
Re: Sendmail DNS issues

 
James Stenglein
Occasional Advisor

Sendmail DNS issues

Hello all,

I know this has been brought up before, but I can't seem to find the exact solution so I'll give it a post also....

We have 2 servers running HP-UX 11 and sendmail 8.12. One is inbound traffic and one is outbound traffic. The outbound server is getting the error message "Deferred: Name server: xxxx.xxxx.com.: host name lookup failure" at a high rate (maybe 1 in 20 emails to legitimate sites). It is failing on such sites as Yahoo, HP, and Excite, for example. If I do nslookups from the outbound server itself, it finds the correct IP.

On some occasions, it will fail 2 of 3 times before it finally finds the IP and sends the email out, or it might even fail completely. We are using our ISP's resolver and there have been no changes made to our firewall. It just seems to be getting slowly worse, as we went from 15-20 a year ago to 400-600 failures now.

I understand that network congestion plays a part in these messages, but I don't understand why sendmail fails to look up records but I can from the same server?

Is there anything that I can do about these dns issues? Are there any timeouts that you would suggest we change? Anything at all?

Thanks in advance!!
7 REPLIES
Christopher Caldwell
Honored Contributor

Re: Sendmail DNS issues

You may be seeing transient look up failures due to timeouts.

Consider running a caching only name server.

Folks used to split name servers and sendmail servers. With the power and memory capabilities of today's servers, splitting doesn't make much sense.

Berlene Herren
Honored Contributor

Re: Sendmail DNS issues

You might want to try to increase the resolver timeout options in the sendmail.cf file.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
James Stenglein
Occasional Advisor

Re: Sendmail DNS issues

Thanks for the quick responses.

We have tried to talk people into allowing DNS on the sendmail servers, but the security team firmly says no, but we are running out of options before that is our last resort. What are the security impacts of hosting DNS on sendmail servers?

As far as the resolver.timeouts in the sendmail.cf, are there any suggested times other than the defaults? What would you recommend?
Christopher Caldwell
Honored Contributor

Re: Sendmail DNS issues

1) Modern bind has security measures that would prevent response to queries from other hosts.

2) You've got to run a resolver somewhere - the closer to the mail server, the better.

Any options available in resolver(3) are available as an option to ResolverOptions in sendmail.cf (omit the RES_ prefix from resolver(3)).
Berlene Herren
Honored Contributor

Re: Sendmail DNS issues

Try this one:

Timeout.resolver.retrans=30s

and recycle sendmail

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Vincent Fleming
Honored Contributor

Re: Sendmail DNS issues

You can set up a "named" on your mail server with forward-only... ie: in the named.conf, use:

options {
    // send every query to the listed resolvers instead of recursing from the roots
    forward only;
    forwarders {
        10.1.1.1;
        10.1.2.1;
    };
};

Then in your resolv.conf, use:

domain mydomain.com
nameserver 127.0.0.1


Your firewall should prevent anyone on the internet from getting to that server, so you should be OK security-wise - particularly since your incoming mail server is another machine. As far as anyone is concerned, your server would look (on the network) no different than it does today.

-Vince
No matter where you go, there you are.
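
An added example, not part of any reply in this thread: a named.conf fragment for the loopback-only, forward-only cache discussed above, with the BIND access controls that keep it from answering any other host regardless of firewall state. The forwarder addresses are the placeholders used in the reply above, and the directory path is an assumption.

```conf
// Caching, forward-only resolver used only by the local sendmail.
// Added example: forwarder addresses are the thread's placeholders,
// the directory path is an assumption.
options {
    directory "/var/named";          // assumed working directory

    // Bind the DNS listener to loopback only, so nothing off-box can
    // reach it even if a firewall rule is later loosened.
    listen-on { 127.0.0.1; };

    // Answer and recurse for the local host only.
    allow-query     { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };

    // No zones are served from this host, so refuse all transfers.
    allow-transfer  { none; };

    // Never walk the root servers directly: pass every query to the
    // upstream resolvers and cache their answers locally.
    forward only;
    forwarders {
        10.1.1.1;
        10.1.2.1;
    };
};
```

With this in place and `nameserver 127.0.0.1` in resolv.conf, the only DNS traffic leaving the mail server is its own queries to the two forwarders, so the outbound firewall rule can be limited to port 53 toward those addresses.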
Steven E. Protter
Exalted Contributor

Re: Sendmail DNS issues

Yahoo and AOL require the sending server resolve by DNS before they accept and deliver mail.

If the failure is absolute on all messages, this could explain it.

AOL is configured to reject mail from servers whose hostname or sendmail name cannot be resolved by DNS.

Yahoo accepts the mail but doesn't deliver it.

You can manually modify the Dj parameter in your sendmail file.

/etc/mail/sendmail.cf

Change

#Dj$w.Foo.COM

to

Djvaliddomain.com

Save the file

/sbin/init.d/sendmail stop
/sbin/init.d/sendmail start

If validdomain.com will resolve on the public Internet they will accept your mail.

If however you use a mail relay server with the DS directive in sendmail.cf the above instructions do not apply.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com