# DNS and sendmail



## qsecofr (Apr 29, 2010)

Having troubles with sendmail on FBSD7.2.  One of the issues might be DNS maybe.  I'm not exactly sure what the following maillog error means:

```
Apr 28 11:32:49 motive sm-msp-queue[54444]: o3S42j7r040474: to=marc, delay=14:30:04, xdelay=00:00:00, mailer=relay, pri=6051213, relay=
[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Name server: [127.0.0.1]: host name lookup failure
Apr 28 11:32:50 motive sm-msp-queue[54444]: o3S002ZC029776: to=marc, ctladdr=marc (1000/1000), delay=18:32:48, xdelay=00:00:00, mailer=relay, 
pri=6589884, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
```

I believe this mail originated on my local host sent to my local host.  I get the sense either sendmail couldn't reach the nameserver, or the nameserver didn't return an MX record.  Not sure.


```
sockstat -4 | grep 'named'
bind     named      1121  20 tcp4   67.40.25x.yz:53       *:*
bind     named      1121  21 tcp4   *:953                 *:*
bind     named      1121  512udp4   67.40.25x.yz:53       *:*
```

I have 2 views set up in named, internal & external.  my workstation is internal view obviously.  External view doesn't include the 192.168/16 interfaces.


```
dig @67.40.25x.yz myown.net MX

; <<>> DiG 9.4.3-P2 <<>> @67.40.25x.yz myown.net MX
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30960
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;myown.net.             IN      MX

;; ANSWER SECTION:
myown.net.      3600    IN      MX      0 host.myown.net.

;; AUTHORITY SECTION:
myown.net.      3600    IN      NS      host.myown.net.

;; ADDITIONAL SECTION:
host.myown.net. 3600  IN      A       192.168.1.1
host.myown.net. 3600  IN      A       192.168.111.2
host.myown.net. 3600  IN      A       67.40.25x.yz

;; Query time: 18 msec
;; SERVER: 67.40.25x.yz#53(67.40.25x.yz)
;; WHEN: Wed Apr 28 18:13:50 2010
;; MSG SIZE  rcvd: 120
```

I do have the domain registered.  And everything appeared to be running smoothly till several days ago.  incoming mail arrived fine, especially spam.  Never a problem with outgoing mail, or delivery on localhost.  Upgrading to perl 5.10 and libpng preceded the sendmail meltdown.  Since then incoming mail is stopped.  When I send myself email from an external net, like Yahoo or from my corporate net, I now get the deferred error and delivery ultimately fails.  The error report from my corporate email exchange server says something like MX record not found.  (or maybe just not responsive, not sure).


```
sockstat -4 | grep 'sendmail'
root     sendmail   5507  5  udp4   67.40.25x.yz:58624    67.40.25x.yz:53
root     sendmail   1511  4  tcp4   *:25                  *:*
root     sendmail   1511  5  tcp4   *:587                 *:*

telnet 67.40.25x.yz 25
Trying 67.40.25x.yz...
Connected to host.myown.net.
Escape character is '^]'.
220 host.myown.net ESMTP Sendmail 8.14.3/8.14.3; Wed, 28 Apr 2010 18:25:41 -0700 (PDT)
HELO
501 5.0.0 HELO requires domain address
```


```
more /etc/resolv.conf
domain  myown.net
nameserver      67.40.25x.yz
options timeout:2
```

I've not rebuilt sendmail or anything in /etc/mail.  They didn't seem to depend on perl or png.

Would really appreciate some extra insight into where the communication between sendmail & bind is breaking down.


