comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#1
Hello,
I am trying to resolve a serious problem with sendmail and some domains. In fact, when this kind of (problematic) domain is trying to write a message to our sendmail server, we have this error message in /var/mail/maillog:

_____________________________________

    Jan 23 08:30:55 srvmsg sendmail[26280]: l0N7UjnV026280: ruleset=check_mail, arg1=<example@legifrance.gouv.fr>, relay=[195.101.212.235], reject=553 5.1.8 <example@legifrance.gouv.fr>... Domain of sender address example@legifrance.gouv.fr does not exist

_____________________________________

This domain has an "ns" record, "A" record, "soa" and "mx" record... :

    [root@srvmsg]# host -t a legifrance.gouv.fr
    legifrance.gouv.fr has address 195.101.212.234
    [root@srvmsg]# host -t soa legifrance.gouv.fr
    legifrance.gouv.fr SOA passerelle7.ort.fr. gblenet.adminfw.ort.fr. 2006010601 21600 3600 1209600 600
    [root@srvmsg]# host -t ns legifrance.gouv.fr
    legifrance.gouv.fr name server web4.ort.fr.
    legifrance.gouv.fr name server passerelle7.ort.fr.
    legifrance.gouv.fr name server ns2.legifrance.gouv.fr.
    legifrance.gouv.fr name server ns3.legifrance.gouv.fr.
    [root@srvmsg]# host -t mx legifrance.gouv.fr
    legifrance.gouv.fr mail is handled by 5 gate.legifrance.gouv.fr.

_________________________________

I have checked my DNS and my sendmail server, but that seems to work fine.

- I have only noticed that if I do:

    host -t any legifrance.gouv.fr

before the command (for example)

    host -t soa legifrance.gouv.fr

The answer of "any" type isn't complete. (update of the DNS cache memory information, I think...)

********************************************

When I am using sendmail in debug mode, I have these answers:

    [root@srvmsg]# echo '/mx legifrance.gouv.fr' |sendmail -bt -d8.8
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > getmxrr(legifrance.gouv.fr, droplocalhost=0)
    getmxrr: res_search(legifrance.gouv.fr) failed (errno=0, h_errno=4)
    dns_getcanonname(legifrance.gouv.fr, trymx=0)
    dns_getcanonname: trying legifrance.gouv.fr. (A)
            NO: errno=0, h_errno=4
    dns_getcanonname: trying legifrance.gouv.fr. (MX)
            YES
    dns_getcanonname: legifrance.gouv.fr
    getmxrr(legifrance.gouv.fr) returns 1 value(s):
            legifrance.gouv.fr.

    [root@servmsg]# echo '/map host legifrance.gouv.fr' |sendmail -bt -d8.8
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    > map_lookup: host (legifrance.gouv.fr)
    dns_getcanonname(legifrance.gouv.fr, trymx=1)
    dns_getcanonname: trying legifrance.gouv.fr. (A)
            YES
    dns_getcanonname: legifrance.gouv.fr
    returns legifrance.gouv.fr. (0)

*******************************************

We can observe this error in the debug mode:

    dns_getcanonname: trying legifrance.gouv.fr. (A)
            NO: errno=0, h_errno=4

Is there a system to tell sendmail, in the config file, to not verify the A record when it's trying to do its request:

    dns_getcanonname: trying legifrance.gouv.fr. (A)

[ Without putting "accept_unresolvable_domain" ON ... ]

In this case, what are the consequences on the security of my domain?

Or, can I tell my DNS to verify all before answering?

Thanks,
Regards.
#2
In article <1169544340.255600.308110@q2g2000cwa.googlegroups.com> "rem" <littlebouda@gmail.com> writes:
>
>_____________________________________
>Jan 23 08:30:55 srvmsg sendmail[26280]: l0N7UjnV026280:
>ruleset=check_mail,
>arg1=<example@legifrance.gouv.fr>, relay=[195.101.212.235]
>, reject=553 5.1.8 <example@legifrance.gouv.fr>... Domain of sender
>address example@legifrance.gouv.fr does not exist
>_____________________________________

This means that sendmail received a definite "that name does not exist" (NXDOMAIN error) from DNS.

>This domain have a "ns" record, "A" record, "soa" and "mx" record... :

I can confirm that now, but when I tried it earlier I got no responses from any name server. I suspect that your troubles are with broken/misconfigured (but possibly fixed now) name servers.

>- I have only notice that if I do :
>
>host -t any legifrance.gouv.fr
>before the command (for example)
>host -t soa legifrance.gouv.fr
>
>The answer of "any" type isn't complete. (update of the DNS cache
>memory information, I think...)

Yes, that is per the spec - "any" doesn't mean "all", but "give me what you have". If some records are in the local cache, you just get those, if none are there your local name server forwards the "any" to an authoritative server, where "what you have" is of course everything, i.e. it in effect turns into "all". Sendmail doesn't use "any" queries since quite a few versions back.

>[root@srvmsg]# echo '/mx legifrance.gouv.fr' |sendmail -bt -d8.8
>ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
>Enter <ruleset> <address>
>> getmxrr(legifrance.gouv.fr, droplocalhost=0)
>getmxrr: res_search(legifrance.gouv.fr) failed (errno=0, h_errno=4)
>dns_getcanonname(legifrance.gouv.fr, trymx=0)
>dns_getcanonname: trying legifrance.gouv.fr. (A)
> NO: errno=0, h_errno=4

This is quite OK per se (though disagrees with the assertion that there is an A record) - it means "I don't have any A records, but there is other data", and sendmail continues the search:

>dns_getcanonname: trying legifrance.gouv.fr. (MX)
> YES
>dns_getcanonname: legifrance.gouv.fr
>getmxrr(legifrance.gouv.fr) returns 1 value(s):
> legifrance.gouv.fr.

And such a result would *not* lead to the rejection above. I.e. either the DNS data has changed in between, or the daemon is using other name servers than the ones you end up using in your interactive test (e.g. because /etc/resolv.conf has changed w/o the daemon getting restarted).

>Is there a system to tell sendmail, in the config file, to not verify
>the A record when it's trying to do its request :
>dns_getcanonname: trying legifrance.gouv.fr. (A)

There is no need for that, and it wouldn't solve your problem. IIRC sendmail tries A before MX to avoid some issues with wildcard MX records giving a "false match".

--Per Hedeland
per@hedeland.org
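
The distinction drawn in the reply above (h_errno=4 "no data of that type" versus a definite NXDOMAIN) can be read mechanically from a `sendmail -bt -d8.8` trace. This Python parser is an added example, not part of either post and not sendmail's own code; `parse_trace` and `verdict` are hypothetical names, `PAGE_TRACE` is copied from the first post, and `NXDOMAIN_TRACE` is constructed for contrast.

```python
import re

# h_errno values as defined in <netdb.h>
H_ERRNO = {1: "HOST_NOT_FOUND", 2: "TRY_AGAIN", 3: "NO_RECOVERY", 4: "NO_DATA"}

TRYING = re.compile(r"dns_getcanonname: trying (\S+) \((\w+)\)")
RESULT = re.compile(r"^\s*(YES|NO: errno=\d+, h_errno=(\d+))\s*$")

# Trace from the first post (the '/mx legifrance.gouv.fr' test).
PAGE_TRACE = """\
getmxrr: res_search(legifrance.gouv.fr) failed (errno=0, h_errno=4)
dns_getcanonname(legifrance.gouv.fr, trymx=0)
dns_getcanonname: trying legifrance.gouv.fr. (A)
        NO: errno=0, h_errno=4
dns_getcanonname: trying legifrance.gouv.fr. (MX)
        YES
dns_getcanonname: legifrance.gouv.fr
"""

# Constructed sample: what a definite "name does not exist" answer looks like.
NXDOMAIN_TRACE = """\
dns_getcanonname: trying nonexistent.example. (A)
        NO: errno=0, h_errno=1
"""

def parse_trace(text):
    """Return [(name, qtype, outcome)] for each dns_getcanonname attempt."""
    steps, pending = [], None
    for line in text.splitlines():
        m = TRYING.search(line)
        if m:
            pending = (m.group(1).rstrip("."), m.group(2))
            continue
        r = RESULT.match(line)
        if r and pending:
            ok = r.group(1) == "YES"
            outcome = "YES" if ok else H_ERRNO.get(int(r.group(2)), "UNKNOWN")
            steps.append(pending + (outcome,))
            pending = None
    return steps

def verdict(steps):
    """Summarise a trace; only 'nxdomain' matches the 553 5.1.8 reject in the log."""
    outcomes = [o for _, _, o in steps]
    if not outcomes:
        return "no-lookups"
    if "YES" in outcomes:
        return "resolves"
    if "HOST_NOT_FOUND" in outcomes:
        return "nxdomain"
    if "TRY_AGAIN" in outcomes or "NO_RECOVERY" in outcomes:
        return "dns-failure"
    return "nodata"
```

Running the same parser over a trace captured in the daemon's environment and one from an interactive shell shows whether the two see different DNS answers.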