On Wed, Jan 08, 2014 at 09:02:17PM +0000, Aaron Bennett wrote:

> For reasons beyond my control, one of the hosts we need to relay
> to is occasionally dropping out of dns. We relay to it based on
> an ldap map which returns:
>
> relay:[office365relay.clarku.edu]
>
> That host is a CNAME for an external vendor. It's not hard to
> guess which one.

    office365relay.clarku.edu. IN CNAME clarku-edu.mail.protection.outlook.com.
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.170
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.215
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.247
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.138

Ah yes, the same "carefully implemented" nameservers that mishandle
TLSA queries with DANE (TLSA is DNS record type 52):

    $ dig +noall +comment +ans +norecur -t TYPE52 \
        _25._tcp.clarku-edu.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 38293
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

while the same query with type "any":

    $ dig +norecurse +noall +comment +ans -t any \
        _25._tcp.clarku-edu.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58105
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

correctly returns NXDOMAIN.

Have you found out whose DNS erroneously returns NXDOMAIN from time to
time? Does the CNAME occasionally disappear (clarku.edu's fault), or
does the A record go away now and then (problem at the hosting provider)?

> When it drops out, the message bounces:
> Jan 8 13:50:28 mothra.clarku.edu postfix/smtp[27291]: E1614684CCD:
> to=<u...@clarku.edu>, relay=none, delay=0.18, delays=0.06/0.03/0.1/0,
> dsn=5.4.4, status=bounced (Host or domain name not found. Name
> service error for name=office365relay.clarku.edu type=A: Host not found)

Re-configure your transport tables to bypass the CNAME:

    transport:
        clarku.edu smtp:[clarku-edu.mail.protection.outlook.com]

That'll reveal whether the problem is with the CNAME or the backend A
record.

> I'd prefer it to defer. I'm not sure why it's not deferring -
> is it the relay: line, or the [] enclosure, or something else?

To defer after NXDOMAIN, you need soft_bounce. Use a dedicated
transport for that.

-- 
	Viktor.
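The dedicated-transport setup referred to above, written out as an added example rather than configuration from the thread; the transport name "o365", the file paths and the use of a hash: transport table (instead of the poster's LDAP map) are assumptions.

```conf
# /etc/postfix/master.cf  (added example; service name "o365" is assumed)
#
# A private copy of the smtp(8) client on which soft_bounce is enabled.
# Permanent (5xx) failures seen by this service, including the
# "Host or domain name not found" DNS error from the bounce above,
# are turned into temporary (4xx) failures, so the mail is deferred
# and retried instead of being returned to the sender.  Because the
# override is attached to this service only, mail routed through the
# default "smtp" transport keeps its normal bounce behaviour.
#
# service  type  private unpriv chroot wakeup maxproc command
o365       unix  -       -      n      -      -       smtp
  -o soft_bounce=yes

# /etc/postfix/transport  (hash: table, assumed to be listed in
# main.cf as transport_maps = hash:/etc/postfix/transport)
#
# Route clarku.edu through the dedicated transport and directly to the
# vendor's A record, bypassing the CNAME office365relay.clarku.edu.
# The [] suppress MX lookups, as in the original relay:[...] entry.
clarku.edu    o365:[clarku-edu.mail.protection.outlook.com]
```

After editing, rebuild the table with postmap and reload Postfix. Since soft_bounce defers every permanent error on that service, not just DNS ones, watch the deferred queue (mailq) so that genuinely undeliverable mail is noticed rather than silently retried until it expires.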