27/05/2007, 21:18   #9
Per Hedeland
Re: sendmail and DNS problem.

In article <1180289755.690728.183350@o11g2000prd.googlegroups.com> Dave
<david.greenhall@praybourne.co.uk> writes:
>> date | sendmail -Am -v -d8.8 david.greenhall@praybourne.co.uk.procmail

>dns_getcanonname(praybourne.local, trymx=1)
>dns_getcanonname: trying praybourne.local. (AAAA)
> NO: errno=0, h_errno=1
>dns_getcanonname: trying praybourne.local.praybourne.co.uk (AAAA)
> YES


Ouch - your provider has set up a wildcard CNAME record:

$ dig aaaa '*.praybourne.co.uk' @ns0.clara.net
....
;; ANSWER SECTION:
*.praybourne.co.uk. 18000 IN CNAME bed-11.uk.clara.net.

Very evil thing to do, tell them to remove it. The result is that your
user@praybourne.local gets "canonicalized" to user@bed-11.uk.clara.net,
and the rest is, as they say, history...

>So looking at this, it's searching DNS for praybourne.local, but what I
>don't understand is why this worked a couple of weeks ago, but not now.
>Why is it not using hosts first?!!


Well, it's a bit of a mess, due to the variety of "service switch"
implementations on different OSes. For host -> IP address lookup,
sendmail will effectively use the OS gethostbyname() function, which
uses the OS-specific service switch file. For canonicalization, this
doesn't work well, and so sendmail will do DNS, files, etc lookups
"directly". For the order of these, it understands the OS-specific files
on Solaris and Ultrix / OSF/1 / Digital Unix / whatever it's called now
if it still exists. For others it will use the ServiceSwitchFile defined
in the config (default /etc/mail/service.switch) if it exists, and if
not, it falls back to a hardwired order where "dns" comes before "files"
- which is generally the right thing to do, but not in your case.

To fix this - and you really should, even if your provider removes that
wildcard record, you shouldn't be looking up names like praybourne.local
in DNS - you can either create an /etc/mail/service.switch file that has
the right order (see doc/op/op.* for the contents), or declare that
names that end in .local are already canonical, and shouldn't be looked
up anywhere (for canonicalization), by putting this in your .mc file:

LOCAL_CONFIG
CP local

Or, better still I guess, don't use those .local addresses at all -
it's hard to make sure that they never "leak" out into the real 'net,
where they're obviously invalid.

>If in mailertable it's specified not to look up MX records, why does it
>still use DNS (I'm really confused)


Canonicalization happens before that, sendmail tries to make sure that
e.g. abbreviated names like user@host without a .domain part are
properly turned into a "canonical" name before it actually tries to
determine how the message should be routed. This is generally necessary
to find the correct routing info (e.g. a mailertable entry) - only in
this case it breaks totally due to the CNAME record above.

>Is it possible that between moving premises our sendmail configuration
>has got messed up?


No, it's the CNAME record that messes up what was a fragile
configuration to start with.

--Per Hedeland
per@hedeland.org
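An added illustration (not code from the post or from sendmail) of the canonicalization search Per describes: the name is tried as-is, then with the resolver's search domain appended, and the wildcard CNAME catches the second attempt. The zone table, the search domain and the `pseudo_domains` set (standing in for sendmail's class P, the `CP local` fix) are constructed assumptions; the real-world check remains the `dig` query shown above.

```python
from typing import Optional, Tuple

# Constructed zone data mirroring the dig answer in the post; the AAAA record
# for mail.praybourne.co.uk is invented for the "normal" case.
ZONE = {
    "*.praybourne.co.uk.": ("CNAME", "bed-11.uk.clara.net."),
    "mail.praybourne.co.uk.": ("AAAA", "2001:db8::25"),
}
SEARCH_DOMAINS = ["praybourne.co.uk."]  # assumed resolver search list


def lookup(name: str) -> Optional[Tuple[str, str]]:
    """Exact match first, then the nearest enclosing wildcard (*.parent).
    A DNS wildcard matches names with several extra labels, which is why
    praybourne.local.praybourne.co.uk is caught. Simplified: ignores the
    'closer name exists' rule of real wildcard matching."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONE:
            return ZONE[wild]
    return None


def canonicalize(name: str, pseudo_domains=()) -> Tuple[str, list]:
    """Model of dns_getcanonname(): returns (canonical name, trace).
    Names whose last label is in pseudo_domains (class P) are never looked up."""
    if name.rstrip(".").rsplit(".", 1)[-1] in pseudo_domains:
        return name, ["skipped: pseudo-domain, already canonical"]
    fqdn = name.rstrip(".") + "."
    trace = []
    for candidate in [fqdn] + [fqdn + d for d in SEARCH_DOMAINS]:
        rr = lookup(candidate)
        trace.append(f"trying {candidate}: {'YES' if rr else 'NO'}")
        if rr is None:
            continue
        rtype, rdata = rr
        # A CNAME answer replaces the name entirely, as in the post.
        return (rdata if rtype == "CNAME" else candidate).rstrip("."), trace
    return name, trace


def wildcard_cname_present(domain: str) -> bool:
    """Probe with a label that cannot legitimately exist (the dig check)."""
    rr = lookup("wildcard-probe-label." + domain.rstrip(".") + ".")
    return rr is not None and rr[0] == "CNAME"
```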