450 4.7.1 Client host rejected: cannot find your reverse hostname, [XXX.XXX.XXX.XXX] #85

Closed
sgoudelis opened this issue Mar 3, 2017 · 33 comments

Comments

@sgoudelis

sgoudelis commented Mar 3, 2017

Hello,

I recently installed mailcow on my VPS box and I am getting this error message all the time when I try to send an email to an address under the mailcow system. I have also found what is perhaps the source of the problem here:

Attaching to mailcowdockerized_pdns-mailcow_1
pdns-mailcow_1 | Mar 03 16:24:00 PowerDNS Recursor 4.0.4 (C) 2001-2016 PowerDNS.COM BV
pdns-mailcow_1 | Mar 03 16:24:00 Using 64-bits mode. Built using gcc 5.4.0 20160609 on Jan 13 2017 09:37:53 by root@2e330ddb85a7.
pdns-mailcow_1 | Mar 03 16:24:00 PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
pdns-mailcow_1 | Mar 03 16:24:00 Reading random entropy from '/dev/urandom'
pdns-mailcow_1 | Mar 03 16:24:00 If using IPv6, please raise sysctl net.ipv6.route.max_size, currently set to 4096 which is < 16384
pdns-mailcow_1 | Mar 03 16:24:00 NOT using IPv6 for outgoing queries - set 'query-local-address6=::' to enable
pdns-mailcow_1 | Mar 03 16:24:00 Only allowing queries from: 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
pdns-mailcow_1 | Mar 03 16:24:00 Will not send queries to: 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32, 0.0.0.0, ::
pdns-mailcow_1 | Mar 03 16:24:00 PowerDNS Recursor itself will distribute queries over threads
pdns-mailcow_1 | Mar 03 16:24:00 Redirecting queries for zone 'mailcow-network.' with recursion to: 127.0.0.11:53
pdns-mailcow_1 | Mar 03 16:24:00 Inserting rfc 1918 private space zones
pdns-mailcow_1 | Mar 03 16:24:00 Listening for UDP queries on 0.0.0.0:53
pdns-mailcow_1 | Mar 03 16:24:00 Enabled TCP data-ready filter for (slight) DoS protection
pdns-mailcow_1 | Mar 03 16:24:00 Listening for TCP queries on 0.0.0.0:53
pdns-mailcow_1 | Mar 03 16:24:00 Set effective group id to 106
pdns-mailcow_1 | Mar 03 16:24:00 Set effective user id to 105
pdns-mailcow_1 | Mar 03 16:24:00 Launching 3 threads
pdns-mailcow_1 | Mar 03 16:24:00 Done priming cache with root hints
pdns-mailcow_1 | Mar 03 16:24:00 Done priming cache with root hints
pdns-mailcow_1 | Mar 03 16:24:00 Done priming cache with root hints
pdns-mailcow_1 | Mar 03 16:24:00 Enabled 'epoll' multiplexer
pdns-mailcow_1 | Mar 03 16:24:08 Failed to update . records, got an exception
pdns-mailcow_1 | Mar 03 16:24:08 Failed to update . records, RCODE=-1
pdns-mailcow_1 | Mar 03 16:24:09 Failed to update . records, got an exception

For some reason the pdns-recursor cannot fetch the root DNS zones?

Any ideas?

@broedli
Contributor

broedli commented Mar 3, 2017

This issue is known.
We are switching to bind9 because of it. This should be pushed to master pretty soon.

@ghost

ghost commented Mar 3, 2017

Look at this: #52

@andryyy andryyy closed this as completed Mar 4, 2017
@andryyy
Contributor

andryyy commented Mar 4, 2017

Closed with new master.

@sgoudelis
Author

Actually my issue hasn't been fixed. Here is the log from bind9:

Attaching to mailcowdockerized_bind9-mailcow_1
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 starting BIND 9.10.4-P1 id:adfc588 -c /etc/bind/named.conf -g -u named -4
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 running on Linux x86_64 4.4.0-64-generic #85-Ubuntu SMP Mon Feb 20 11:50:30 UTC 2017
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 built with '--build=x86_64-alpine-linux-musl' '--host=x86_64-alpine-linux-musl' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-openssl=/usr' '--enable-linux-caps' '--without-libxml2' '--enable-threads' '--enable-filter-aaaa' '--enable-ipv6' '--enable-shared' '--enable-static' '--with-libtool' '--with-randomdev=/dev/random' '--mandir=/usr/share/man' '--infodir=/usr/share/info' 'build_alias=x86_64-alpine-linux-musl' 'host_alias=x86_64-alpine-linux-musl' 'CC=gcc' 'CFLAGS=-Os -fomit-frame-pointer -D_GNU_SOURCE' 'LDFLAGS=-Wl,--as-needed' 'CPPFLAGS=-Os -fomit-frame-pointer'
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 ----------------------------------------------------
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 BIND 9 is maintained by Internet Systems Consortium,
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 Inc. (ISC), a non-profit 501(c)(3) public-benefit
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 corporation. Support and training for BIND 9 are
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 available at https://www.isc.org/support
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 ----------------------------------------------------
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 found 2 CPUs, using 2 worker threads
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 using 1 UDP listener per interface
bind9-mailcow_1 | 04-Mar-2017 17:14:10.112 using up to 4096 sockets
bind9-mailcow_1 | 04-Mar-2017 17:14:10.116 loading configuration from '/etc/bind/named.conf'
bind9-mailcow_1 | 04-Mar-2017 17:14:10.117 reading built-in trusted keys from file '/etc/bind/bind.keys'
bind9-mailcow_1 | 04-Mar-2017 17:14:10.118 using default UDP/IPv4 port range: [32768, 60999]
bind9-mailcow_1 | 04-Mar-2017 17:14:10.119 listening on IPv4 interface lo, 127.0.0.1#53
bind9-mailcow_1 | 04-Mar-2017 17:14:10.125 listening on IPv4 interface eth0, 172.22.1.254#53
bind9-mailcow_1 | 04-Mar-2017 17:14:10.125 generating session key for dynamic DNS
bind9-mailcow_1 | 04-Mar-2017 17:14:10.125 sizing zone task pool based on 0 zones
bind9-mailcow_1 | 04-Mar-2017 17:14:10.127 using built-in DLV key for view _default
bind9-mailcow_1 | 04-Mar-2017 17:14:10.127 set up managed keys zone for view _default, file 'managed-keys.bind'
bind9-mailcow_1 | 04-Mar-2017 17:14:10.127 automatic empty zone: 10.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.127 automatic empty zone: 16.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.127 automatic empty zone: 17.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 18.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 19.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 20.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 21.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 22.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 23.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 24.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 25.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 26.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 27.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 28.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 29.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 30.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 31.172.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 168.192.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 64.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 65.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 66.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 67.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 68.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 69.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 70.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 71.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 72.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 73.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 74.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 75.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 76.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 77.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 78.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 79.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.128 automatic empty zone: 80.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 81.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 82.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 83.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 84.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 85.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 86.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 87.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 88.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 89.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 90.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 91.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 92.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 93.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 94.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 95.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 96.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 97.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 98.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 99.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 100.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.129 automatic empty zone: 101.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 102.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 103.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 104.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 105.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 106.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 107.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.130 automatic empty zone: 108.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 109.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 110.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 111.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 112.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 113.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 114.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 115.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 116.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 117.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 118.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 119.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 120.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 121.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 122.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 123.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 124.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 125.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 126.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 127.100.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 0.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 127.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 254.169.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 2.0.192.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 100.51.198.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 113.0.203.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: D.F.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 8.E.F.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 9.E.F.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: A.E.F.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: B.E.F.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.131 automatic empty zone: EMPTY.AS112.ARPA
bind9-mailcow_1 | 04-Mar-2017 17:14:10.132 configuring command channel from '/etc/bind/rndc.key'
bind9-mailcow_1 | 04-Mar-2017 17:14:10.132 couldn't add command channel 127.0.0.1#953: file not found
bind9-mailcow_1 | 04-Mar-2017 17:14:10.132 not using config file logging statement for logging due to -g option
bind9-mailcow_1 | 04-Mar-2017 17:14:10.162 managed-keys-zone: loaded serial 0
bind9-mailcow_1 | 04-Mar-2017 17:14:10.167 all zones loaded
bind9-mailcow_1 | 04-Mar-2017 17:14:10.167 running
bind9-mailcow_1 | 04-Mar-2017 17:14:20.168 managed-keys-zone: Unable to fetch DNSKEY set '.': timed out
bind9-mailcow_1 | 04-Mar-2017 17:14:20.173 managed-keys-zone: Unable to fetch DNSKEY set 'dlv.isc.org': timed out

Perhaps something else is going on...

@ghost

ghost commented Mar 4, 2017

I don't see any errors in the log.
Try this: nslookup -q=ptr 192.30.252.194 172.22.1.254

@sgoudelis
Author

I get this back:

nslookup -q=ptr 192.30.252.194 172.22.1.254
Server: 172.22.1.254
Address: 172.22.1.254#53

** server can't find 194.252.30.192.in-addr.arpa: SERVFAIL

@ghost

ghost commented Mar 4, 2017

And:
nslookup -q=ptr 192.30.252.194 8.8.8.8
nslookup -q=ptr 192.30.252.194

@sgoudelis
Author

This is very odd:

$ nslookup -q=ptr 192.30.252.194 8.8.8.8
;; connection timed out; no servers could be reached

$ nslookup -q=ptr 192.30.252.194
Server: 46.28.201.21
Address: 46.28.201.21#53

Non-authoritative answer:
194.252.30.192.in-addr.arpa name = github-smtp2-ext3.iad.github.net.

@andryyy
Contributor

andryyy commented Mar 5, 2017 via email

@sgoudelis
Author

I fixed my issue by adding forwarders in the bind configuration:

forwarders {
        x.x.x.x;
        x.x.x.x;
};

@marrco
Contributor

marrco commented Mar 6, 2017

@sgoudelis I could be wrong, but I'd give a huge NO on forwarders. Especially if you set those to some large known resolvers, like Google DNS.

Most DNSBLs limit or block queries from large public DNS resolvers. I guess mailcow has tests in place that you don't use 4x8, but I don't know if that's done at setup time and can spot later modifications.

@ferdisn

ferdisn commented May 27, 2017

Hi, today I just deployed mailcow to a new fresh CentOS 7.2 installation.

The same thing happened to me. It prevented the server from receiving mail from Google.

The docker already uses bind9.

@andryyy
Contributor

andryyy commented May 27, 2017

You should check the bind9 container logs. And please try to ping google.com from one of the containers.

@andryyy
Contributor

andryyy commented May 27, 2017

I really cannot do anything as this does not happen on any of my test boxes. Without any logs or information about the firewall, there is nothing I can change to fix it. :/

@ferdisn

ferdisn commented May 27, 2017

Pinging works from the bind9 container. And for the logs, there is a lot happening here.
Here's an excerpt:

7-May-2017 10:10:02.706 FORMERR resolving './NS/IN': 192.228.79.201#53
27-May-2017 10:10:02.709 no valid RRSIG resolving 'ch/DS/IN': 192.228.79.201#53
27-May-2017 10:10:02.711 DNS format error from 192.5.5.241#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.711 FORMERR resolving './NS/IN': 192.5.5.241#53
27-May-2017 10:10:02.713 no valid RRSIG resolving 'ch/DS/IN': 192.5.5.241#53
27-May-2017 10:10:02.714 DNS format error from 192.203.230.10#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.714 FORMERR resolving './NS/IN': 192.203.230.10#53
27-May-2017 10:10:02.717 no valid RRSIG resolving 'ch/DS/IN': 192.203.230.10#53
27-May-2017 10:10:02.718 DNS format error from 192.36.148.17#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.718 FORMERR resolving './NS/IN': 192.36.148.17#53
27-May-2017 10:10:02.721 no valid RRSIG resolving 'ch/DS/IN': 192.36.148.17#53
27-May-2017 10:10:02.723 DNS format error from 192.112.36.4#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.723 FORMERR resolving './NS/IN': 192.112.36.4#53
27-May-2017 10:10:02.726 no valid RRSIG resolving 'ch/DS/IN': 192.33.4.12#53
27-May-2017 10:10:02.727 DNS format error from 199.7.83.42#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.727 FORMERR resolving './NS/IN': 199.7.83.42#53
27-May-2017 10:10:02.730 no valid RRSIG resolving 'ch/DS/IN': 202.12.27.33#53
27-May-2017 10:10:02.730 no valid DS resolving 'ch/DNSKEY/IN': 85.119.5.230#53
27-May-2017 10:10:02.731 DNS format error from 192.58.128.30#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.731 FORMERR resolving './NS/IN': 192.58.128.30#53
27-May-2017 10:10:02.736 DNS format error from 193.0.14.129#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.736 FORMERR resolving './NS/IN': 193.0.14.129#53
27-May-2017 10:10:02.739 validating ch/DNSKEY: bad cache hit (ch/DS)
27-May-2017 10:10:02.739 broken trust chain resolving 'ch/DNSKEY/IN': 147.28.0.39#53
27-May-2017 10:10:02.742 validating abuse.ch/DS: bad cache hit (ch/DNSKEY)
27-May-2017 10:10:02.745 validating abuse.ch/DS: bad cache hit (ch/DNSKEY)
27-May-2017 10:10:02.745 broken trust chain resolving '1.0.0.127.spam.abuse.ch/A/IN': 204.13.250.4#53
27-May-2017 10:10:02.745 DNS format error from 198.41.0.4#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.745 FORMERR resolving './NS/IN': 198.41.0.4#53
27-May-2017 10:10:02.749 DNS format error from 199.7.91.13#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.749 FORMERR resolving './NS/IN': 199.7.91.13#53
27-May-2017 10:10:02.754 DNS format error from 198.97.190.53#53 resolving ./NS: non-improving referral
27-May-2017 10:10:02.754 FORMERR resolving './NS/IN': 198.97.190.53#53
27-May-2017 10:10:05.582 lame server resolving '1.0.0.127.bl.spameatingmonkey.net' (in 'spameatingmonkey.net'?): 139.162.250.75#53
27-May-2017 10:10:05.587 lame server resolving '1.0.0.127.bl.spameatingmonkey.net' (in 'spameatingmonkey.net'?): 69.164.195.45#53
27-May-2017 10:10:05.591 lame server resolving '1.0.0.127.bl.spameatingmonkey.net' (in 'spameatingmonkey.net'?): 103.3.60.222#53
27-May-2017 10:10:05.596 lame server resolving '1.0.0.127.bl.spameatingmonkey.net' (in 'spameatingmonkey.net'?): 74.207.232.228#53
27-May-2017 10:10:10.979 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 85.25.14.252#53
27-May-2017 10:10:10.984 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 50.22.152.254#53
27-May-2017 10:10:10.989 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 148.81.197.185#53
27-May-2017 10:10:10.994 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 147.102.226.131#53
27-May-2017 10:10:10.999 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 85.217.170.32#53
27-May-2017 10:10:11.005 lame server resolving 'facebook.com.dbl.spamhaus.org' (in 'dbl.spamhaus.org'?): 139.59.48.139#53
27-May-2017 10:10:13.484 validating gmail.com/MX: bad cache hit (com/DS)
27-May-2017 10:10:13.484 broken trust chain resolving 'gmail.com/MX/IN': 192.48.79.30#53
27-May-2017 10:10:13.491 validating gmail.com/MX: bad cache hit (com/DS)
27-May-2017 10:10:13.491 broken trust chain resolving 'gmail.com/MX/IN': 192.12.94.30#53
27-May-2017 10:10:13.497 validating gmail.com/A: bad cache hit (com/DS)
27-May-2017 10:10:13.497 broken trust chain resolving 'gmail.com/A/IN': 192.26.92.30#53
27-May-2017 10:10:13.503 validating gmail.com/A: bad cache hit (com/DS)
27-May-2017 10:10:13.503 broken trust chain resolving 'gmail.com/A/IN': 192.33.14.30#53
27-May-2017 10:10:13.510 validating gmail.com/AAAA: bad cache hit (com/DS)
27-May-2017 10:10:13.510 broken trust chain resolving 'gmail.com/AAAA/IN': 192.42.93.30#53
27-May-2017 10:10:13.516 validating gmail.com/AAAA: bad cache hit (com/DS)
27-May-2017 10:10:13.516 broken trust chain resolving 'gmail.com/AAAA/IN': 192.52.178.30#53

@ferdisn

ferdisn commented May 27, 2017

Hi, I just tried pinging from the postfix box, it says unknown host. Any idea how to trace the reason for this?

The thing is, I issue a ping request to my local website and it reports an unknown host, which is weird.

@andryyy
Contributor

andryyy commented May 27, 2017 via email

@ferdisn

ferdisn commented May 27, 2017

I put my log in the previous comment. I do assume that this is caused by DNSSEC.
Don't know why, but during other BIND9 deployments on CentOS 7.2, I also disabled DNSSEC.

And the bind container logs?

@ferdisn

ferdisn commented May 27, 2017

Hi, just want to add something. After disabling DNSSEC in the options block of named.conf:

options { dnssec-enable no; dnssec-validation no; };

I manage to receive the email.

EDIT: only for a moment. Afterwards, email starts getting rejected again.

@andryyy
Contributor

andryyy commented May 27, 2017

What's in the logs after disabling DNSSEC?

@chriscroome
Contributor

I just had this issue and the suggestion above from @sgoudelis regarding "adding forwarders in the bind configuration" solved the issue for me. Note that when editing the data/conf/bind9/named.conf file you need to add the forwarders section to the options block, for example:

options {
        directory "/var/bind";
        allow-recursion { internal_networks; };
        listen-on { any; };
        listen-on-v6 { any; };
        pid-file "/var/run/named/named.pid";
        allow-transfer { none; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        forwarders {
                XX.XX.XX.XX;
                XX.XX.XX.XX;
        };
};

And then restart the container:

docker-compose restart bind9-mailcow

Also note that the container doesn't contain /bin/bash so if you want to login to the container to test things you need to use:

docker-compose exec bind9-mailcow /bin/ash

@andryyy
Contributor

andryyy commented Jun 3, 2017 via email

@chriscroome
Contributor

@andryyy no, not public DNS servers, two DNS servers that we are running for our own subnet, and they don't rate limit local requests.

Where are the bind logs?

The errors that the mail server trying to send email to the mailcow server had in its Postfix logs were like this:

status=deferred (host xxx.xxx[XX.XX.XX.XX] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname

Good to hear that "You should not need to enter the bind containers shell." as I was struggling to find many useful tools... no vim!

@ferdisn

ferdisn commented Jun 3, 2017

Hi @chriscroome, are the said DNS servers using a different gateway compared to your mailcow server?

@chriscroome
Contributor

@ferdisn no, same subnet, same gateway.

@sgoudelis
Author

Hello guys again,

Unfortunately, my VPS provider does not allow using any DNS server other than their own. Can someone give some instructions on what needs to be modified to make the whole system work even without blacklist DNS lookups?

@sgoudelis
Author

Also I am getting this due to the same fact.

postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[409]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.dnsbl.inps.de: Host or domain name not found. Name service error for name=68.29.103.79.dnsbl.inps.de type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[410]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.hostkarma.junkemailfilter.com: Host or domain name not found. Name service error for name=68.29.103.79.hostkarma.junkemailfilter.com type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[407]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.zen.spamhaus.org: Host or domain name not found. Name service error for name=68.29.103.79.zen.spamhaus.org type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[411]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.wl.mailspike.net: Host or domain name not found. Name service error for name=68.29.103.79.wl.mailspike.net type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[405]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.b.barracudacentral.org: Host or domain name not found. Name service error for name=68.29.103.79.b.barracudacentral.org type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[408]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.dnsbl.sorbs.net: Host or domain name not found. Name service error for name=68.29.103.79.dnsbl.sorbs.net type=A: Host not found, try again
postfix-mailcow_1 | Feb 18 12:58:00 mail postfix/dnsblog[406]: warning: dnsblog_query: lookup error for DNS query 68.29.103.79.bl.mailspike.net: Host or domain name not found. Name service error for name=68.29.103.79.bl.mailspike.net type=A: Host not found, try again

@andryyy
Contributor

andryyy commented Feb 18, 2018

I recommend to switch your provider, seriously. :-(

@sgoudelis
Author

Understood, and I agree with you. In the meantime, can someone please tell me what needs to change in order to make the whole stack use a custom set of DNS servers? Even with reduced capability.

@mkuron
Member

mkuron commented Feb 19, 2018

You can try to remove all

      dns:
        - ${IPV4_NETWORK:-172.22.1}.254

sections from docker-compose.yml, then it falls back to Docker's built-in DNS proxy. Or you can replace ${IPV4_NETWORK:-172.22.1}.254 with your ISP's DNS recursor.

@sgoudelis
Author

Yeap, that worked. Thank you very much.

Can you tell me what exactly, or approximately, I lost by doing this?

@mkuron
Member

mkuron commented Feb 19, 2018

  • If anyone else uses your ISP's recursor to do DNS blacklist lookups, you will be competing for the same rate limit (e.g. 200 queries per minute with Spamhaus).
  • Queries with long results (e.g. DKIM) may fail if the ISP's recursor does not correctly retry queries over TCP.
  • No DNSSEC validation.
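A diagnostic script, added here and not part of mailcow or of any comment in this thread, that probes the bind9 resolver for the three failure modes discussed above: the reverse lookup behind the 450 4.7.1 reply, the root DNSKEY fetch that timed out in the bind9 log, and an RFC 5782 DNSBL test entry where ISP or public recursors tend to be rate limited. It also maps each RCODE to the action Postfix's reject_unknown_reverse_client_hostname takes (a temporary resolver failure is always answered with 450, so the sender defers). It assumes dig on the Docker host and the resolver address 172.22.1.254 from docker-compose.yml; run it as `sh check_resolver.sh probe`.

```shell
#!/bin/sh
# Added diagnostic for the symptoms in this thread; not part of mailcow.
# Assumptions: dig is installed on the Docker host, and the mailcow resolver
# listens on 172.22.1.254 (the ${IPV4_NETWORK}.254 address from docker-compose.yml).
RESOLVER="${RESOLVER:-172.22.1.254}"

# RCODE from dig's ';; ->>HEADER<<- ... status: X,' line; TIMEOUT when dig got no reply.
dig_status() {
    st=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$st" ]; then
        printf '%s\n' "$st"
    elif printf '%s\n' "$1" | grep -q 'connection timed out'; then
        echo TIMEOUT
    else
        echo UNKNOWN
    fi
}

# Record count from the 'ANSWER: n,' field of dig's flags line (0 if absent).
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1 | grep . || echo 0
}

# What reject_unknown_reverse_client_hostname does with a client whose PTR lookup
# returned RCODE $1 with $2 answers; $3 is unknown_client_reject_code (default 450).
# Any temporary resolver failure is answered with 450 regardless of $3.
postfix_verdict() {
    case "$1" in
        NOERROR)
            if [ "$2" -gt 0 ]; then echo "accept: PTR found"
            else echo "reject $3: no PTR record (NODATA)"; fi ;;
        NXDOMAIN) echo "reject $3: no PTR record (NXDOMAIN)" ;;
        *) echo "defer 450: resolver failure ($1), sender will retry" ;;
    esac
}

# Run one query against the resolver and print rcode and answer count.
probe() {
    label=$1; shift
    out=$(dig +time=3 +tries=1 "@$RESOLVER" "$@" 2>&1)
    printf '%-24s rcode=%-9s answers=%s\n' "$label" "$(dig_status "$out")" "$(dig_answers "$out")"
}

main() {
    # The PTR lookup from the thread: SERVFAIL here is why every inbound client gets
    # "450 4.7.1 Client host rejected: cannot find your reverse hostname".
    out=$(dig +time=3 +tries=1 "@$RESOLVER" -x 192.30.252.194 2>&1)
    echo "reverse lookup           -> $(postfix_verdict "$(dig_status "$out")" "$(dig_answers "$out")" 450)"
    # Root DNSKEY: the bind9 log showed "Unable to fetch DNSKEY set '.': timed out".
    probe "root DNSKEY (DNSSEC)" +dnssec . DNSKEY
    # RFC 5782 test entry; public/ISP recursors are often rate limited for DNSBL zones.
    probe "DNSBL test point" 2.0.0.127.zen.spamhaus.org A
}

if [ "${1:-}" = probe ]; then main; fi
```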

@sgoudelis
Author

Thank you for the information.
