Marco Moock
2024-10-03 09:02:09 UTC
Hello!
I am currently experimenting with a test system.
I am running 8.18.1-6 amd64 on Debian sid.
I've used
https://www.email-security-scans.org
to let me send an email directly to the test system. This mail has been
received and now needs to be sent to another machine via an alias.
This works for other mails I generated. It only fails for that
specific mail.
It fails with
[...]
354 Enter mail, end with "." on a line by itself
v4-mail.dnssec-...urity-scans.org: Name server timeout
timeout writing message to pi-keller.dorfdsl.de.
***@dorfdsl.de... Deferred: Name server: pi-keller.dorfdsl.de.: host
name lookup failure Closing connection to pi-keller.dorfdsl.de.
***@test:~#
***@test:~# grep v4 /var/spool/mqueue/qf4938SHcZ025471
Mhost map: lookup
(v4-mail.dnssec-broken.measurement.email-security-scans.org): deferred
"***@v4-mail.measurement.email-security-scans.org"
<***@v4-mail.measurement.email-security-scans.org>,
"***@v4-mail.v6only.measurement.email-security-scans.org"
<***@v4-mail.v6only.measurement.email-security-scans.org>,
"***@v4-mail.dnssec-broken.measurement.email-security-scans.org"
<***@v4-mail.dnssec-broken.measurement.email-security-scans.org>
***@test:~#
v4-mail.dnssec-broken.measurement.email-security-scans.org
This lookup should intentionally fail when the resolver is verifying
DNSSEC.
OT: The concept of this service is that you reply to the test mail and
they analyze the received mail. E.g. is an answer to the domain with
broken DNSSEC arrives, they know that DNSSEC won't be checked.
The question is just why sendmail resolves that name, as it isn't an
SMTP recipient of the current mail nor a sender or hostname etc.
It is only part of the Reply-To header of the mail (to test if the
used DNS server checks DNSSEC).
Why are domain parts of Reply-To looked up?
Or is there another thing I missed that cause this lookup?
This is the entire qf:
V8
T1727944097
K1727945909
N18
P1570325
I8/1/655570
MDeferred
Fbs
$_mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88]
$rESMTP
$smail.email-security-scans.org
${daemon_flags}
${if_addr}IPv6:2a01:170:118f:2:0:0:0:24
S<***@email-security-scans.org>
Ctest:8:0:<***@test.dorfdsl.de>
rRFC822; ***@test.dorfdsl.de
RPFDA:***@dorfdsl.de
H?P?Return-Path: <<81>g>
H??Authentication-Results: test.dorfdsl.de; dmarc=pass (p=reject dis=none) header.from=email-security-scans.org
H??Authentication-Results: test; spf=pass (sender SPF authorized)
smtp.mailfrom=email-security-scans.org (client-ip=2a06:d1c0:dead:3::88;
helo=mail.email-security-scans.org;
envelope-from=***@email-security-scans.org; receiver=<UNKNOWN>)
H??Authentication-Results: test.dorfdsl.de;
dkim=pass (1024-bit key; secure) header.d=email-security-scans.org header.i=@email-security-scans.org header.a=rsa-sha256 header.s=key01 header.b=NnieD4po;
dkim-atps=neutral
H??Received: from mail.email-security-scans.org (mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88])
by test.dorfdsl.de (8.18.1/8.18.1/Debian-6) with ESMTP id 4938SHcZ025471
for <***@test.dorfdsl.de>; Thu, 3 Oct 2024 10:28:17 +0200
H??DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email-security-scans.org;
s=key01; t=1727944092; h=from:from:reply-to:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:list-help:
list-owner:list-unsubscribe; bh=DJeYYMbaf+xiARgr9NWbvpGneJ0J1bj3uGoeqX8XziY=;
b=NnieD4poOfqaoFSdtBs9di0al9+cElESiaL9W3znrGbKyxuE6ms2HzooeasZIwBP7U/jIP
oSpogBRGh7512ebuJZkAa/me7FH+0Gg9BMTVGnnddsP/0G6rTMpJ6398Q7arffObDoONST
1yyij1xjKMK069wcfAGZPzD5nWuU8Hs=
H??Received:
by mail.email-security-scans.org (OpenSMTPD) with ESMTPSA id f6cc5500 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=relay
