1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • strange host lookups

    From Marco Moock@21:1/5 to All on Thu Oct 3 11:02:09 2024
    Hello!

    I am currently experimenting with a test system.
    I am running 8.18.1-6 amd64 on Debian sid.

    I've used
    https://www.email-security-scans.org

    to let me send an email directly to the test system. This mail has been received and now needs to be sent to another machine via an alias.
    This works for other mails I generated. It only fails for that
    specific mail.

    It fails with

    [...]

    MAIL From:<[email protected]> SIZE=6644
    250 2.1.0 <[email protected]>... Sender ok
    RCPT To:<[email protected]>
    DATA
    250 2.1.5 <[email protected]>... Recipient ok
    354 Enter mail, end with "." on a line by itself v4-mail.dnssec-...urity-scans.org: Name server timeout
    timeout writing message to pi-keller.dorfdsl.de.
    [email protected]... Deferred: Name server: pi-keller.dorfdsl.de.: host
    name lookup failure Closing connection to pi-keller.dorfdsl.de.
    root@test:~#


    root@test:~# grep v4 /var/spool/mqueue/qf4938SHcZ025471
    Mhost map: lookup
    (v4-mail.dnssec-broken.measurement.email-security-scans.org): deferred "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org" <measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org> root@test:~#

    v4-mail.dnssec-broken.measurement.email-security-scans.org
    This lookup should intentionally fail when the resolver is verifying
    DNSSEC.

    OT: The concept of this service is that you reply to the test mail and
    they analyze the received mail. E.g. is an answer to the domain with
    broken DNSSEC arrives, they know that DNSSEC won't be checked.

    The question is just why sendmail resolves that name, as it isn't an
    SMTP recipient of the current mail nor a sender or hostname etc.

    It is only part of the Reply-To header of the mail (to test if the
    used DNS server checks DNSSEC).

    Why are domain parts of Reply-To looked up?
    Or is there another thing I missed that cause this lookup?


    This is the entire qf:
    V8
    T1727944097
    K1727945909
    N18
    P1570325
    I8/1/655570
    MDeferred
    Fbs
    $_mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88]
    $rESMTP
    $smail.email-security-scans.org
    ${daemon_flags}
    ${if_addr}IPv6:2a01:170:118f:2:0:0:0:24
    S<[email protected]>
    Ctest:8:0:<[email protected]>
    rRFC822; [email protected]
    RPFDA:[email protected]
    H?P?Return-Path: <<81>g>
    H??Authentication-Results: test.dorfdsl.de; dmarc=pass (p=reject dis=none) header.from=email-security-scans.org
    H??Authentication-Results: test; spf=pass (sender SPF authorized)
    smtp.mailfrom=email-security-scans.org (client-ip=2a06:d1c0:dead:3::88;
    helo=mail.email-security-scans.org;
    envelope-from=[email protected]; receiver=<UNKNOWN>) H??Authentication-Results: test.dorfdsl.de;
    dkim=pass (1024-bit key; secure) header.d=email-security-scans.org [email protected] header.a=rsa-sha256 header.s=key01 header.b=NnieD4po;
    dkim-atps=neutral
    H??Received: from mail.email-security-scans.org (mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88])
    by test.dorfdsl.de (8.18.1/8.18.1/Debian-6) with ESMTP id 4938SHcZ025471
    for <[email protected]>; Thu, 3 Oct 2024 10:28:17 +0200 H??DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email-security-scans.org;
    s=key01; t=1727944092; h=from:from:reply-to:reply-to:subject:subject:date:date:
    message-id:message-id:to:to:cc:mime-version:mime-version:
    content-type:content-type:
    content-transfer-encoding:content-transfer-encoding:list-help:
    list-owner:list-unsubscribe; bh=DJeYYMbaf+xiARgr9NWbvpGneJ0J1bj3uGoeqX8XziY=;
    b=NnieD4poOfqaoFSdtBs9di0al9+cElESiaL9W3znrGbKyxuE6ms2HzooeasZIwBP7U/jIP
    oSpogBRGh7512ebuJZkAa/me7FH+0Gg9BMTVGnnddsP/0G6rTMpJ6398Q7arffObDoONST
    1yyij1xjKMK069wcfAGZPzD5nWuU8Hs=
    H??Received:
    by mail.email-security-scans.org (OpenSMTPD) with ESMTPSA id f6cc5500 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=relay
    for <[email protected]>;
    Thu, 3 Oct 2024 08:28:12 +0000 (UTC)
    H??Date: Thu, 3 Oct 2024 08:28:11 +0000
    H??To: "[email protected]" <[email protected]>
    H??From: Email Delivery Evaluation <[email protected]> H??Reply-To: "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>,
    "[email protected]" <[email protected]>,
    "measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org" <measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org>
    H??Subject: Test ID:8has3gphg0vzxgrdcehqzzfwhnggs7: Your email deliverability test from email-security-scans.org
    H??Message-ID: <iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY@www.email-security-scans.org>
    H??X-Mailer: EmailConfTester (https://email-security-scans.org/) H??Auto-Submitted: auto-generated
    H??List-Help: <https://email-security-scans.org/description/> H??List-Unsubscribe: <https://email-security-scans.org/optout/nwjroydmx9lp2s6cchhimh4njstd2g/test%40test.dorfdsl.de>, <mailto:[email protected]?subject=test%40test.dorfdsl.de%20unsubscribe%20email-security-scans.org>
    H??List-Owner: <mailto:[email protected]> (Contact service operator abuse team for further inquiries.)
    H??MIME-Version: 1.0
    H??Content-Type: multipart/alternative;
    boundary="b1_iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY" H??Content-Transfer-Encoding: 8bit
    .





    --
    kind regards
    Marco

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Marco Moock on Thu Oct 3 07:10:31 2024
    Marco Moock wrote:

    The question is just why sendmail resolves that name, as it isn't an
    SMTP recipient of the current mail nor a sender or hostname etc.

    It is only part of the Reply-To header of the mail (to test if the

    Addresses in headers might be rewritten (or need to be "fixed").

    See for example sendmail/TUNING (and cf/README)

    * DNS Lookups
    -----------------------------------------------

    sendmail performs by default host name canonifications by using
    host name lookups. This process is meant to replace unqualified
    host name with qualified host names, and CNAMEs with the non-aliased
    name. However, these lookups can take a while for large address
    lists, e.g., mailing lists. If you can assure by other means that
    host names are canonical, you should use

    FEATURE(`nocanonify', `canonify_hosts')

    in your .mc file. For further information on this feature and
    additional options see cf/README.
    [[... read on ... ]]

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)