Re: Sender domain must resolve error for some sites...
Hi there, Here comes the final installment on my problems with sending mail to certain domains. The problem, as mentioned, was that our domain name records were set up as non-authoritative. I don't know how our ISP managed that, but they have changed the records so that the DNS records are authoritative. Sending mail to the domains mentioned earlier now works. Thanks to all here for their patience. Best regards Anthony PS. Qmail is a great program, I don't think I will go back to sendmail again.
Re: Sender domain must resolve error for some sites...
Hi there, As promised, the explanation to my domain issues. The ISP holding our domain name records has set the DNS up as non-authoritative by mistake. No one can tel me how that happened but we believe that it happened in conjunction with a migration of DNS to an other server (Machine). Now a lookup on our domain name will return the IP address '203.44.8.249' which is our www server. This seems to be a common setup. I assume that a domain name lookup from sendmail or qmail will be OK since there will be a reply rather than 'SERVFAIL' as before. I will confirm if things work once the DNS entries have propagated through the Net. Anthony
Re: Sender domain must resolve error for some sites...
Thanks to all who have replied to my "Sender domain must resolve" problem. I am not an expert on DNS and our DNS records are held by a company that has been sold twice over the last 6 months with resulting staff changes. Me "barking up the wrong tree" and them going through lots of changes makes it hard. Anyway I am now going to try to get things resolved according to advice given from you guys. I will post a message when things are fixed so you know what came out of it. Anthony
Re: Sender domain must resolve error for some sites...
Quoting Anthony White ([EMAIL PROTECTED]): > Duncan Watson wrote: > > >From my point of view the bouncing programs are broken. Having no address > > record for a domain but having MX records as you do is 100% valid. I have > > > > That is what I thaught... You're not getting it, dude. Your DNS setup is broken. Your nameservers return server failure when looking up an A record for movielink.net.au. It's OK to not have an A record for a domain you want to receive mail. It's not OK to return SERVFAIL when looking up an A record. > 'guestmail.net' and 'is.com.fj' > > I have got my ISP to change the reverse lookup to 'movielink.net.au'. Your problem has nothing to do with reverse lookups. Those machines should not be rejecting your email outright, however you do need to fix something in the dns for the movielink.net.au zone. > I dont know if this is valid but at least it the IP '139.130.11.172' > should reverse lookup to 'movielink.net.au' (Qmail still says HELO > 'mail.movielink.net.au' which results in a message that it may > be forged but at least it should not stop things) Put the domain name it resolves to into control/helohost. Aaron
Re: Sender domain must resolve error for some sites...
SNIP Oops. Finger trouble. The NS in my original post is mistyped. My apologies. However, the correctly typed server name still returns SERVFAIL. GW
Re: Sender domain must resolve error for some sites...
Anthony White wrote: > > Duncan Watson wrote: > > > On Fri, Apr 14, 2000 at 11:14:55AM -0700, Aaron L. Meehan wrote: > > > Quoting Duncan Watson ([EMAIL PROTECTED]): > > Why is is so difficoult, why am I getting conflicting messages > as to where the problem is? Well, it seems pretty straightforward to me, a humble end user... here is a query: gandalf:~$ dig @ns0.me1.aone.net.au movielink.net.au ; <<>> DiG 8.2 <<>> @ns0.me1.aone.net.au movielink.net.au ; Bad server: ns0.me1.aone.net.au -- using default server and timer opts ; (2 servers found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUERY SECTION: ;; movielink.net.au, type = A, class = IN ;; Total query time: 38 msec ;; FROM: gandalf to SERVER: default -- 127.0.0.1 ;; WHEN: Fri Apr 14 21:44:05 2000 ;; MSG SIZE sent: 34 rcvd: 34 IMHO, returning SERVFAIL is a Bad Thing(TM). I do not by any means consider myself either a DNS or SMTP wizard, but I would think that when the SMTP server tries to resolve movielink.net.au, it should get some sort of answer, not either of SERVFAIL or NXDOMAIN*. For example, Mr. Bernstein's domain: gandalf:~$ dig cr.yp.to ; <<>> DiG 8.2 <<>> cr.yp.to ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUERY SECTION: ;; cr.yp.to, type = A, class = IN ;; ANSWER SECTION: cr.yp.to. 0S IN A 131.193.178.181 ;; Total query time: 922 msec ;; FROM: gandalf to SERVER: default -- 127.0.0.1 ;; WHEN: Fri Apr 14 21:49:56 2000 ;; MSG SIZE sent: 26 rcvd: 42 So, it looks to me as if the domain name must resolve to an A record. * I believe it was mentioned earlier in the list that perhaps if the DNS answered authoritatively that there was no such animal as movielink.net.au, the lookup would then fall back to the MX record's name, mail.movielink.net.au. I cannot be sure if that is the case, having always made sure that the domain name resolved to an A record. GW
Re: Sender domain must resolve error for some sites...