for <***@test.dorfdsl.de>;
Thu, 3 Oct 2024 08:28:12 +0000 (UTC)
H??Date: Thu, 3 Oct 2024 08:28:11 +0000
H??To: "***@test.dorfdsl.de" <***@test.dorfdsl.de>
H??From: Email Delivery Evaluation <***@email-security-scans.org>
H??Reply-To: "***@mail-plaintext.measurement.email-security-scans.org" <***@mail-plaintext.measurement.email-security-scans.org>,
"***@v4-mail.measurement.email-security-scans.org" <***@v4-mail.measurement.email-security-scans.org>,
"***@v6-mail.measurement.email-security-scans.org" <***@v6-mail.measurement.email-security-scans.org>,
"***@v4-mail.v6only.measurement.email-security-scans.org" <***@v4-mail.v6only.measurement.email-security-scans.org>,
"***@v6-mail.v6only.measurement.email-security-scans.org" <***@v6-mail.v6only.measurement.email-security-scans.org>,
"***@v4-mail.dnssec-broken.measurement.email-security-scans.org" <***@v4-mail.dnssec-broken.measurement.email-security-scans.org>
H??Subject: Test ID:8has3gphg0vzxgrdcehqzzfwhnggs7: Your email deliverability test from email-security-scans.org
H??Message-ID: <***@www.email-security-scans.org>
H??X-Mailer: EmailConfTester (https://email-security-scans.org/)
H??Auto-Submitted: auto-generated
H??List-Help: <https://email-security-scans.org/description/>
H??List-Unsubscribe: <https://email-security-scans.org/optout/nwjroydmx9lp2s6cchhimh4njstd2g/test%40test.dorfdsl.de>, <mailto:***@email-security-scans.org?subject=test%40test.dorfdsl.de%20unsubscribe%20email-security-scans.org>
H??List-Owner: <mailto:***@email-security-scans.org> (Contact service operator abuse team for further inquiries.)
H??MIME-Version: 1.0
H??Content-Type: multipart/alternative;
boundary="b1_iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY"
H??Content-Transfer-Encoding: 8bit
.
I am currently experimenting with a test system.
I am running 8.18.1-6 amd64 on Debian sid.
I've used
https://www.email-security-scans.org
to let me send an email directly to the test system. This mail has been
received and now needs to be sent to another machine via an alias.
This works for other mails I generated. It only fails for that
specific mail.
It fails with
[...]
DATA
250 2.1.5 <***@dorfdsl.de>... Recipient ok354 Enter mail, end with "." on a line by itself
v4-mail.dnssec-...urity-scans.org: Name server timeout
timeout writing message to pi-keller.dorfdsl.de.
***@dorfdsl.de... Deferred: Name server: pi-keller.dorfdsl.de.: host
name lookup failure Closing connection to pi-keller.dorfdsl.de.
***@test:~#
***@test:~# grep v4 /var/spool/mqueue/qf4938SHcZ025471
Mhost map: lookup
(v4-mail.dnssec-broken.measurement.email-security-scans.org): deferred
"***@v4-mail.measurement.email-security-scans.org"
<***@v4-mail.measurement.email-security-scans.org>,
"***@v4-mail.v6only.measurement.email-security-scans.org"
<***@v4-mail.v6only.measurement.email-security-scans.org>,
"***@v4-mail.dnssec-broken.measurement.email-security-scans.org"
<***@v4-mail.dnssec-broken.measurement.email-security-scans.org>
***@test:~#
v4-mail.dnssec-broken.measurement.email-security-scans.org
This lookup should intentionally fail when the resolver is verifying
DNSSEC.
OT: The concept of this service is that you reply to the test mail and
they analyze the received mail. E.g. is an answer to the domain with
broken DNSSEC arrives, they know that DNSSEC won't be checked.
The question is just why sendmail resolves that name, as it isn't an
SMTP recipient of the current mail nor a sender or hostname etc.
It is only part of the Reply-To header of the mail (to test if the
used DNS server checks DNSSEC).
Why are domain parts of Reply-To looked up?
Or is there another thing I missed that cause this lookup?
