
Re: sendmail: why doesn't it resolve?

 
Fred Martin_1
Valued Contributor

sendmail: why doesn't it resolve?

Running sendmail version 11.1 on HP-UX 11.0...DNS also running on the same box.

I can resolve a particular domain name thus:

# nslookup windflite.com
....
Name: windflite.com
Address: 216.166.249.146

But an email sent to me from windflite.com is rejected:

sendmail[6397]: h2RL1Ul06397: ruleset=check_mail, arg1=, relay=[216.166.249.146], reject=451 4.1.8 Domain of sender address andy@windflite.com does not resolve

And to complicate it, if he sends the email a few more times, eventually it will resolve and gets delivered. nslookup -always- returns the address so I'm having a hard time believing that's simply DNS.

This began happening with 11.1, never happened when I was on 8.9.3 ...

Help! I'm rejecting needed mail....
fmartin@applicatorssales.com
Jeff Schussele
Honored Contributor

Re: sendmail: why doesn't it resolve?

Hi Fred,

Sendmail deals with special DNS entries known as MX (Mail eXchanger) records.

So lookup as follows
nslookup
> set type=mx
> windflite.com

Then you should get responses indicating the mail exchanger as well as preferences for each. If you don't get response, well then there's your trouble....
If you get responses then reverse lookup (by IP) the IPs for these MX entries - they MUST resolve as well.
Sendmail is very, very picky about lookups - they MUST resolve & resolve correctly in both directions.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
John Dvorchak
Honored Contributor

Re: sendmail: why doesn't it resolve?

I don't know if this helps or not, but when I do an nslookup on windflite.com I get 216.166.249.146 but when I do an nslookup on the address I get:

nslookup 216.166.249.146
Name Server: sldns.sbc.com
Address: 132.201.90.250

Trying DNS
Name: 216-166-249-146.clec.peknil.madisonriver.net
Address: 216.166.249.146

Evidently that address resolves to two different domains. Is that person using a 3rd party domain service like gotdns.com where he has a DSL/Cable attached server but has the domain name resolving to an address owned by peknil.madisonriver.net?

I think what is happening is that to your email server it looks like a spoofed name or spammer name and is rejecting them. You could try putting an /etc/hosts entry for this person if that is the only one that you are having trouble with:
216.166.249.146 windflite.com

Good luck


If it has wheels or a skirt, you can't afford it.
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

OK, did this:

> set type=mx
> windflite.com

And got:

Trying DNS
Authoritative answers can be found from:
windflite.com
origin = ns1.dnswiz.com
mail addr = hostmaster.dnswiz.com
serial = 12050
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
minimum ttl = 900 (15 mins)

Not sure what it means but why would it go through OK with sendmail, every third or fourth attempt, though?

If I just set sendmail to allow non-resolving names am I opening myself up to all kinds of trash?
fmartin@applicatorssales.com
Wilfred Chau_1
Respected Contributor

Re: sendmail: why doesn't it resolve?

Do you have an account on windflite.com?

Try connecting to the mail server directly.
mail addr = hostmaster.dnswiz.com

telnet hostmaster.dnswiz.com 25
helo
mail from: <>
rcpt to:
data

.


See if you can get past rcpt to. If you get "571 we do not relay", it means the mail server does not relay mail for your sender host.

Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

I get this when I try to resolve the address:

# nslookup 216.166.249.146
Name: 216-166-249-146.clec.peknil.madisonriver.net
Address: 216.166.249.146
#

So the name resolves but not the address.

I'm looking through the logs and I see several very big vendors of ours that are getting rejected and so it seems that this is not a unique case.

I'm thinking I'll need to allow unresolvable addresses?
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: sendmail: why doesn't it resolve?

Results from my web/mail server on the public Internet.

Sounds to me like you aren't getting reliable answers from your DNS server. You aren't using mail relay it seems.

[invest@jerusalem invest]$ dig windflite.com

; <<>> DiG 9.2.1 <<>> windflite.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6311
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;windflite.com. IN A

;; ANSWER SECTION:
windflite.com. 900 IN A 216.166.249.146

;; Query time: 305 msec
;; SERVER: 216.231.41.2#53(216.231.41.2)

[invest@jerusalem invest]$ nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set type=mx
> windflite.com
Server: 216.231.41.2
Address: 216.231.41.2#53

Non-authoritative answer:
*** Can't find windflite.com: No answer

Authoritative answers can be found from:


Based on these results it looks like THEIR DNS server isn't working right. I don't think it's your setup.

SEP
;; WHEN: Thu Mar 27 15:44:47 2003
;; MSG SIZE rcvd: 47


Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Accck! Forgot to mention, and this seems a pretty big part of the puzzle to me, my domain is applicatorssales.com, but I also accept mail for another domain name of ours - paradigmwindows.com .... both companies use the same server...but all the same users on the same machine.

When you send an email to fmartin@paradigmwindows.com, 3 out of 4 get rejected as described above.... but an email to fmartin@applicatorssales.com will always work.

???
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: sendmail: why doesn't it resolve?

Cute tag line.

I thought of another test, though I'm now convinced it's their DNS server.

Ran this test on my mail server which is running its own firewall but not behind one.

[root@jerusalem root]# sendmail -v -d38 -d8 andy@windflite.com
Steve was here
.
getmxrr: res_search(windflite.com.) failed (errno=0, h_errno=4)
andy@windflite.com... Connecting to windflite.com. via esmtp...
220 mail.windflite.com ESMTP Merak 4.00.80; Thu, 27 Mar 2003 16:54:01 -0600
>>> EHLO investmenttool.com
250-mail.windflite.com Hello investmenttool.com [66.92.143.194], pleased to meet
you.
250-SEND
250-SOML
250-SAML
250-SIZE
250-EXPN
250-ETRN
250-DSN
250-CHUNKING
250-CHECKPOINT
250-STARTTLS
250 HELP
>>> MAIL From: SIZE=15
250 OK ... Sender ok
>>> RCPT To:
250 OK ... Recipient ok
>>> DATA
354 Enter mail, end with "." on a line by itself
>>> .
250 OK 327 bytes received in 00:00:00; Message accepted for delivery
andy@windflite.com... Sent (OK 327 bytes received in 00:00:00; Message accepted
for delivery)
Closing connection to windflite.com.
>>> QUIT
221 mail.windflite.com closing connection


I'm not going to send multiple mails but this did not work every time I ran it. I hope Andy isn't pissed with me.

In HP-UX the syntax should be:
/usr/sbin/sendmail -v -d8.99 -d38.99 andy@windflite.com

type in a tag line
hit enter
type a dot(period)
.
hit enter

It is not working reliably, it's his DNS server.

SEP

Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Sorry, "when you send an email" should read "when andy@windflite.com sends an email" ...

fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: sendmail: why doesn't it resolve?

Sounds like I'm clueless.

Sorry.

If you are the DNS admin for that server, please upload the configuration of the zone record for both domains.

Also the /etc/aliases file would be useful.

The name server for windflite.com is not giving consistent answers for MX lookup requests. That much I am certain of.

SEP
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Please let's not actually use windflite.com as a test thanks, they're a business partner of ours.
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: sendmail: why doesn't it resolve?

Okay, I sent one mail, that was accepted. Please relay my deepest apologies.

SEP
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

I just sent an email to that address from my server; the mail was deferred and is in my mailq ... reason host map lookup deferred.

So sendmail doesn't send to that domain, I would assume for the same reason.

This makes me believe that turning off the feature that rejects unresolvable names for incoming mail won't fix my problem, but I will test it.

There's got to be some other difference between sendmail 8.9.3 and 11.1 ...

fred
fmartin@applicatorssales.com
Steven E. Protter
Exalted Contributor

Re: sendmail: why doesn't it resolve?

Nope, I'm convinced it's the DNS server configuration on the target of your email. I've had similar problems with my mx server when I had a syntax record in the zone record.

If you have control, I'm uploading a valid zone record that includes an mx record from one of the domains I host.

Hope it helps.

[invest@jerusalem named]$ more ilcba.org.zone

$TTL 86400
@ IN SOA @ ilcba.org (
4 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; ttl
)


@ IN NS dns1.investmenttool.com.
@ IN NS dns2.investmenttool.com.
@ IN MX 10 ilcba.org. ; primary mail exchanger

@ A 66.92.143.199
www A 66.92.143.199
news A 66.92.143.199
shell A 66.92.143.199
smtp A 66.92.143.199
dns1 A 66.92.143.194
dns2 A 66.92.143.195
localhost CNAME ilcba.org.
ftp CNAME investmenttool.com.
mail CNAME ilcba.org.


If I'm still not getting it, I apologize, but that DNS server isn't giving me good answers.


SEP
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

I don't agree that it's their problem, and am pretty convinced it's mine. Here's another log entry, from just yesterday:

Mar 27 16:56:36 corp sendmail[8847]: h2RLual08847: ruleset=check_mail, arg1=, relay=atlrel7.hp.com [156.153.255.213], reject=451 4.1.8 Domain of sender address itrc_forums1@hp.com does not resolve

Sorry, I gotta believe HP's domain is good to go. This has to be a configuration issue in my sendmail, or my DNS server.
fmartin@applicatorssales.com
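A way to survey these rejects across the whole mail log, as an added example that is not part of the original posts: it tallies `check_mail` sender-domain rejects per domain and separates temporary (4xx) from permanent (5xx) replies. The function names and the "several domains" heuristic are assumptions of this example; the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# First two lines are the log entries quoted in this thread; the last two are
# constructed for illustration (192.0.2.7 and nosuch.example are placeholders).
SAMPLE_LOG = """\
sendmail[6397]: h2RL1Ul06397: ruleset=check_mail, arg1=, relay=[216.166.249.146], reject=451 4.1.8 Domain of sender address andy@windflite.com does not resolve
Mar 27 16:56:36 corp sendmail[8847]: h2RLual08847: ruleset=check_mail, arg1=, relay=atlrel7.hp.com [156.153.255.213], reject=451 4.1.8 Domain of sender address itrc_forums1@hp.com does not resolve
Mar 27 17:02:10 corp sendmail[8901]: h2RM2Ab08901: ruleset=check_mail, arg1=<x@nosuch.example>, relay=[192.0.2.7], reject=501 5.1.8 Domain of sender address x@nosuch.example does not exist
Mar 27 17:05:44 corp sendmail[8922]: h2RM5Cd08922: from=<andy@windflite.com>, size=1204, nrcpts=1, relay=[216.166.249.146]
"""

REJECT_RE = re.compile(
    r"ruleset=check_mail,.*?relay=(?P<relay>.*?), "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"Domain of sender address (?P<sender>\S+) does not (?:resolve|exist)"
)

def summarize_rejects(log_text):
    """Tally check_mail sender-domain rejects per domain, split by 4xx/5xx."""
    summary = defaultdict(lambda: {"temp": 0, "perm": 0, "relays": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail and unrelated log lines
        domain = m.group("sender").strip("<>").rsplit("@", 1)[-1].lower()
        kind = "temp" if m.group("code").startswith("4") else "perm"
        summary[domain][kind] += 1
        summary[domain]["relays"].add(m.group("relay"))
    return dict(summary)

def temp_failure_domains(summary):
    """Domains whose rejects were only temporary (4xx) lookup failures."""
    return sorted(d for d, s in summary.items() if s["temp"] and not s["perm"])

def points_at_local_resolver(summary, min_domains=2):
    # Heuristic (an assumption of this example): temporary failures spread over
    # several unrelated sender domains suggest the receiving host's own
    # resolver path rather than one remote zone.
    return len(temp_failure_domains(summary)) >= min_domains

if __name__ == "__main__":
    result = summarize_rejects(SAMPLE_LOG)
    for domain, stats in sorted(result.items()):
        print(domain, stats["temp"], stats["perm"], sorted(stats["relays"]))
    print("local resolver suspected:", points_at_local_resolver(result))
```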
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

And, it's not consistent - sometimes, the same address will resolve, other times it won't (according to sendmail) ... using nslookup at a shell prompt, it always resolves.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Going back to something John said above, I'm wondering - if sendmail requires that it resolves in both directions, what happens when a domain name returns more than one address? i.e. hp.com will return several, but when you query each address you get individual hosts at hp.com. Still, the domain part is correct.

I really need more discussion on this as this must be resolved. I'd hate to have to go back to 8.9.3 ....
fmartin@applicatorssales.com
Ron Kinner
Honored Contributor

Re: sendmail: why doesn't it resolve?

I think you are just running afoul of the antispamming improvements in 11.1.

Have you tried putting an entry in /etc/mail/access for windflite.com (and any others which are a bit shaky)?

windflite.com OK

or

windflite.com RELAY

should let it work even if it doesn't resolve. Note you have to run

makemap hash /etc/mail/access < /etc/mail/access

after creating your access file or it won't work. And of course you have to have turned the feature on in the config file:

FEATURE(`access_db')


http://www.sendmail.org/m4/anti_spam.html#access_db for more details.

Ron
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Ron,

This is the makemap I'm doing:

makemap dbm /etc/mail/access < /etc/mail/access

I had been using that for sendmail 8.9.3...Is that not correct? Your example is using hash.

Also, I didn't put any entries in for the sticky ones because I'm sure there's something else going on; for instance, that hp.com record shown above, and the fact that they do occasionally resolve and get through.

Fred
fmartin@applicatorssales.com
Dave Unverhau_1
Honored Contributor

Re: sendmail: why doesn't it resolve?

Fred,

Along the line of Ron's post, have you tried to disable the MSA and revert to routing straight to the MTA? This might resolve the "something's different from 8.9.3" problem. I attached an excerpt from "Sendmail 8.11.1 Release Notes" on docs.hp.com - I hope it helps!

Regards,

Dave
Romans 8:28
Kevin Wright
Honored Contributor

Re: sendmail: why doesn't it resolve?

You should be using the latest version of sendmail, which is 8.12.8 due to a major security flaw just found a couple weeks ago.

Anyway, whether you use hash or dbm depends on what you built your sendmail to use, check what it says in sendmail.cf to see.

Is this mail server also the dns server, perhaps you're having network issues that are causing the DNS lookups to fail. Is sendmail.cf serviceswitch entry commented out or used?
U.SivaKumar_2
Honored Contributor

Re: sendmail: why doesn't it resolve?

Hi,

quote from you

"# nslookup windflite.com
....
Name: windflite.com
Address: 216.166.249.146"

Clearly indicates the DNS reply is a CNAME record ( alias ) windflite.com mapped to 216.166.249.146 the mail server IP address.

The CNAME record is encountered by sendmail in its recipient addresses; the latest versions of sendmail try to canonify the alias to the original DNS record. Say mail.windflite.com in our case.

Some Sendmail won't accept this.

To make sendmail work with CNAMEs.

Edit sendmail.cf and define this Line

O DontExpandCnames=True

save the file . Restart the sendmail daemon.

Hope your problem is solved now.

regards,

U.SivaKumar





Innovations are made when conventions are broken
Fred Martin_1
Valued Contributor

Re: sendmail: why doesn't it resolve?

Thanks very much for the last three posts. This will take a little time to digest but I will post again here after some tests.
fmartin@applicatorssales.com
Kevin Wright
Honored Contributor

Re: sendmail: why doesn't it resolve?

mp#dig type=mx windflite.com

; <<>> DiG 9.2.1 <<>> type=mx windflite.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14371
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;type=mx. IN A

;; AUTHORITY SECTION:
. 10682 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2003040700 1800 900 604800 86400

;; Query time: 5 msec
;; SERVER: 65.241.69.202#53(65.241.69.202)
;; WHEN: Mon Apr 7 11:39:49 2003
;; MSG SIZE rcvd: 100

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40174
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;windflite.com. IN A

;; ANSWER SECTION:
windflite.com. 704 IN A 216.166.249.146

;; AUTHORITY SECTION:
windflite.com. 704 IN NS ns1.dnswiz.com.
windflite.com. 704 IN NS ns2.dnswiz.com.
windflite.com. 704 IN NS ns3.dnswiz.com.
windflite.com. 704 IN NS ns4.dnswiz.com.

;; Query time: 4 msec
;; SERVER: 65.241.69.202#53(65.241.69.202)
;; WHEN: Mon Apr 7 11:39:49 2003
;; MSG SIZE rcvd: 12


This clearly states that there is NO mx record configured for windflite.com domain.
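For reading dig output such as the above mechanically, the following added example (not part of the original post) extracts each response's status, answer count and question section, so it is possible to confirm which name and record type a response actually answers. The function names are this example's own; the sample is the header and question lines of the output posted above.

```python
import re

# Header, flags and question lines copied from the dig output posted above
# (answer and authority sections left out).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14371
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;type=mx. IN A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40174
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;windflite.com. IN A
"""

HEADER_RE = re.compile(r"->>HEADER<<-.*status: (\w+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")

def parse_dig(text):
    """Return one dict per response: status, answer count, qname, qtype."""
    responses, cur, in_question = [], None, False
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            cur = {"status": h.group(1), "answers": 0, "qname": None, "qtype": None}
            responses.append(cur)
            in_question = False
        elif cur is None:
            continue  # preamble before the first response header
        elif line.startswith(";; flags:"):
            cur["answers"] = int(ANSWER_RE.search(line).group(1))
        elif line.startswith(";; QUESTION SECTION:"):
            in_question = True
        elif in_question:
            q = QUESTION_RE.match(line)
            if q:
                cur["qname"], cur["qtype"] = q.group(1).lower(), q.group(2).upper()
            in_question = False
    return responses

def was_queried(responses, name, rtype):
    """True only if some response's question was exactly (name, rtype)."""
    want = name.lower().rstrip(".") + "."
    return any(r["qname"] == want and r["qtype"] == rtype.upper() for r in responses)

if __name__ == "__main__":
    for r in parse_dig(DIG_OUTPUT):
        print(r["qname"], r["qtype"], r["status"], r["answers"])
```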