not found; from=<
> obaveste...@eurobank-direktna.rs> to= proto=ESMTP helo=<
> mail.email.eurobank-direktna.rs>
>
> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
> both have forward and reverse DNS entries.
>
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.

The 450 error code implies a transient failure, e.g. a SERVFAIL reply or
a timeout. One of the authoritative nameservers for eurobank-direktna.rs
(the domain part of the sender address) times out for me at the moment,
which may be related to what you're seeing.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Alex via Postfix-users
Hi,

On Tue, Apr 25, 2023 at 1:03 PM Gerald Galster via Postfix-users <postfix-users@postfix.org> wrote:

> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
>
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT
> from mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 <
> u...@eurobank-direktna.rs>: Sender address rejected: Domain not found;
> from= to=
> proto=ESMTP helo=
>
> What am I missing? eurobank-direktna.rs and
> mail.email.eurobank-direktna.rs both have forward and reverse DNS entries.
>
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.
>
>
> Negative dns answers may be cached but usually not for hours.
> Verify that the resolver running on the postfix server can
> resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx
>

That was the problem, thanks. I think it may be due to a low memory issue
on the mail server. Simply restarting bind fixed it, but it is definitely
curious to me that it was responding properly for so long.

Thanks for taking the time to help.



[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users
> Hi, I realize this is probably one of the most frequently asked questions, 
> but I really can't figure out why this was rejected.
> 
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8
> <u...@eurobank-direktna.rs>: Sender address rejected: Domain not found;
> from= to= proto=ESMTP helo=
> 
> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
> both have forward and reverse DNS entries.
> 
> I thought maybe it just didn't resolve properly at the time the email was 
> received, but it's been happening for hours.

Negative dns answers may be cached but usually not for hours.
Verify that the resolver running on the postfix server can
resolve that domain because this sounds like a dns problem.

https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

Query the resolvers listed in /etc/resolv.conf directly, e.g.

dig @127.0.0.1 eurobank-direktna.rs a
dig @127.0.0.1 eurobank-direktna.rs mx

Alternatively try a public resolver in /etc/resolv.conf:

nameserver 8.8.8.8
or
nameserver 1.1.1.1

Best regards,
Gerald
