On Wed, Jan 08, 2014 at 09:02:17PM +0000, Aaron Bennett wrote:

> For reasons beyond my control, one of the hosts we need to relay
> to is occasionally dropping out of dns.  We relay to it based on
> an ldap map which returns:
> 
> relay:[office365relay.clarku.edu]
> 
> That host is a CNAME for an external vendor.  It's not hard to
> guess which one.

    office365relay.clarku.edu. IN CNAME clarku-edu.mail.protection.outlook.com.
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.170
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.215
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.247
    clarku-edu.mail.protection.outlook.com. 10 IN A 207.46.163.138

Ah yes, the same "carefully implemented" nameservers that mishandle
TLSA queries with DANE (TLSA is DNS record type 52):

    $ dig +noall +comment +ans +norecur -t TYPE52 \
        _25._tcp.clarku-edu.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 38293
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

while the same query with type "any":

    $ dig +norecurse +noall +comment +ans -t any \
        _25._tcp.clarku-edu.mail.protection.outlook.com. \
        @ns1-proddns.glbdns.o365filtering.com.
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58105
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

correctly returns NXDOMAIN.  Have you found out whose DNS erroneously
returns NXDOMAIN from time to time?  Does the CNAME occasionally
disappear (clarku.edu's fault), or does the A record go away now and
then (problem at the hosting provider)?

> When it drops out, the message bounces:
> Jan  8 13:50:28 mothra.clarku.edu postfix/smtp[27291]: E1614684CCD:
>       to=<u...@clarku.edu>, relay=none, delay=0.18, delays=0.06/0.03/0.1/0,
>       dsn=5.4.4, status=bounced (Host or domain name not found. Name
>       service error for name=office365relay.clarku.edu type=A: Host not found)

Re-configure your transport tables to bypass the CNAME:

    transport:
        clarku.edu      smtp:[clarku-edu.mail.protection.outlook.com]

That'll reveal whether the problem is with the CNAME or the backend A record.

> I'd prefer it to defer.  I'm not sure why it's not deferring -
> is it the relay: line, or the [] enclosure, or something else?

To defer after NXDOMAIN, you need soft_bounce.  Use a dedicated
transport for that.

-- 
        Viktor.
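
Putting the two suggestions above together, as an added example that is not from the original message: a dedicated Postfix transport that routes clarku.edu mail straight to the CNAME target and turns the 5.4.4 "Host not found" bounce into a deferral. The transport name `o365relay` and the file paths are assumptions; enable soft_bounce only on this transport, since setting it globally would also change how the SMTP server and local delivery handle errors.

```conf
# /etc/postfix/main.cf (added example; file path and transport name are assumptions)
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport
# Deliver clarku.edu through the dedicated "o365relay" transport, addressed to
# the CNAME target directly so a missing CNAME no longer causes a lookup failure.
# The [] suppress MX lookup; a failing A record will still show up, which is
# what distinguishes a CNAME problem from a hosting-provider problem.
clarku.edu      o365relay:[clarku-edu.mail.protection.outlook.com]

# /etc/postfix/master.cf
# A copy of the stock smtp client with soft_bounce=yes: a 5.4.4 "name service
# error" on this transport is queued and retried instead of being bounced.
# service   type  private unpriv chroot wakeup maxproc command + args
o365relay   unix  -       -      n      -      -       smtp
    -o soft_bounce=yes
    -o syslog_name=postfix/o365relay

# Apply the changes (run as root):
#   postmap /etc/postfix/transport
#   postfix reload
```

The `syslog_name` override is optional; it tags this transport's log lines so deferrals on the relay can be watched separately from the rest of the outbound queue.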
