Loading ...
Sorry, an error occurred while loading the content.

291217Re: Connection timed out due to dns timeouts

Expand Messages
  • Angel L. Mateo
    Feb 8, 2013
    • 0 Attachment
      El 08/02/13 11:27, Robert Schetterer escribió:
      > Am 08.02.2013 10:42, schrieb Angel L. Mateo:
      >> El 08/02/13 10:02, Robert Schetterer escribió:
      >>> Am 08.02.2013 09:29, schrieb Angel L. Mateo:
      >>>> Hello,
      >>>>
      >>>> I have list servers that send mails through another relay servers.
      >>>> With this configuration all mail sent from our mail servers are
      >>>> delivered through our relay servers. All servers use postfix (list
      >>>> servers use 2.7.0 and relay 2.5.5)
      >>>>
      >>>> We are having problems with dns lookups to one domain. I know is
      >>>> not
      >>>> a postfix problem, but a dns configuration error in that domain. But it
      >>>> is affecting our servers.
      >>>>
      >>>> The problem is that whenever the relay server receives a mail
      >>>> directed to that domain, I get the error "conversation with <mail
      >>>> server> timed out while sending MAIL FROM". And as list server group
      >>>> messages, all recipients in that group as rejected.
      >>>
      >>> as workaround you can use a a deditacted transport for that domain
      >>>
      >>>
      >>>>
      >>>> I've been looking for the problem on that domain and is a timeout
      >>>> problem. Due to some problem in its configuration, I've never have an
      >>>> answer (the domain exists, but it doesn't answer).
      >>>
      >>> what does not answer ,their mailserver , your dns ?
      >>>
      >> Their DNS doesn't respond. If I query it manually with dig, I get a
      >> timeout with no answer.
      >>
      >> The problem I'm having is that my relay server has
      >>
      >> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
      >> reject_unknown_recipient_domain, check_recipient_access
      >> pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access
      >> hash:/etc/postfix/verified_recipient_checks, check_policy_service
      >> inet:127.0.0.1:10031,
      >> permit_mynetworks,permit_sasl_authenticated,
      >> reject_unauth_destination, check_recipient_maps, permit
      >>
      >> and is timing out in the reject_unknown_recipient_domain. As the
      >> server doesn't have any answer, the smtp connection from my list servers
      >> are completely timing out.
      >>
      >> I guess it could be a better behaviour if in this situation my relay
      >> server could return a 450 for this domain (at least, with this behaviour
      >> my list server could try with other recipients of the message)
      >
      > this should be default, unless you didnt changed or override it
      >
      > reject_unknown_recipient_domain
      > Reject the request when Postfix is not final destination for the
      > recipient domain, and the RCPT TO domain has 1) no DNS A or MX record or
      > 2) a malformed MX record such as a record with a zero-length MX hostname
      > (Postfix version 2.3 and later).
      > The unknown_address_reject_code parameter specifies the numerical
      > response code for rejected requests (default: 450). The response is
      > always 450 in case of a temporary DNS error.
      >
      I know this. It is normally working fine. My problem with this domain
      is that it is not being rejected. postfix just times out.
      >
      >>
      >>> you should invest more time in analyse the real problem
      >>> i.e some routing problems may cause it
      >>
      >> Solving the problem with this particular domain (which is not mine),
      >> solves my problem now, but not future similar problems. So I think it
      >> would be better to avoid the situation.
      >>
      >
      > as far i remember all dns checks have tmp failure code
      > at default, sometimes it makes sense to change some of them global, this
      > is kind of design question, however you may construct bypasses with
      > smtpd_restriction_classes too depending to i.e some ipaddress etc
      >
      > http://www.postfix.org/RESTRICTION_CLASS_README.html
      >
      > i your case , the question seems , at what server and what point you
      > want to react with what error by dns rejects
      >
      I want my relay server to reject the mail (at
      reject_unknown_recipient_domain option with the corresponding reject
      code) not to time out.

      --
      Angel L. Mateo Martínez
      Sección de Telemática
      Área de Tecnologías de la Información
      y las Comunicaciones Aplicadas (ATICA)
      http://www.um.es/atica
      Tfo: 868889150
      Fax: 868888337
    • Show all 8 messages in this topic