----------



## qsecofr (Apr 29, 2010)

*DNS reverse lookup*

Still searching.  Is it possible my reverse map is not set up correctly for local host?


```
tail -100 /var/named/var/log/queries.log | grep '1.0.0.127' | more
28-Apr-2010 22:02:52.205 queries: info: client 67.40.25x.yz#63291: view me: query: 1.0.0.127.in-addr.arpa IN PTR +
28-Apr-2010 22:02:52.208 queries: info: client 67.40.25x.yz#64547: view me: query: 1.0.0.127.sbl-xbl.spamhaus.org IN A +
28-Apr-2010 22:15:36.710 queries: info: client 67.40.25x.yz#62315: view me: query: 1.0.0.127 IN A +
```


```
dig @67.40.25x.yz 1.0.0.127

; <<>> DiG 9.4.3-P2 <<>> @67.40.25x.yz 1.0.0.127
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62648
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.127.                     IN      A

;; AUTHORITY SECTION:
.                       10516   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010042801 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 67.40.25x.yz#53(67.40.25x.yz)
;; WHEN: Wed Apr 28 22:20:20 2010
;; MSG SIZE  rcvd: 102
```


```
tail -100 maillog | grep '22:02:52' | grep '127'
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3T42p7r006083: to=marc, delay=01:00:00, xdelay=00:00:00, mailer=relay, pri=4399422, relay=
[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Name server: [127.0.0.1]: host name lookup failure
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3T002fs005158: to=marc, ctladdr=marc (1000/1000), delay=05:02:50, xdelay=00:00:00, mailer=relay, 
pri=4938093, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3S42j7r040474: to=marc, delay=1+01:00:07, xdelay=00:00:00, mailer=relay, pri=7941213, relay=
[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3S002ZC029776: to=marc, ctladdr=marc (1000/1000), delay=1+05:02:50, xdelay=00:00:00, mailer=relay, 
pri=8479884, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3R42d7r071302: to=marc, delay=2+01:00:12, xdelay=00:00:00, mailer=relay, pri=9427202, relay=
[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3R000up066982: to=marc, ctladdr=marc (1000/1000), delay=2+05:02:52, xdelay=00:00:00, mailer=relay, 
pri=10055831, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3R42d7s071302: to=marc, delay=2+01:00:12, xdelay=00:00:00, mailer=relay, pri=10201764, relay=
[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
Apr 28 22:02:52 motive sm-msp-queue[6308]: o3R00ntQ067036: to=marc, ctladdr=marc (1000/1000), delay=2+05:02:03, xdelay=00:00:00, mailer=relay, 
pri=10830435, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: 451 4.3.2 Please try again later
```


```
more /var/named/etc/namedb/master/localhost.rev
;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.6 2000/01/10 15:31:40 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

$TTL    1h

@       IN SOA  host.myown.net. postmaster.myown.net.  (
                                20071025        ; Serial
                                1h              ; Refresh
                                1h              ; Retry
                                1h              ; Expire
                                1h )            ; Minimum
        IN      NS      host.myown.net.
1       IN      PTR     localhost.myown.net.
```


```
cat /etc/hosts | grep 'local'
# This file should contain the addresses and aliases for local hosts that
::1                     localhost localhost.myown.net
127.0.0.1               localhost localhost.myown.net
```


----------



## SirDice (Apr 29, 2010)

qsecofr said:
			
		

> ```
> dig @67.40.25x.yz 1.0.0.127
> ```


Try [cmd=]dig @67.40.25x.yz 127.0.0.1[/cmd]

No need to reverse the IP address.


----------



## DutchDaemon (Apr 29, 2010)

`dig @yourdns -x 127.0.0.1` and [cmd=]dig @yourdns localhost[/cmd] in this case.


----------



## qsecofr (Apr 30, 2010)

*DNS localhost zones*

I think my localhost zones are unmatched.  But I'd like to clarify..

Here's zone records

```
# more /var/named/etc/namedb/master/localhost.rev
;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.6 2000/01/10 15:31:40 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

$TTL    1h

@       IN SOA  host.myown.net. postmaster.myown.net.  (
                                20071025        ; Serial
                                1h              ; Refresh
                                1h              ; Retry
                                1h              ; Expire
                                1h )            ; Minimum
        IN      NS      host.myown.net.
1       IN      PTR     localhost.myown.net.
```


```
# more /var/named/etc/namedb/master/named.localhost
$ORIGIN localhost.
$TTL 1h
@   IN  SOA localhost. postmaster.localhost. (
            20071025    ; serial
            1h          ; refresh
            1h          ; retry
            1h          ; expiration
            1h )        ; minimum
    IN  NS  localhost.
    IN  A   127.0.0.1
```

Does the SOA record (host & domain) need to match between forward & reverse?

