Discussion:
reject=553 5.3.0 127.0.0.2 due to unreachable DNS resolver
Marco Moock
2025-02-01 14:54:26 UTC
Hello!

I had a situation where my DNS resolver was unreachable for my machine.

***@pi-dach:~# grep FEATU /etc/mail/sendmail.mc
FEATURE(`no_default_msa')dnl
FEATURE(`require_rdns')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(dnsbl,`dnsbl-1.uceprotect.net')dnl
FEATURE(enhdnsbl,`zen.spamhaus.org', `"554 Connecting client IP address listed in Spamhaus. See https://check.spamhaus.org"', `127.0.0.2', `127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10', `127.0.0.11')dnl
FEATURE(dnsbl,`all.bl.blocklist.de')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(enhdnsbl,`dnsbl-2.uceprotect.net', `"454 4.7.1 Listed in uceprotect Level 2')dnl
FEATURE(enhdnsbl,`dnsbl-0.uceprotect.net', `"454 4.7.1 Listed in uceprotect Level 0')dnl
FEATURE(enhdnsbl,`dnsbl-3.uceprotect.net', `"454 4.7.1 Listed in
uceprotect Level 3')dnl

Jan 31 23:37:37 pi-dach sm-mta[1034127]: ruleset=check_relay,
arg1=[157.230.63.40], arg2=157.230.63.40, relay=[157.230.63.40],
reject=553 5.3.0 127.0.0.2

The remote machine gave

<uk-legal-***@moderators.isc.org>: host pi-dach.dorfdsl.de[82.139.252.17]
said: 553 5.3.0 127.0.0.2 (in reply to MAIL FROM command)

If that is related to a non-resolvable domain (DNS timeout), what is the
reason for this strange error message?

The dnsbl features give back different messages.
--
kind regards
Marco

Send spam to ***@stinkedores.dorfdsl.de
Grant Taylor
2025-02-01 17:41:48 UTC
Post by Marco Moock
Hello!
Hi
Post by Marco Moock
I had a situation where my DNS resolver was unreachable for my machine.
I would expect your logs to indicate /temporary/ failures in the case
when a normally reachable / usable DNS server was unreachable / unusable.
Post by Marco Moock
Jan 31 23:37:37 pi-dach sm-mta[1034127]: ruleset=check_relay,
arg1=[157.230.63.40], arg2=157.230.63.40, relay=[157.230.63.40],
reject=553 5.3.0 127.0.0.2
The "553 5.3.0" indicates a permanent error, not a temporary error that
I'd expect.
Post by Marco Moock
The remote machine gave
said: 553 5.3.0 127.0.0.2 (in reply to MAIL FROM command)
That sounds like your system was trying to send an email and the remote
system refused to accept it.
Post by Marco Moock
If that is related to a non-resolvable domain (DNS timeout), what is the
reason for this strange error message?
The dnsbl features give back different messages.
Please clarify:

- which system the logs are from
- which system was the sending server
- which system was the receiving server / generated the "553 5.3.0"
rejection
--
Grant. . . .
Marco Moock
2025-02-01 18:40:31 UTC
Post by Grant Taylor
Post by Marco Moock
I had a situation where my DNS resolver was unreachable for my machine.
I would expect your logs to indicate /temporary/ failures in the case
when a normally reachable / usable DNS server was unreachable / unusable.
There are no such messages.
Post by Grant Taylor
Post by Marco Moock
Jan 31 23:37:37 pi-dach sm-mta[1034127]: ruleset=check_relay,
arg1=[157.230.63.40], arg2=157.230.63.40, relay=[157.230.63.40],
reject=553 5.3.0 127.0.0.2
This is from my system.
Post by Grant Taylor
The "553 5.3.0" indicates a permanent error, not a temporary error
that I'd expect.
Post by Marco Moock
The remote machine gave
pi-dach.dorfdsl.de[82.139.252.17] said: 553 5.3.0 127.0.0.2 (in
reply to MAIL FROM command)
This is from the logs of the remote.
Post by Grant Taylor
That sounds like your system was trying to send an email and the
remote system refused to accept it.
No, my system rejected the mail from the remote. The postmaster of the
remote contacted me and gave me the bounce.
--
kind regards
Marco

Send spam to ***@stinkedores.dorfdsl.de
Grant Taylor
2025-02-02 00:45:45 UTC
Post by Marco Moock
There are no such messages.
Okay.
Post by Marco Moock
This is from my system.
ACK
Post by Marco Moock
This is from the logs of the remote.
ACK
Post by Marco Moock
No, my system rejected the mail from the remote. The postmaster of
the remote contacted me and gave me the bounce.
With the clarifying details in mind, I re-read your original message and
it looks as if 157.230.63.40 is listed in dnsbl-3.uceprotect.net. Maybe
that's part of the problem.

% dig 40.63.230.157.dnsbl-3.uceprotect.net
40.63.230.157.dnsbl-3.uceprotect.net. 1999 IN A 127.0.0.2
--
Grant. . . .
Marco Moock
2025-02-02 08:48:03 UTC
Post by Grant Taylor
With the clarifying details in mind, I re-read your original message
and it looks as if 157.230.63.40 is listed in dnsbl-3.uceprotect.net.
Maybe that's part of the problem.
% dig 40.63.230.157.dnsbl-3.uceprotect.net
40.63.230.157.dnsbl-3.uceprotect.net. 1999 IN A 127.0.0.2
True, but that should be rejected with another error message according
to my config and that is the case when DNS works normally. If it
doesn't, it gave me this strange error.
--
kind regards
Marco

Send spam to ***@stinkedores.dorfdsl.de
Grant Taylor
2025-02-02 16:39:23 UTC
Post by Marco Moock
True, but that should be rejected with another error message according
to my config and that is the case when DNS works normally. If it
doesn't, it gave me this strange error.
I don't use `dnsbl' nor `enhdnsbl' so I'm not up on the particulars.
But my read of the FEATUREs in the cf/README file made me think that the
`454 4.7.1 Listed in ...' messages you have are for when the DNS lookup
fails (including all retries).

But, I may be mis-interpreting the cf/README documentation.
--
Grant. . . .
Marco Moock
2025-02-02 20:11:53 UTC
Post by Grant Taylor
I don't use `dnsbl' nor `enhdnsbl' so I'm not up on the
particulars. But my read of the FEATUREs in the cf/README file made
me think that the `454 4.7.1 Listed in ...' messages you have are for
when the DNS lookup fails (including all retries).
That error is fine, but in my case it was 553 and I would like to
understand what caused that.
--
kind regards
Marco

Send spam to ***@stinkedores.dorfdsl.de
Grant Taylor
2025-02-02 22:42:16 UTC
Post by Marco Moock
That error is fine, but in my case it was 553 and I would like to
understand what caused that.
I'll try saying it another way, my -- limited -- understanding is that
the `454 4.7.1 Listed in ...' error is only sent when there are DNS timeouts
/ failures (multiple times).

I think that Sendmail will return a different (error) message when it
successfully looks up the IP address and finds it listed in the
(ENH)DNSBL. I think it's entirely possible that the 553 was because the
client's IP was listed in the (ENH)DNSBL. The 553 even included the IP
address from the listing.

But, as said before, I don't use (ENH)DNSBL and don't have any first
hand experience with it.
--
Grant. . . .
Marco Moock
2025-02-03 19:28:58 UTC
Post by Grant Taylor
I'll try saying it another way, my -- limited -- understanding is
that the `454 4.7.1 Listed in ...' error is only sent when there are DNS
timeouts / failures (multiple times).
No, that was sent when the lookup was successful. I used it wrong as I
had too many arguments (it can filter for the lookup results and there
were too many according to the doc).
--
kind regards
Marco

Send spam to ***@stinkedores.dorfdsl.de
Claus Aßmann
2025-02-03 07:07:06 UTC
Post by Marco Moock
FEATURE(enhdnsbl,`zen.spamhaus.org', `"554 Connecting client IP address
listed in Spamhaus. See https://check.spamhaus.org"', `127.0.0.2',
`127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10', `127.0.0.11')dnl
reject=553 5.3.0 127.0.0.2
^^^^^^^^^

This should tell you that your use of enhdnsbl is probably wrong.
Please see cf/README for the arguments.
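
An added example, not part of the thread or of sendmail: a small Python check for the argument problem Claus points at, assuming the enhdnsbl layout from cf/README (zone, reject message, temporary-failure argument, then up to five lookup result values). The function names and the second sample line are constructed for illustration.

```python
import re

# Assumed layout (from sendmail's cf/README, not stated in full in the thread):
# FEATURE(`enhdnsbl', zone, reject message, temp-failure arg, up to 5 results)
MAX_RESULTS = 5
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}\.?$")

def split_m4_args(body):
    """Split on top-level commas, stripping one level of m4 `...' quoting."""
    args, cur, depth = [], [], 0
    for ch in body:
        if ch == "`":
            depth += 1
            if depth == 1:
                continue
        elif ch == "'" and depth:
            depth -= 1
            if depth == 0:
                continue
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def lint_enhdnsbl(mc_text):
    """Return (zone, finding) pairs for suspicious enhdnsbl argument use."""
    findings = []
    for body in re.findall(r"FEATURE\((.*?)\)dnl", mc_text, re.S):
        args = split_m4_args(" ".join(body.split()))  # rejoin wrapped lines
        if args[0] != "enhdnsbl" or len(args) < 2:
            continue
        zone, tempfail, results = args[1], "".join(args[3:4]), args[4:]
        if IPV4.match(tempfail):
            findings.append((zone, "lookup result %s is in the temp-failure slot" % tempfail))
        if len(results) > MAX_RESULTS:
            findings.append((zone, "%d result values, limit is %d" % (len(results), MAX_RESULTS)))
    return findings

# First entry is the line quoted in the thread; the second is constructed.
SAMPLE = """\
FEATURE(enhdnsbl,`zen.spamhaus.org', `"554 Connecting client IP address listed in Spamhaus. See https://check.spamhaus.org"', `127.0.0.2', `127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10', `127.0.0.11')dnl
FEATURE(`enhdnsbl', `dnsbl.example.com', `', `t', `127.0.0.2.')dnl
"""

if __name__ == "__main__":
    for zone, finding in lint_enhdnsbl(SAMPLE):
        print(zone + ": " + finding)
```
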