Timeout setting

Mark Andrews marka at isc.org
Thu Mar 25 21:15:32 UTC 2021 

This is a bug in postfix. Temporary failures in the DNS are not supposed to result in permanent failure at the SMTP level.  SERVFAIL  is not NXDOMAIN.

-- 
Mark Andrews

> On 26 Mar 2021, at 04:12, Julien Salort <listes at salort.eu> wrote:
> 
> Hello,
> 
> 
> I have a VPS running postfix and bind9. Bind is used as a recursive resolver, in particular to be able to query anti-spam database.
> 
> Postfix is also configured to reject incoming connections from servers with no reverse dns.
> 
> It works great overall, but sometimes legitimate messages get rejected because the reverse dns query fails.
> 
> Here is an example (anonymized email and host address):
> 
> In mail.log:
> 
> 450 4.7.1 Client host rejected: cannot find your reverse hostname, [17.179.250.111]; from=<developer_bounces at insideapple.apple.com> to=<XXX at example.com> proto=ESMTP helo=<rn2-msbadger07105.apple.com> (total: 1)
> 
> In named journal:
> 
> mars 02 01:14:20 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
> 
> mars 02 01:14:25 example.com named[2756114]: client @0x7f3a08079d00 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query: 111.250.179.17.in-addr.arpa IN PTR +E(0) (127.0.0.1)
> 
> mars 02 01:14:32 example.com named[2756114]: client @0x7f3a0808c750 127.0.0.1#43646 (111.250.179.17.in-addr.arpa): query failed (timed out) for 111.250.179.17.in-addr.arpa/IN/PTR at query.c:6883
> 
> mars 02 01:14:32 example.com named[2756114]: client @0x7f3a000d5110 127.0.0.1#49520 (insideapple.apple.com): query: insideapple.apple.com IN MX + (127.0.0.1)
> 
> 
> So there is a timeout.
> 
> Now if I try again:
> 
> $ dig -x 17.179.250.111 @localhost +short
> rn2-msbadger07105.apple.com.
> 
> 
> So it seems that it is just that sometimes the query takes a bit longer...
> 
> 
> Is there a general advice regarding timeout for bind?
> 
> Should I just choose a longer timeout? Or is there a reason for the default value?
> 
> 
> I did not have such problems when I was using the ISP dns server instead of a local recursive resolver. So I was wondering if the configuration is sub-optimal somehow...
> 
> 
> Thank you,
> 
> 
> Cheers,
> 
> 
> Julien
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list