I recently ran into a rather strange problem in Exim (4.20), which
I think is a bug. Mail from firstcolony.org (real domain name)
was failing sender verify. I had callout active, but it wasn't
getting to the callout part. DNS had a reasonable MX record,
corresponding A record, and the server was answering on the SMTP
port. It did have reverse DNS with no matching forward, but I
don't attempt to insist on that. The dnslookup router is "fully
qualifying" a fully qualified name and things go downhill from
there.

What was happening was that the dnslookup router was looking up
"firstcolony.org" (firstcolony.org is NOT a domain we host or
consider local), going through some process I don't fully understand
to come up with a "fully qualified domain name", changing the
destination from "user@???" to "user@???",
and returning REROUTE. It then passed through all the routers
again, EXCEPT when it comes to the dnslookup router, it skips it
since it's been there before, and falls off the end. Therefore,
the sender verify fails.

I will mention that I do not understand what the code is trying to
do with the "fully qualified domain name" stuff. If you put in
something that doesn't end in a recognized top-level domain, your
mail deserves to bounce. As I understand the term, firstcolony.org
*IS* fully qualified. I do not understand why "FIRSTCOLONY.ORG"
is more fully qualified (qualified FOR WHAT?) than "firstcolony.org".
And I certainly hope that nobody thinks that the mail server in
the MX record always has the same domain as the domain it's serving:
some of our mail servers have only a couple of names but serve
hundreds of unrelated (customer) domains.

This problem is difficult to reproduce in debug mode on one of our
gateway machines more than once per machine. I suspect it has
something to do with the MX record showing up as mail.FIRSTCOLONY.ORG
when the local nameserver gets it from the authoritative nameserver,
and mail.firstcolony.org when it gets it out of the local cache of
the local nameserver. Traffic for the real firstcolony.org machine
was low enough that by the time it hit the same MX machine again,
the DNS had expired from the local cache, so no mail got through.

Fragment of debug output from a run that wrongly failed sender
verify. The user name for firstcolony.org has been changed
to 'username' to reduce the possibility of its being spammed.
Lines containing ^^^^ have my comments.

...
End
internal_search_find: file="/usr/local/etc/exim/local_domains.db"
type=dbm key="firstcolony.org"
file lookup required for firstcolony.org
in /usr/local/etc/exim/local_domains.db
lookup failed
firstcolony.org in "@ : airnews.net : webstar.net :dbm;/usr/local/etc/exim/local_domains.db"? no (end of list)
firstcolony.org in "! +local_domains"? yes (end of list)
calling lookuphost router
lookuphost router called for username@???
domain = firstcolony.org
DNS lookup of firstcolony.org (MX) succeeded
DNS lookup of mail.FIRSTCOLONY.ORG (A) succeeded
207.235.119.75 in "127.0.0.0/8"? no (end of list)
mail.firstcolony.org in hosts_treat_as_local? no (end of list)
fully qualified name = FIRSTCOLONY.ORG
host_find_bydns yield = HOST_FOUND (2); returned hosts:
mail.FIRSTCOLONY.ORG 207.235.119.75 0
domain changed to FIRSTCOLONY.ORG
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Why? what was wrong with firstcolony.org?
rewriting header lines
re-routed to username@???
Cannot do callout: neither router nor transport provided a host list
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Considering username@???
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
routing username@???
--------> airmail_rtr router <--------
local_part=username domain=firstcolony.org
checking domains
...

Note: firstcolony.org may have changed the case in their DNS
as a workaround before I got this fix in production.

Proposed fix: If "fully qualifying" a name changes only its case,
don't bother. This may be an insufficient fix for a larger problem,
but it deals with the problem I observed.

Index: routers/dnslookup.c
===================================================================
RCS file: /cvs/ia/exim-utils/exim/src/routers/dnslookup.c,v
retrieving revision 1.1.1.2
diff -c -r1.1.1.2 dnslookup.c
*** routers/dnslookup.c 1 Jul 2003 21:07:23 -0000 1.1.1.2
--- routers/dnslookup.c 24 Jul 2003 19:08:08 -0000
***************
*** 294,300 ****
set up a child address for rerouting and request header rewrites if so
configured. Then yield REROUTED*/
! if (Ustrcmp(addr->domain, fully_qualified_name) != 0)
{
rf_change_domain(addr, fully_qualified_name, ob->rewrite_headers, addr_new);
return REROUTED;
--- 294,300 ----
set up a child address for rerouting and request header rewrites if so
configured. Then yield REROUTED*/
! if (strcmpic(addr->domain, fully_qualified_name) != 0)
{
rf_change_domain(addr, fully_qualified_name, ob->rewrite_headers, addr_new);
return REROUTED;
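
Review bot: the comment directly above the changed test ("set up a child address for rerouting and request header rewrites if so configured. Then yield REROUTED") no longer matches the condition. With strcmpic(addr->domain, fully_qualified_name), a name that differs only in case now falls through without a reroute, and the comment should say so and give the reason (DNS names compare case-insensitively). Two further points: when the only difference is case, rf_change_domain() is skipped, so ob->rewrite_headers has no effect on such addresses, which is worth noting wherever that option is documented; and the REROUTED path is unchanged for names that differ by more than case, so the failure described in the message (the rerouted address skips this router on the second pass and verification fails) can still occur there and needs a separate look.
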
Gordon L. Burditt