
Re: Connection timed out due to dns timeouts

  • Angel L. Mateo
    Message 1 of 8 , Feb 8, 2013
      On 08/02/13 11:27, Robert Schetterer wrote:
      > On 08.02.2013 10:42, Angel L. Mateo wrote:
      >> On 08/02/13 10:02, Robert Schetterer wrote:
      >>> On 08.02.2013 09:29, Angel L. Mateo wrote:
      >>>> Hello,
      >>>>
      >>>> I have list servers that send mail through other relay servers.
      >>>> With this configuration all mail sent from our mail servers is
      >>>> delivered through our relay servers. All servers use postfix (list
      >>>> servers use 2.7.0 and relay 2.5.5)
      >>>>
      >>>> We are having problems with dns lookups to one domain. I know it is
      >>>> not a postfix problem, but a dns configuration error in that domain.
      >>>> But it is affecting our servers.
      >>>>
      >>>> The problem is that whenever the relay server receives a mail
      >>>> directed to that domain, I get the error "conversation with <mail
      >>>> server> timed out while sending MAIL FROM". And as list server groups
      >>>> messages, all recipients in that group are rejected.
      >>>
      >>> as a workaround you can use a dedicated transport for that domain
      >>>
      >>>
      >>>>
      >>>> I've been looking for the problem on that domain and it is a timeout
      >>>> problem. Due to some problem in its configuration, I never have an
      >>>> answer (the domain exists, but it doesn't answer).
      >>>
      >>> what does not answer, their mailserver, your dns?
      >>>
      >> Their DNS doesn't respond. If I query it manually with dig, I get a
      >> timeout with no answer.
      >>
      >> The problem I'm having is that my relay server has
      >>
      >> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
      >> reject_unknown_recipient_domain, check_recipient_access
      >> pcre:/etc/postfix/recipient_checks.pcre, check_recipient_access
      >> hash:/etc/postfix/verified_recipient_checks, check_policy_service
      >> inet:127.0.0.1:10031,
      >> permit_mynetworks,permit_sasl_authenticated,
      >> reject_unauth_destination, check_recipient_maps, permit
      >>
      >> and is timing out in the reject_unknown_recipient_domain. As the
      >> server doesn't have any answer, the smtp connections from my list servers
      >> are completely timing out.
      >>
      >> I guess it could be a better behaviour if in this situation my relay
      >> server could return a 450 for this domain (at least, with this behaviour
      >> my list server could try with other recipients of the message)
      >
      > this should be default, unless you didnt changed or override it
      >
      > reject_unknown_recipient_domain
      > Reject the request when Postfix is not final destination for the
      > recipient domain, and the RCPT TO domain has 1) no DNS A or MX record or
      > 2) a malformed MX record such as a record with a zero-length MX hostname
      > (Postfix version 2.3 and later).
      > The unknown_address_reject_code parameter specifies the numerical
      > response code for rejected requests (default: 450). The response is
      > always 450 in case of a temporary DNS error.
      >
      I know this. It is normally working fine. My problem with this domain
      is that it is not being rejected. postfix just times out.
      >
      >>
      >>> you should invest more time in analysing the real problem
      >>> i.e. some routing problems may cause it
      >>
      >> Solving the problem with this particular domain (which is not mine),
      >> solves my problem now, but not future similar problems. So I think it
      >> would be better to avoid the situation.
      >>
      >
      > as far as I remember all dns checks have a tmp failure code
      > by default, sometimes it makes sense to change some of them globally, this
      > is kind of a design question, however you may construct bypasses with
      > smtpd_restriction_classes too, depending on e.g. some ip address etc
      >
      > http://www.postfix.org/RESTRICTION_CLASS_README.html
      >
      > in your case, the question seems to be at what server and at what point you
      > want to react with what error to dns rejects
      >
      I want my relay server to reject the mail (at
      reject_unknown_recipient_domain option with the corresponding reject
      code) not to time out.

      --
      Angel L. Mateo Martínez
      Sección de Telemática
      Área de Tecnologías de la Información
      y las Comunicaciones Aplicadas (ATICA)
      http://www.um.es/atica
      Tfo: 868889150
      Fax: 868888337
    • Viktor Dukhovni
      Message 2 of 8 , Feb 8, 2013
        On Fri, Feb 08, 2013 at 09:29:22AM +0100, Angel L. Mateo wrote:

        > We are having problems with dns lookups to one domain. I know it is
        > not a postfix problem, but a dns configuration error in that domain.
        > But it is affecting our servers.

        The easiest work-around is to stop sending mail to the unreachable
        domain.

        >
        > The problem is that whenever the relay server receives a mail
        > directed to that domain, I get the error "conversation with <mail
        > server> timed out while sending MAIL FROM". And as list server groups
        > messages, all recipients in that group are rejected.

        Your DNS timeouts are too long (perhaps tunable via /etc/resolv.conf
        on the relay), or SMTP timeouts too short (tunable via main.cf on
        the list server). You posted no log entries, or "postconf -n" so
        further help is not possible.

        > So I would like to configure some kind of dns lookup timeout in my
        > relay servers, so if the query is not answered I could reject the
        > message with a dns error instead of timing out the connection.
        >
        > Is this possible? How?

        Use VERP to send list messages to one recipient at a time with a
        variable sender address that allows you to track down the original
        recipient when processing bounces. With VERP only the problem domain
        will have delivery issues and you'll be able to purge persistently
        undeliverable recipients from your list.

        --
        Viktor.
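Added example, not part of the original message and not Postfix code: a Python sketch of the VERP scheme described in the message above, encoding each recipient into the envelope sender, decoding it again from the address a bounce arrives at, and listing recipients that keep bouncing. The "+" and "=" delimiters match Postfix's `default_verp_delimiters` default; the list address, function names, threshold and sample bounces are assumptions made for illustration.

```python
from collections import Counter

PLUS, EQUALS = "+", "="  # same pair as Postfix's default_verp_delimiters

def verp_sender(bounce_address, recipient):
    """Per-recipient envelope sender: prefix+user=domain@listhost."""
    b_local, b_domain = bounce_address.rsplit("@", 1)
    r_local, r_domain = recipient.rsplit("@", 1)
    return f"{b_local}{PLUS}{r_local}{EQUALS}{r_domain}@{b_domain}"

def verp_recipient(bounce_rcpt, bounce_address):
    """Original recipient encoded in the address a bounce arrived at,
    or None if the address is not a VERP address of this list."""
    b_local, b_domain = bounce_address.rsplit("@", 1)
    local, at, domain = bounce_rcpt.rpartition("@")
    prefix = b_local + PLUS
    if not at or domain.lower() != b_domain.lower():
        return None
    if not local.lower().startswith(prefix.lower()):
        return None
    # The recipient's local part may itself contain "+" or "="; a domain
    # cannot contain "=", so split on the LAST "=" after the known prefix.
    r_local, eq, r_domain = local[len(prefix):].rpartition(EQUALS)
    if not eq or not r_local or not r_domain:
        return None
    return f"{r_local}@{r_domain.lower()}"

def persistent_failures(bounce_rcpts, bounce_address, threshold=3):
    """Recipients whose VERP address received at least `threshold` bounces."""
    hits = Counter()
    for rcpt in bounce_rcpts:
        original = verp_recipient(rcpt, bounce_address)
        if original is not None:
            hits[original] += 1
    return sorted(addr for addr, n in hits.items() if n >= threshold)

# Constructed sample: envelope recipients of bounces that came back to the list.
LIST_BOUNCE = "list-bounces@lists.example.org"  # hypothetical list address
SAMPLE_BOUNCES = (
    ["list-bounces+ana=broken-dns.example@lists.example.org"] * 3
    + ["list-bounces+bob+news=example.net@lists.example.org"]
    + ["list-bounces@lists.example.org"]  # plain bounce address, not VERP
)

if __name__ == "__main__":
    print(verp_sender(LIST_BOUNCE, "ana@broken-dns.example"))
    print(persistent_failures(SAMPLE_BOUNCES, LIST_BOUNCE))
```
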
      • Angel L. Mateo
        Message 3 of 8 , Feb 10, 2013
          On 08/02/13 15:29, Viktor Dukhovni wrote:
          > On Fri, Feb 08, 2013 at 09:29:22AM +0100, Angel L. Mateo wrote:
          >
          >> We are having problems with dns lookups to one domain. I know it is
          >> not a postfix problem, but a dns configuration error in that domain.
          >> But it is affecting our servers.
          >
          > The easiest work-around is to stop sending mail to the unreachable
          > domain.
          >
          Yes, I already did it, but it could happen with other domains. I would like
          a solution, not a workaround.
          >>
          >> The problem is that whenever the relay server receives a mail
          >> directed to that domain, I get the error "conversation with <mail
          >> server> timed out while sending MAIL FROM". And as list server groups
          >> messages, all recipients in that group are rejected.
          >
          > Your DNS timeouts are too long (perhaps tunable via /etc/resolv.conf
          > on the relay), or SMTP timeouts too short (tunable via main.cf on
          > the list server). You posted no log entries, or "postconf -n" so
          > further help is not possible.
          >
          I'm sorry, I have attached it now. My timeouts are both defaults.


          --
          Angel L. Mateo Martínez
          Sección de Telemática
          Área de Tecnologías de la Información
          y las Comunicaciones Aplicadas (ATICA)
          http://www.um.es/atica
          Tfo: 868889150
          Fax: 868888337