
Docker 24.0.0 breaks DNSSEC for mailu 2.x #2827


Closed · 1 of 3 tasks · Aaron-Ritter opened this issue May 17, 2023 · 15 comments · Fixed by #2829
Labels
type/bug Bug. Not working as intended

Comments

@Aaron-Ritter

Aaron-Ritter commented May 17, 2023

Environment & Version

Environment

  • docker compose
  • kubernetes
  • docker swarm

Version

  • Mailu Version: 2.0
  • Docker Engine 24.0.0

Description

I upgraded our mail server system today to Docker Engine 24.0.0 and it broke DNSSEC with the unbound resolver container.

mailu-admin-1      | [2023-05-17 16:30:51,391] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,392] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,393] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,393] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,398] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,400] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,400] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,402] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,410] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,412] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,413] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:51,414] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:52,079] WARNING in utils: Unable to lookup the TLSA record for hotmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/hotmail.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:52,081] WARNING in utils: Unable to lookup the TLSA record for yahoo.com. Is the DNSSEC zone okay on https://dnsviz.net/d/yahoo.com/dnssec/?
mailu-admin-1      | [2023-05-17 16:30:52,085] WARNING in utils: Unable to lookup the TLSA record for yahoo.com. Is the DNSSEC zone okay on https://dnsviz.net/d/yahoo.com/dnssec/?

I checked if I can ping the resolver container from the other services, e.g. admin and smtp, which worked and resolved.
I checked if I can ping anything outside, e.g. google, from these containers, which worked too.
I checked if I can do all of this from the resolver container itself too .. working fine also.
I checked if the DNS for all the different containers is set, and admin as well as smtp had the resolver IP entered.
I tried to add DNS servers to the resolver container, which did not make a difference.
I also stopped the resolver process to see if it is even used, and I got a host lookup issue in the smtp with that, so I knew it is used.

Temporary solution

I ultimately downgraded docker engine to the latest 23 release where everything started to work again.

apt install docker-ce=5:23.0.6-1~debian.11~bullseye
apt install docker-ce-cli=5:23.0.6-1~debian.11~bullseye
apt install docker-ce-rootless-extras=5:23.0.6-1~debian.11~bullseye

Replication Steps

upgrade docker engine to 24.0.0 on Debian via https://docs.docker.com/engine/install/debian/

Observed behaviour

DNSSEC lookup stops working.

Logs

syslog:May 17 15:39:11 mx01 mailu-admin[2315519]: [2023-05-17 15:39:11,884] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: warning: TLS policy lookup for gmail.com/gmail-smtp-in.l.google.com: non DNSSEC destination
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: warning: TLS policy lookup for gmail.com/gmail-smtp-in.l.google.com: non DNSSEC destination
syslog:May 17 15:39:11 mx01 mailu-admin[2315519]: [2023-05-17 15:39:11,888] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: warning: TLS policy lookup for gmail.com/alt1.gmail-smtp-in.l.google.com: non DNSSEC destination
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: warning: TLS policy lookup for gmail.com/alt1.gmail-smtp-in.l.google.com: non DNSSEC destination
syslog:May 17 15:39:11 mx01 mailu-admin[2315519]: [2023-05-17 15:39:11,892] WARNING in utils: Unable to lookup the TLSA record for gmail.com. Is the DNSSEC zone okay on https://dnsviz.net/d/gmail.com/dnssec/?
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: warning: TLS policy lookup for gmail.com/alt2.gmail-smtp-in.l.google.com: non DNSSEC destination
syslog:May 17 15:39:11 mx01 mailu-smtp[2315519]: May 17 15:39:11 mx01 postfix/smtp[1693]: D45F460087: to=<hidden-address@gmail.com>, relay=none, delay=506, delays=506/0.02/0.24/0, dsn=4.7.5, status=deferred (non DNSSEC destination)
@Aaron-Ritter
Author

Possibly related to this: https://docs.docker.com/engine/release-notes/24.0/
Fix numerous bugs in the embedded DNS resolver implementation used by user-defined networks. moby/moby#44664

@joshzcold

joshzcold commented May 17, 2023

Lots of people on my team ran into the same issue today. Reverting back to 23.06 fixed our dns issue.
postgres/web@(bad-af):0 closing because: server DNS lookup failed (age=0s) from pgbouncer

We default our docker compose network like so

networks:
  default:
    driver: bridge
    driver_opts:
      # Having this above 1380 makes the stack unusable under the VPN (wireguard)
      com.docker.network.driver.mtu: 1380

Probably need to create a ticket on docker's github issues.

@Aaron-Ritter
Author

docker-compose.yml

For the resolver I had no DNS configuration at first, then tried one IP, multiple IPs and in a different order.

# This file is auto-generated by the Mailu configuration wizard.
# Please read the documentation before attempting any change.
# Generated for compose flavor

version: '3.8'

services:

  # External dependencies
  redis:
    image: redis:alpine
    restart: unless-stopped
    volumes:
      - "mailuredis:/data"
    depends_on:
      - resolver
    dns:
      - 10.10.10.254

  # Core services
  front:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}nginx:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    logging:
      driver: journald
      options:
        tag: mailu-front
    ports:
      - "80:80"
      - "443:443"
      - "25:25"
      - "465:465"
      - "587:587"
      - "110:110"
      - "995:995"
      - "143:143"
      - "993:993"
    networks:
      - default
      - webmail
      - radicale
    volumes:
      - "mailucerts:/certs"
      - "mailuoverridesnginx:/overrides"
    depends_on:
      - resolver
    dns:
      - 10.10.10.254

  resolver:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}unbound:${MAILU_VERSION:-2.0}
    env_file: mailu.env
    restart: unless-stopped
    dns:
      - 213.133.98.98
      - 8.8.8.8
      - 1.1.1.1
      - 10.14.214.1
      - 213.133.99.99
      - 213.133.100.100
    networks:
      default:
        ipv4_address: 10.10.10.254

  admin:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}admin:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    logging:
      driver: journald
      options:
        tag: mailu-admin
    volumes:
      - "mailudataadmin:/data"
      - "mailudkim:/dkim"
    depends_on:
      - redis
      - resolver
    dns:
      - 10.10.10.254

  imap:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}dovecot:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    logging:
      driver: journald
      options:
        tag: mailu-imap
    volumes:
      - "mailumail:/mail"
      - "mailuoverridesimap:/overrides"
    depends_on:
      - front
      - resolver
    dns:
      - 10.10.10.254

  smtp:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}postfix:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    logging:
      driver: journald
      options:
        tag: mailu-smtp
    volumes:
      - "mailuqueue:/queue"
      - "mailuoverridespostfix:/overrides"
    depends_on:
      - front
      - resolver
    dns:
      - 10.10.10.254

  oletools:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}oletools:${MAILU_VERSION:-2.0}
    hostname: oletools
    restart: always
    networks:
      - noinet
    depends_on:
      - resolver
    dns:
      - 10.10.10.254

  antispam:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}rspamd:${MAILU_VERSION:-2.0}
    hostname: antispam
    restart: unless-stopped
    env_file: mailu.env
    logging:
      driver: journald
      options:
        tag: mailu-antispam
    networks:
      - default
      - noinet
    volumes:
      - "mailufilter:/var/lib/rspamd"
      - "mailuoverridesrspamd:/etc/rspamd/override.d"
    depends_on:
      - front
      - redis
      - oletools
      - antivirus
      - resolver
    dns:
      - 10.10.10.254

  # Optional services
  antivirus:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}clamav:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    volumes:
      - "mailufilter:/data"
    depends_on:
      - resolver
    dns:
      - 10.10.10.254

  webdav:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}radicale:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    volumes:
      - "mailudav:/data"
    networks:
      - radicale

  fetchmail:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}fetchmail:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    volumes:
      - "mailufetchmail:/data"
    depends_on:
      - admin
      - smtp
      - imap
      - resolver
    dns:
      - 10.10.10.254

  # Webmail
  webmail:
    image: ${DOCKER_ORG:-ghcr.io/mailu}/${DOCKER_PREFIX:-}webmail:${MAILU_VERSION:-2.0}
    restart: unless-stopped
    env_file: mailu.env
    volumes:
      - "mailuwebmail:/data"
      - "mailuoverrideswebmail:/etc/rspamd/override.d"
    networks:
      - webmail
    depends_on:
      - front

  database:
    image: postgres:14
    restart: unless-stopped
    environment:
      - POSTGRES_USER=mailu
      - PGDATA=/var/lib/postgresql/data/pgdata
    env_file: mailu.env
    volumes:
      - "mailudatapgdata:/var/lib/postgresql/data/pgdata"

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.10.10.0/24
  radicale:
    driver: bridge
  webmail:
    driver: bridge
  noinet:
    driver: bridge
    internal: true

volumes:
  mailucerts:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/certs"
  mailudataadmin:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/data/admin"
  mailudatapgdata:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/data/pgdata"
  mailudav:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/dav"
  mailudkim:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/dkim"
  mailufilter:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/filter"
  mailumail:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/maildata"
  mailuoverridesimap:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/overrides/imap"
  mailuoverridespostfix:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/overrides/postfix"
  mailuoverridesnginx:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/overrides/nginx"
  mailuoverridesrspamd:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/overrides/rspamd"
  mailuoverrideswebmail:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/overrides/webmail"
  mailuredis:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/redis"
  mailuwebmail:
    driver_opts:
      type: "nfs"
      o: "addr=IP.IP.IP.IP,nolock,soft,nfsvers=4.2,rw"
      device: ":/mailu/mx01/webmail"
  mailuqueue:
  mailufetchmail:

mailu.env

# Mailu main configuration file
#
# This file is autogenerated by the configuration management wizard for compose flavor.
# For a detailed list of configuration variables, see the documentation at
# https://mailu.io

###################################
# Common configuration variables
###################################

# Set to a randomly generated 16 bytes string
SECRET_KEY=somerandomsecret

# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET=10.10.10.0/24

# Main mail domain
DOMAIN=mx01.somedomain.name

# Hostnames for this server, separated with commas
HOSTNAMES=mx01.somedomain.name,mx01.nbg.de.somedomain.name,mail.somedomain.name2,mail.somedomain.name3,imap.somedomain.name2,smtp.somedomain.name2,mail.somedomain.name4,somedomain.name5,imap.somedomain.name5,smtp.somedomain.name5

# Postmaster local part (will append the main mail domain)
POSTMASTER=admin

# Choose how secure connections will behave (value: letsencrypt, cert, notls, mail, mail-letsencrypt)
TLS_FLAVOR=letsencrypt

# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=100/minute;10000/hour

# Authentication rate limit per user (regardless of the source-IP)
AUTH_RATELIMIT_USER=10/minute;1000/hour

# Opt-out of statistics, replace with "True" to opt out
DISABLE_STATISTICS=True

###################################
# Optional features
###################################

# Expose the admin interface (value: true, false)
ADMIN=true

# Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=roundcube

# Expose the API interface (value: true, false)
API=true

# Dav server implementation (value: radicale, none)
WEBDAV=radicale

# Antivirus solution (value: clamav, none)
ANTIVIRUS=clamav

# Scan Macros solution (value: true, false)
SCAN_MACROS=true

###################################
# Mail settings
###################################

# Message size limit in bytes
# Default: accept messages up to 50MB
# Max attachment size will be 33% smaller
MESSAGE_SIZE_LIMIT=50000000

# Message rate limit (per user)
MESSAGE_RATELIMIT=2000/day

# Networks granted relay permissions
# Use this with care, all hosts in this networks will be able to send mail without authentication!
#zendesk example:
#RELAYNETS=10.10.20.0/24 103.151.192.0/23 185.12.80.0/22 188.172.128.0/20 192.161.144.0/20 216.198.0.0/18
RELAYNETS=10.10.20.0/24

# Will relay all outgoing mails if configured
RELAYHOST=

# Enable fetchmail
FETCHMAIL_ENABLED=true

# Fetchmail delay
FETCHMAIL_DELAY=600

# Recipient delimiter, character used to delimiter localpart from custom address part
RECIPIENT_DELIMITER=+

# DMARC rua and ruf email
DMARC_RUA=admin
DMARC_RUF=admin

# Welcome email, enable and set a topic and body if you wish to send welcome
# emails to all users.
WELCOME=false
WELCOME_SUBJECT=Welcome to your new email account
WELCOME_BODY=Welcome to your new email account, if you can read this, then it is configured properly!

# Maildir Compression
# choose compression-method, default: none (value: bz2, gz)
COMPRESSION=
# change compression-level, default: 6 (value: 1-9)
COMPRESSION_LEVEL=

###################################
# Web settings
###################################

# Path to redirect / to
WEBROOT_REDIRECT=/webmail

# Path to the admin interface if enabled
WEB_ADMIN=/admin

# Path to the webmail if enabled
WEB_WEBMAIL=/webmail

# Path to the API interface if enabled
WEB_API=/api

# Website name
SITENAME=SOME Mail

# Linked Website URL
WEBSITE=https://somedomain.name5



###################################
# Advanced settings
###################################

# Log driver for front service. Possible values:
# json-file (default)
# journald (On systemd platforms, useful for Fail2Ban integration)
# syslog (Non systemd platforms, Fail2Ban integration. Disables `docker-compose log` for front!)
# LOG_DRIVER=json-file

# Docker-compose project name, this will prepended to containers names.
COMPOSE_PROJECT_NAME=mailu

# Number of rounds used by the password hashing scheme
CREDENTIAL_ROUNDS=14

# Header to take the real ip from
REAL_IP_HEADER=

# IPs for nginx set_real_ip_from (CIDR list separated by commas)
REAL_IP_FROM=

# choose whether mailu bounces (no) or rejects (yes) mail when recipient is unknown (value: yes, no)
REJECT_UNLISTED_RECIPIENT=

# Log level threshold in start.py (value: CRITICAL, ERROR, WARNING, INFO, DEBUG, NOTSET)
LOG_LEVEL=WARNING

# Timezone for the Mailu containers. See this link for all possible values https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=Europe/Zurich

# Default spam threshold used for new users
DEFAULT_SPAM_THRESHOLD=80

# API token required for authenticating to the RESTful API.
# This is a mandatory setting for using the RESTful API.
API_TOKEN=sometoken

###################################
# Database settings
###################################
DB_HOST=database
DB_PORT=5432
DB_USER=mailu
DB_NAME=mailu
DB_FLAVOR=postgresql
DB_PW=somepassword
POSTGRES_PASSWORD=someotherpassword
ROUNDCUBE_DB_FLAVOR=sqlite

@nextgens
Contributor

Please try and post the result of the following:

 dig @${IP_DOCKER_RESOLVER} +adflag example.org
 dig @${IP_DOCKER_RESOLVER} +dnssec example.org

@Aaron-Ritter
Author

@nextgens thanks, will try once I've set up a test environment, at the latest on the weekend.

@BierDav

BierDav commented May 18, 2023

Please try and post the result of the following:

 dig @${IP_DOCKER_RESOLVER} +adflag example.org
 dig @${IP_DOCKER_RESOLVER} +dnssec example.org

Same error here. @nextgens would you be so kind and tell me where to execute these commands?

@corhere

corhere commented May 18, 2023

Hi, I broke DNS resolution in Docker v24.0.0. Sorry about that. Docker v24.0.0's stub resolver returns SERVFAIL when it receives NXDOMAIN from all upstream DNS servers, which is likely the root cause of this breakage. See moby/moby#45565 for more info.

On the other hand, the stub resolver for v24.0.0 does appear to forward NOERROR responses correctly, including all the DNSSEC records and flags. The dig output looks to match up with that of querying 8.8.8.8 directly.

/ # dig +adflag example.org
DEBU[2023-05-18T14:44:10.438097754Z] Name To resolve: example.org.
DEBU[2023-05-18T14:44:10.438613784Z] [resolver] forwarding query                   client-addr="udp:172.19.0.2:49390" dns-server="udp:8.8.8.8:53" question=";example.org.\tIN\t A"
DEBU[2023-05-18T14:44:10.442205494Z] [resolver] received A record "93.184.216.34" for "example.org." from udp:8.8.8.8

; <<>> DiG 9.18.14 <<>> +adflag example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20203
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.org.			IN	A

;; ANSWER SECTION:
example.org.		14472	IN	A	93.184.216.34

;; Query time: 5 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Thu May 18 14:44:10 UTC 2023
;; MSG SIZE  rcvd: 56

/ # dig +dnssec example.org
DEBU[2023-05-18T14:44:40.058760000Z] Name To resolve: example.org.
DEBU[2023-05-18T14:44:40.059066259Z] [resolver] forwarding query                   client-addr="udp:172.19.0.2:51447" dns-server="udp:8.8.8.8:53" question=";example.org.\tIN\t A"
DEBU[2023-05-18T14:44:40.062578772Z] [resolver] received A record "93.184.216.34" for "example.org." from udp:8.8.8.8

; <<>> DiG 9.18.14 <<>> +dnssec example.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61346
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;example.org.			IN	A

;; ANSWER SECTION:
example.org.		14442	IN	A	93.184.216.34
example.org.		14442	IN	RRSIG	A 8 2 86400 20230527062335 20230505231353 65359 example.org. DBDTBVLaHBXzMJHTa7N9nv6/9/1Qw0MzC5EGz1jEXdET7cs9AxBIclNB S069CbzNc6A/96WsmQxlpMf39eE4ielphjPKIC5Coon59Flo/WwINz8J d6t57+ui2xSOXUs+OvYsWLQHC8reJvdl/rBld2T5PE9v25Zrq/ygyvFW fls=
example.org.		14442	IN	RRSIG	A 13 2 86400 20230527062335 20230505231353 48686 example.org. oLoKjLIBcjMYIzkJtisfwoNUJTS0Cd9+NHD+Ctqwutc3yXYGNs6amlME AExS5yLeZZ48h2cdyQ3mj/Lo1ho5ng==

;; Query time: 5 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Thu May 18 14:44:40 UTC 2023
;; MSG SIZE  rcvd: 334

@nextgens
Contributor

Thank you for the explanation. Unfortunately there isn't much we can do on Mailu's side apart from documenting it: SERVFAIL is what we would expect from a validating resolver when there is a problem with DNSSEC.
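To make the distinction in the two comments above concrete, here is an added example (not Mailu's or Docker's code): it builds the kind of query `dig +adflag` / `dig +dnssec` sends, parses the response header, and sorts the result into a validated answer (AD bit set, as in corhere's dig output), a validated "does not exist" (NXDOMAIN or empty NOERROR with AD, the normal result for a domain without a TLSA record) and SERVFAIL, which a client behind a validating resolver has to treat as a DNSSEC failure. The sample responses are constructed inline; the function names, the `query_udp` helper and its default server address are assumptions.

```python
"""DNSSEC-aware DNS response classifier (added example, not Mailu's or Docker's code).

Builds a query with the AD bit and an EDNS0 OPT record carrying the DO bit
(what ``dig +adflag`` / ``dig +dnssec`` send), parses the response header and
classifies the outcome.  Sample responses are constructed inline; only
query_udp talks to a real resolver.  Names and the default server are assumptions.
"""
import os
import socket
import struct

QTYPE_A, QTYPE_TLSA = 1, 52
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_TC, FLAG_AD = 0x0200, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def encode_name(name):
    # "example.org" -> b"\x07example\x03org\x00" (uncompressed wire format)
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name, qtype, txid=None, dnssec=True):
    txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
    flags = FLAG_RD | (FLAG_AD if dnssec else 0)        # AD in a query is "+adflag"
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if dnssec:
        # EDNS0 OPT pseudo-RR: root name, type 41, 1232-byte UDP size, DO bit in the TTL field
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(raw):
    if len(raw) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def classify(raw, expected_id=None):
    h = parse_header(raw)
    if expected_id is not None and h["id"] != expected_id:
        return "mismatched-id"                  # not our answer; never act on it
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # validation failure, or a stub resolver rewriting NXDOMAIN
    absent = h["rcode"] == RCODE_NXDOMAIN or (h["rcode"] == RCODE_NOERROR and h["ancount"] == 0)
    if absent:
        return "validated-absent" if h["ad"] else "insecure-absent"
    if h["rcode"] == RCODE_NOERROR:
        return "validated" if h["ad"] else "insecure"
    return "rcode-%d" % h["rcode"]

def make_response(txid, rcode, ad=False, ancount=0, name="example.org", qtype=QTYPE_A):
    # Constructed sample: header plus echoed question, no RR bodies (enough for the header logic)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0x0F)
    return (struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def query_udp(server, name, qtype=QTYPE_TLSA, timeout=2.0, port=53):
    # Live check against a resolver, e.g. 127.0.0.11 inside a container (as in the dig output above)
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, port))
        raw, _ = s.recvfrom(4096)
    return classify(raw, expected_id=txid)

if __name__ == "__main__":
    import sys
    print(query_udp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.11", "example.org", QTYPE_A))
```

Run it inside a container on the affected engine: a NOERROR answer for example.org still comes back as "validated", while a name that the upstreams answer with NXDOMAIN shows up as "servfail" instead of "validated-absent".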

@nextgens nextgens added the type/bug Bug. Not working as intended label May 18, 2023
@TerrapinSoftware

I may be completely wrong. I had to disable DNSSEC in postfix.conf to make it work. To make a long story short, the file core/admin/mailu/utils.py contains a procedure has_dane_record(domain, timeout=10) that Postfix calls. I suspect that this procedure returns the wrong value - it returns the value of DEFER_ON_TLS_ERROR if there is no TLSA record at the destination. Unfortunately, neither True nor False eliminates the problem.

@Aaron-Ritter
Author

@TerrapinSoftware downgrade docker for now from 24.0.0 to the latest 23.x. You don't have to change anything in mailu.

@TerrapinSoftware

Did not work for me unfortunately.

@Aaron-Ritter
Author

If my commands did not work at all, you might have a different release / OS and therefore a different package name.

@TerrapinSoftware

Uh-oh. I made a mistake - docker-ce was NOT downgraded (Ubuntu 22.04). Your suggested downgrade worked with docker 23.0.6. Thank you for the quick reply!

@nextgens nextgens mentioned this issue May 19, 2023
@neersighted

We're planning to release Moby (Docker CE) 24.0.1 today, which will contain the fix for this issue.

@bors bors bot closed this as completed in 9921b1c May 19, 2023
@Aaron-Ritter
Author

I've tested with the 24.0.1 release and it's working fine, thanks a lot!

@mergify mergify bot mentioned this issue Sep 12, 2024