This is the entire qf:
V8
T1727944097
K1727945909
N18
P1570325
I8/1/655570
MDeferred
Fbs
$_mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88]
$rESMTP
$smail.email-security-scans.org
${daemon_flags}
${if_addr}IPv6:2a01:170:118f:2:0:0:0:24
S<***@email-security-scans.org>
Ctest:8:0:<***@test.dorfdsl.de>
rRFC822; ***@test.dorfdsl.de
RPFDA:***@dorfdsl.de
H?P?Return-Path: <<81>g>
H??Authentication-Results: test.dorfdsl.de; dmarc=pass (p=reject dis=none) header.from=email-security-scans.org
H??Authentication-Results: test; spf=pass (sender SPF authorized)
smtp.mailfrom=email-security-scans.org (client-ip=2a06:d1c0:dead:3::88;
helo=mail.email-security-scans.org;
envelope-from=***@email-security-scans.org; receiver=<UNKNOWN>)
H??Authentication-Results: test.dorfdsl.de;
dkim=pass (1024-bit key; secure) header.d=email-security-scans.org header.i=@email-security-scans.org header.a=rsa-sha256 header.s=key01 header.b=NnieD4po;
dkim-atps=neutral
H??Received: from mail.email-security-scans.org (mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88])
by test.dorfdsl.de (8.18.1/8.18.1/Debian-6) with ESMTP id 4938SHcZ025471
for <***@test.dorfdsl.de>; Thu, 3 Oct 2024 10:28:17 +0200
H??DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email-security-scans.org;
s=key01; t=1727944092; h=from:from:reply-to:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:list-help:
list-owner:list-unsubscribe; bh=DJeYYMbaf+xiARgr9NWbvpGneJ0J1bj3uGoeqX8XziY=;
b=NnieD4poOfqaoFSdtBs9di0al9+cElESiaL9W3znrGbKyxuE6ms2HzooeasZIwBP7U/jIP
oSpogBRGh7512ebuJZkAa/me7FH+0Gg9BMTVGnnddsP/0G6rTMpJ6398Q7arffObDoONST
1yyij1xjKMK069wcfAGZPzD5nWuU8Hs=
H??Received:
by mail.email-security-scans.org (OpenSMTPD) with ESMTPSA id f6cc5500 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=relay
for <***@test.dorfdsl.de>;
Thu, 3 Oct 2024 08:28:12 +0000 (UTC)
H??Date: Thu, 3 Oct 2024 08:28:11 +0000
H??To: "***@test.dorfdsl.de" <***@test.dorfdsl.de>
H??From: Email Delivery Evaluation <***@email-security-scans.org>
H??Reply-To: "***@mail-plaintext.measurement.email-security-scans.org" <***@mail-plaintext.measurement.email-security-scans.org>,
"***@v4-mail.measurement.email-security-scans.org" <***@v4-mail.measurement.email-security-scans.org>,
"***@v6-mail.measurement.email-security-scans.org" <***@v6-mail.measurement.email-security-scans.org>,
"***@v4-mail.v6only.measurement.email-security-scans.org" <***@v4-mail.v6only.measurement.email-security-scans.org>,
"***@v6-mail.v6only.measurement.email-security-scans.org" <***@v6-mail.v6only.measurement.email-security-scans.org>,
"***@v4-mail.dnssec-broken.measurement.email-security-scans.org" <***@v4-mail.dnssec-broken.measurement.email-security-scans.org>
H??Subject: Test ID:8has3gphg0vzxgrdcehqzzfwhnggs7: Your email deliverability test from email-security-scans.org
H??Message-ID: <***@www.email-security-scans.org>
H??X-Mailer: EmailConfTester (https://email-security-scans.org/)
H??Auto-Submitted: auto-generated
H??List-Help: <https://email-security-scans.org/description/>
H??List-Unsubscribe: <https://email-security-scans.org/optout/nwjroydmx9lp2s6cchhimh4njstd2g/test%40test.dorfdsl.de>, <mailto:***@email-security-scans.org?subject=test%40test.dorfdsl.de%20unsubscribe%20email-security-scans.org>
H??List-Owner: <mailto:***@email-security-scans.org> (Contact service operator abuse team for further inquiries.)
H??MIME-Version: 1.0
H??Content-Type: multipart/alternative;
boundary="b1_iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY"
H??Content-Transfer-Encoding: 8bit
.
--
kind regards
Marco
kind regards
Marco