Does the NS record need to match between forward & reverse, and should it name an IP/interface that BIND actually runs on?  The localhost resolves to an address that BIND is not listening on.  Though 

```
# more /etc/resolv.conf
domain  myown.net
nameserver      67.40.25x.yz
options timeout:2
```

Do I need an MX record in both forward & reverse for localhost ?  With this recent problem I'm having, I'd guess yes.. but don't know for sure

dig output forward

```
# dig @67.40.25x.yz localhost.myown.net   

; <<>> DiG 9.4.3-P2 <<>> @67.40.25x.yz localhost.myown.net
; (1 server found)                                                
;; global options:  printcmd                                      
;; Got answer:                                                    
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4915          
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;localhost.myown.net.   IN      A

;; ANSWER SECTION:
localhost.myown.net. 3600 IN    A       127.0.0.1

;; AUTHORITY SECTION:
myown.net.      3600    IN      NS      host.myown.net.

;; ADDITIONAL SECTION:
host.myown.net. 3600  IN      A       67.40.25x.yz
host.myown.net. 3600  IN      A       192.168.1.1
host.myown.net. 3600  IN      A       192.168.111.2

;; Query time: 0 msec
;; SERVER: 67.40.25x.yz#53(67.40.25x.yz)
;; WHEN: Thu Apr 29 17:28:39 2010
;; MSG SIZE  rcvd: 130

[/var/log]
 319# dig @67.40.25x.yz localhost

; <<>> DiG 9.4.3-P2 <<>> @67.40.25x.yz localhost
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15219
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;localhost.                     IN      A

;; ANSWER SECTION:
localhost.              3600    IN      A       127.0.0.1

;; AUTHORITY SECTION:
localhost.              3600    IN      NS      localhost.

;; Query time: 0 msec
;; SERVER: 67.40.25x.yz#53(67.40.25x.yz)
;; WHEN: Thu Apr 29 17:28:51 2010
;; MSG SIZE  rcvd: 57
```

And reverse

```
# dig @67.40.25x.yz -x 127.0.0.1

; <<>> DiG 9.4.3-P2 <<>> @67.40.25x.yz -x 127.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65342
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 3600    IN      PTR     localhost.myown.net.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   3600    IN      NS      host.myown.net.

;; ADDITIONAL SECTION:
host.myown.net. 3600  IN      A       192.168.111.2
host.myown.net. 3600  IN      A       67.40.25x.yz
host.myown.net. 3600  IN      A       192.168.1.1

;; Query time: 0 msec
;; SERVER: 67.40.25x.yz#53(67.40.25x.yz)
;; WHEN: Thu Apr 29 17:31:54 2010
;; MSG SIZE  rcvd: 150
```


----------



## qsecofr (May 2, 2010)

*DNS configuration*

I used http://www.squish.net/dnscheck to test the DNS config of my external zone.  A SOA NS queries all worked 100%.  MX queries were 50%.  

network solutions prevented me at registration from using the same IP address twice, even with 2 different host names (one alias, one CNAME).  So I used 2 different IPs from a block of 8 routable given by my ISP.  I edited the IP for the alias such that both hosts now have the same IP, and net-sol seemed to accept it.  I've still got a third host name record (retired computer, good IP) which I can't seem to delete.  But that didn't seem to cause squish any errors.  Getting the MX queries 100% successful could only help.

But apart from that the immediate problems seem to be on my internal view.  Either DNS still not configured right, or sendmail flaked out.  Or this might have something to do with the whole mess:

```
01-May-2010 17:03:08.398 queries: info: client 67.40.25x.yz#56659: view me: query: 1.0.0.127.in-addr.arpa IN PTR +
01-May-2010 17:03:08.401 queries: info: client 67.40.25x.yz#58333: view me: query: 1.0.0.127.sbl-xbl.spamhaus.org IN A +
```

Just above these entries I see a connection inbound to my mail server, and a reverse IP spamhaus name lookup.  The loopback address in block above makes me think sendmai is checking my loopback as a known spammer for some reason.  The time of day matches to the second with maillog error for host name lookup failed.


----------



## qsecofr (May 2, 2010)

*Solved sendmail*

I have an mc feature that used an outdated dnsbl host.  the new host is zen.spamhaus.org.  I made all in /etc/mail and restarted sendmail.  Saw an error about group write permission on directory /var/spool/MIMEDefang.  Revoked it.  Appears to be back in business.

Follow on question:
I've got a single dnsbl check in my host sendmail mc file.  Also the default setting

```
tail /usr/local/etc/mimedefang/sa-mimedefang.cf
# does this, set this to 1.

skip_rbl_checks 1
```

Is rbl functionally equivalent to dnsbl?  Theoretically if spamassassin can do this, and keep an up-to-date list of hosts, then I'd rather not mess around with my sendmail mc file.  Obviously I can't keep up with changing hosts well enough.  I didn't find what i was looking for on the spamassassin website.  Any insights?

Thanks


----------

