Re: [exim] reverse_host_lookup and SERVFAIL

Author: Ryan Tracey
Date:  
To: exim-users
Subject: Re: [exim] reverse_host_lookup and SERVFAIL
Hi Philip

Philip Hazel wrote:
> On Tue, 18 Jan 2005, Ryan Tracey wrote:
>
>
>>Hi
>>I have a somewhat strange problem with an ACL check. Exim issues 451/defers
>>to servers whose IPs fail a reverse lookup with "SERVFAIL".
>
>
> That's right. A temporary (one hopes) DNS error causes a defer.
>
>
>>I have done a
>>"host <ip>" on a number of different servers to exclude a local dns problem.
>>An exim4 -bh <ip> shows that reverse dns lookup is the problem.
>>The strangeness is that in different ACLs Exim seems to treat the SERVFAIL
>>differently.
>>In acl_check_mail the following does not result in a 451 with a SERVFAIL IP.
>>
>>warn message     = X-Broken-Reverse-DNS: $sender_host_address
>>    !verify     = reverse_host_lookup
>>    log_message = acl_mail: (warn-only) Cannot reverse DNS $sender_host_address
>>    delay       = 5s

>
>
> Deferring conditions are treated differently on "warn" verbs. The
> condition is always treated as "false" (the incident is supposed to be
> logged). The idea is that, as they are just "warnings", it is better to
> try to get on with receiving the message.
>


Thanks for clearing that one up. So it is better to warn initially and later use the X-Broken-Reverse-DNS header -- if you don't want someone else's broken DNS to cause their emails to be indefinitely temporarily rejected (considering that they are probably going to take a long time to fix their DNS).

>>In acl_check_rcpt a check of a different sort (also warn only) that includes
>>"!verify = reverse_host_lookup" results in a 451 for the same IP.
>
>
> Hmm. That doesn't agree with what is supposed to happen. Have you got
> debugging output that shows this?



My apologies, the ACL that employed the reverse_host_lookup verification was a defer type: if there is no reverse dns entry, greylistd kicks in. Sorry for the misleading initial post.

Is there any way to detect broken DNS (someone else's) and generate a defer with wording specific to that problem? In the case I am currently dealing with, the mail admin with the broken DNS seems hesitant to consider their DNS as the problem because "Dude! your mail server is saying that there is a temporary *local* problem." I guess, though, that it might be difficult to differentiate between their DNS being broken and the local DNS being broken. Perhaps, if it's not there already, some options for reverse_host_lookup can be added to the wishlist: e.g. reverse_host_lookup/ignore_servfail


Thanks again for the help.

Cheers,
Ryan
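The two behaviours discussed in this thread (a deferring `verify = reverse_host_lookup` is treated as false on a `warn` verb, but produces a 451 on a `defer` verb) and Ryan's wishlist item can be put side by side in one ACL fragment. This is an added example, not configuration from the original thread or from the Exim project; it assumes an Exim release newer than the one under discussion, where the `reverse_host_lookup/defer_ok` option and the `$host_lookup_deferred` / `$host_lookup_failed` expansion variables are available. The header name and the response wording are illustrative.

```exim
# --- acl_check_mail ---------------------------------------------------------
#
# Weak form, as in the original post: on a SERVFAIL the verify condition
# DEFERS, and a deferring condition on a "warn" verb is simply treated as
# false.  The message is accepted, but the header is NOT added, so a later
# check on X-Broken-Reverse-DNS silently misses hosts with a temporarily
# broken reverse zone (they are only logged).
#
#   warn  !verify     = reverse_host_lookup
#         message     = X-Broken-Reverse-DNS: $sender_host_address
#         log_message = acl_mail: (warn-only) Cannot reverse DNS $sender_host_address
#
# Corrected form: defer_ok makes the verify succeed on a temporary DNS error
# instead of deferring, so the lookup always runs to completion and leaves
# its outcome in $host_lookup_failed (NXDOMAIN / forward-reverse mismatch)
# and $host_lookup_deferred (SERVFAIL or other temporary error).
acl_check_mail:

  warn  !verify     = reverse_host_lookup/defer_ok
        message     = X-Broken-Reverse-DNS: $sender_host_address
        log_message = acl_mail: no valid reverse DNS for $sender_host_address

  # Temporary error distinguished from a missing PTR, so the log shows which.
  warn  condition   = ${if eq{$host_lookup_deferred}{1}}
        log_message = acl_mail: temporary DNS error on PTR for $sender_host_address

  accept

# --- acl_check_rcpt ---------------------------------------------------------
acl_check_rcpt:

  # The wishlist item from the thread: a defer whose wording says that the
  # SENDER's reverse zone failed, rather than Exim's generic "temporary local
  # problem" text.  A three-digit prefix in "message" replaces the default
  # SMTP code; 451 keeps the sender retrying (assumption: wording is ours).
  defer condition   = ${if eq{$host_lookup_deferred}{1}}
        message     = 451 Temporary DNS error resolving the PTR record for \
                      $sender_host_address; please check the reverse zone \
                      for your IP address
        log_message = acl_rcpt: deferring, PTR lookup for $sender_host_address SERVFAILed

  # Permanent failure (no PTR, or PTR that does not resolve back): the
  # original post handled this with greylisting; tag and carry on instead.
  warn  condition   = ${if eq{$host_lookup_failed}{1}}
        log_message = acl_rcpt: permanent reverse DNS failure for $sender_host_address

  accept
```

The caveat Ryan raised still holds: Exim cannot tell whether the SERVFAIL came from the sender's authoritative servers or from the local resolver, so the 451 text above should only claim a sending-side problem if the local resolver is known to be healthy (for example by checking `host <ip>` against an independent resolver, as was done in the thread). Running the verify under `warn` with `defer_ok` first, and only deciding on a `defer` afterwards, keeps the decision in one place rather than repeating the lookup in each ACL.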