Duncan Watson wrote: > On Fri, Apr 14, 2000 at 11:14:55AM -0700, Aaron L. Meehan wrote: > > Quoting Duncan Watson ([EMAIL PROTECTED]): Why is is so difficoult, why am I getting conflicting messages as to where the problem is? > > > > Even our qmail server (with UCE patches) would reject his mail. > > It's arguable... > > > > Aaron > > There we go. I only looked for valid MX'ng. I also get the error you report > albiet via nslookup and debug=1. I will repeat how my mail works: 1. All mail sent to the domain 'movielink.net.au' gets pointed to the machine 'mail.movielink.net.au' via an MX record with priority 20. 2. The IP address of 'mail.movielink.net.au' is listed in an A record in the DNS. The IP address is '203.44.8.251'. 3. The 'movielink.net.au' domain is hosted at the DNS '203.2.193.124'. 4. Using nalookup in default mode fails if looking up 'movielink.net.au'. 5. All mail is received just fine at our site. 6. All outgoing mail is sent via qmail-smtpd to our firewall and "masqueraded" onto the internet IP address '139.130.11.172'. 7. Qmail sais "HELO mail.movielink.net.au" and the receiver replies xxx(may be forged). Reverse lookup on IP '139.130.11.172' set to 'movielink.net.au'. 'telnet guestmail.net 25' and used the 'HELO movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This fails with error "451 Sender domain must resolve..." 'telnet guestmail.net 25' and used the 'HELO mail.movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This fails with error "451 Sender domain must resolve..." 'telnet guestmail.net 25' and used the 'HELO mail.movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This fails with error "451 Sender domain must resolve..." Reverse lookup on IP '139.130.11.172' set to 'mail.movielink.net.au'. = 'telnet guestmail.net 25' and used the 'HELO movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This fails with error "451 Sender domain must resolve..." 'telnet guestmail.net 25' and used the 'HELO mail.movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This fails with error "451 Sender domain must resolve..." 'telnet guestmail.net 25' and used the 'HELO mail.movielink.net.au' then 'MAIL From:<[EMAIL PROTECTED]> This is "OK". I am lost > > > Anthony if you are still reading, this should be your solution. Fix you DNS > not to die when providing this address record. > DNS records. --- Server: oznet.ozemail.com.au Address: 203.2.193.124 Non-authoritative answer: movielink.net.aupreference = 20, mail exchanger = mail.movielink.net.au movielink.net.aupreference = 50, mail exchanger = mail.mel.aone.net.au movielink.net.aupreference = 100, mail exchanger = mx1.mel.aone.net.au movielink.net.aupreference = 200, mail exchanger = mx2.syd.aone.net.au movielink.net.aunameserver = ns0.mel.aone.net.au movielink.net.aunameserver = ns1.mel.aone.net.au movielink.net.aunameserver = ns2.syd.aone.net.au movielink.net.au origin = ns0.mel.aone.net.au mail addr = hostmaster.aone.net.au serial = 232800 refresh = 28800 (8H) retry = 7200 (2H) expire = 2592000 (4w2d) minimum ttl = 86400 (1D) Authoritative answers can be found from: mail.movielink.net.au internet address = 203.44.8.251 mail.mel.aone.net.auinternet address = 203.2.192.66 mx1.mel.aone.net.au internet address = 203.108.7.46 mx2.syd.aone.net.au internet address = 203.108.7.41 ns0.mel.aone.net.au internet address = 203.2.192.95 ns1.mel.aone.net.au internet address = 203.2.192.94 ns2.syd.aone.net.au internet address = 203.2.193.123 > If someone could tel me where the problem is I would be happy. Anthony
Re: Sender domain must resolve error for some sites...
Duncan Watson wrote: > > All mail sent is shown to come from 'mail.movielink.net.au' with > > the IP of the firewall. That IP currently resolves to 'mail.movielink.net.au' > > which does not match with <[EMAIL PROTECTED]> and the error 451 is > > sent back to us. > > > > Should I have that IP reverse lookup to resolve to 'movielink.net.au' > > instead? > > >From my point of view the bouncing programs are broken. Having no address > record for a domain but having MX records as you do is 100% valid. I have > That is what I thaught... 2 domains that do consistently not work are 'guestmail.net' and 'is.com.fj' when I have reverse lookup set to 'mail.movielink.net.au'. > used that setup many times. You want mail.movielink.net.au to reverse resolve > to the domain it claims to be (mail.movielink.net.au) for other reasons and > for filters that do checking correctly. There is nothing wrong with > mascarading either ethically or technically. Some zeolots are preaching that > all should resolve in their ideologically correct way but unfortunately many > of their ideologies are flawed in that they do not handle: > 1. dialup users needs > 2. certain types of firewall needs (yours) > 3. basically anything past a certain level of complexity. 'guestmail.net' and 'is.com.fj' I have got my ISP to change the reverse lookup to 'movielink.net.au'. I dont know if this is valid but at least it the IP '139.130.11.172' should reverse lookup to 'movielink.net.au' (Qmail still says HELO 'mail.movielink.net.au' which results in a message that it may be forged but at least it should not stop things) Now the "MAIL From:<[EMAIL PROTECTED]>" should result in an OK response if the receiving SMTP server looks up the IP address. Anthony
Re: Sender domain must resolve error for some sites...
On Fri, Apr 14, 2000 at 11:14:55AM -0700, Aaron L. Meehan wrote: > Quoting Duncan Watson ([EMAIL PROTECTED]): > > On Fri, Apr 14, 2000 at 11:50:52AM -0700, Anthony White wrote: > > > There is no record pointing to the domain itself. It points > > > to 'mail.movielink.net.au' > > > >From my point of view the bouncing programs are broken. Having no address > > record for a domain but having MX records as you do is 100% valid. I have > > Yes this is true, however his DNS setup is indeed broken. Trying to > get an A record for movielink.net.au returns SERVFAIL, not merely > NXDOMAIN (no such domain). > > ; <<>> DiG 8.2 <<>> movielink.net.au a > ;; res options: init recurs defnam dnsrch > ;; got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 > ;; QUERY SECTION: > ;; movielink.net.au, type = A, class = IN > > Even our qmail server (with UCE patches) would reject his mail. > It's arguable... > > Aaron There we go. I only looked for valid MX'ng. I also get the error you report albiet via nslookup and debug=1. Anthony if you are still reading, this should be your solution. Fix you DNS not to die when providing this address record. /Duncan -- Duncan Watson nCube
Re: Sender domain must resolve error for some sites...
Quoting Duncan Watson ([EMAIL PROTECTED]): > On Fri, Apr 14, 2000 at 11:50:52AM -0700, Anthony White wrote: > > There is no record pointing to the domain itself. It points > > to 'mail.movielink.net.au' > >From my point of view the bouncing programs are broken. Having no address > record for a domain but having MX records as you do is 100% valid. I have Yes this is true, however his DNS setup is indeed broken. Trying to get an A record for movielink.net.au returns SERVFAIL, not merely NXDOMAIN (no such domain). ; <<>> DiG 8.2 <<>> movielink.net.au a ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUERY SECTION: ;; movielink.net.au, type = A, class = IN Even our qmail server (with UCE patches) would reject his mail. It's arguable... Aaron > used that setup many times. You want mail.movielink.net.au to reverse resolve > to the domain it claims to be (mail.movielink.net.au) for other reasons and > for filters that do checking correctly. There is nothing wrong with > mascarading either ethically or technically. Some zeolots are preaching that > all should resolve in their ideologically correct way but unfortunately many > of their ideologies are flawed in that they do not handle: > 1. dialup users needs > 2. certain types of firewall needs (yours) > 3. basically anything past a certain level of complexity. > > Who is doing the bouncing? > > /Duncan > > -- > Duncan Watson > nCube -- Aaron L. Meehan [EMAIL PROTECTED] System AdministratorCentral Oregon Internet http://www.coinet.com/
Re: Sender domain must resolve error for some sites...
On Fri, Apr 14, 2000 at 11:50:52AM -0700, Anthony White wrote: > There is no record pointing to the domain itself. It points > to 'mail.movielink.net.au' > > All our incoming mail comes via one IP into a firewall, gets port > forwarded to the mailserver and is processed. > > We have no problems receiving mail. > > All mail sent is shown to come from 'mail.movielink.net.au' with > the IP of the firewall. That IP currently resolves to 'mail.movielink.net.au' > which does not match with <[EMAIL PROTECTED]> and the error 451 is > sent back to us. > > Should I have that IP reverse lookup to resolve to 'movielink.net.au' > instead? >From my point of view the bouncing programs are broken. Having no address record for a domain but having MX records as you do is 100% valid. I have used that setup many times. You want mail.movielink.net.au to reverse resolve to the domain it claims to be (mail.movielink.net.au) for other reasons and for filters that do checking correctly. There is nothing wrong with mascarading either ethically or technically. Some zeolots are preaching that all should resolve in their ideologically correct way but unfortunately many of their ideologies are flawed in that they do not handle: 1. dialup users needs 2. certain types of firewall needs (yours) 3. basically anything past a certain level of complexity. Who is doing the bouncing? /Duncan -- Duncan Watson nCube
Re: Sender domain must resolve error for some sites...
Chris Johnson wrote: > > Your name servers appear to be broken: There is no record pointing to the domain itself. It points to 'mail.movielink.net.au' All our incomming mail comes via one IP into a firewall, gets port forwarded to the mailserver and is processed. We have no problems receiving mail. All mail sent is shown to come from 'mail.movielink.net.au' with the IP of the firewall. That IP currently resolves to 'mail.movielink.net.au' which does not match with <[EMAIL PROTECTED]> and the error 451 is sent back to us. Should I have that IP reverse lookup to resolve to 'movielink.net.au' instead? > > $ dnsmx movielink.net.au > dnsmx: fatal: unable to find MX records for movielink.net.au: temporary failure > > Chris
Re: Sender domain must resolve error for some sites...
On Fri, Apr 14, 2000 at 10:26:17AM -0700, Anthony White wrote: > Hi there, > > I have a very specific problem sending mail to certain domains that > do reverse verification of mail. They come up with > > From: <[EMAIL PROTECTED]> Error, sender domain must resolve... > delivery deferred... Your name servers appear to be broken: $ dnsmx movielink.net.au dnsmx: fatal: unable to find MX records for movielink.net.au: temporary failure Chris
