Message-ID:

BOFH excuse #302: microelectronic Riemannian curved-space fault in write-only file system

comp / comp.mail.sendmail / strange host lookups

Hello!

I am currently experimenting with a test system.
I am running 8.18.1-6 amd64 on Debian sid.

I've used
https://www.email-security-scans.org

to let me send an email directly to the test system. This mail has been
received and now needs to be sent to another machine via an alias.
This works for other mails I generated. It only fails for that
specific mail.

It fails with

[...]

>>> MAIL From:<reply@email-security-scans.org> SIZE=6644
250 2.1.0 <reply@email-security-scans.org>... Sender ok
>>> RCPT To:<mm@dorfdsl.de>
>>> DATA
250 2.1.5 <mm@dorfdsl.de>... Recipient ok
354 Enter mail, end with "." on a line by itself
v4-mail.dnssec-...urity-scans.org: Name server timeout
timeout writing message to pi-keller.dorfdsl.de.
mm@dorfdsl.de... Deferred: Name server: pi-keller.dorfdsl.de.: host
name lookup failure Closing connection to pi-keller.dorfdsl.de.
root@test:~#

root@test:~# grep v4 /var/spool/mqueue/qf4938SHcZ025471
Mhost map: lookup
(v4-mail.dnssec-broken.measurement.email-security-scans.org): deferred
"measurement@v4-mail.measurement.email-security-scans.org"
<measurement@v4-mail.measurement.email-security-scans.org>,
"measurement@v4-mail.v6only.measurement.email-security-scans.org"
<measurement@v4-mail.v6only.measurement.email-security-scans.org>,
"measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org"
<measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org>
root@test:~#

v4-mail.dnssec-broken.measurement.email-security-scans.org
This lookup should intentionally fail when the resolver is verifying
DNSSEC.

OT: The concept of this service is that you reply to the test mail and
they analyze the received mail. E.g. is an answer to the domain with
broken DNSSEC arrives, they know that DNSSEC won't be checked.

The question is just why sendmail resolves that name, as it isn't an
SMTP recipient of the current mail nor a sender or hostname etc.

It is only part of the Reply-To header of the mail (to test if the
used DNS server checks DNSSEC).

Why are domain parts of Reply-To looked up?
Or is there another thing I missed that cause this lookup?

This is the entire qf:
V8
T1727944097
K1727945909
N18
P1570325
I8/1/655570
MDeferred
Fbs
$_mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88]
$rESMTP
$smail.email-security-scans.org
${daemon_flags}
${if_addr}IPv6:2a01:170:118f:2:0:0:0:24
S<reply@email-security-scans.org>
Ctest:8:0:<test@test.dorfdsl.de>
rRFC822; test@test.dorfdsl.de
RPFDA:mm@dorfdsl.de
H?P?Return-Path: <<81>g>
H??Authentication-Results: test.dorfdsl.de; dmarc=pass (p=reject dis=none) header.from=email-security-scans.org
H??Authentication-Results: test; spf=pass (sender SPF authorized)
smtp.mailfrom=email-security-scans.org (client-ip=2a06:d1c0:dead:3::88;
helo=mail.email-security-scans.org;
envelope-from=reply@email-security-scans.org; receiver=<UNKNOWN>)
H??Authentication-Results: test.dorfdsl.de;
dkim=pass (1024-bit key; secure) header.d=email-security-scans.org header.i=@email-security-scans.org header.a=rsa-sha256 header.s=key01 header.b=NnieD4po;
dkim-atps=neutral
H??Received: from mail.email-security-scans.org (mail.email-security-scans.org [IPv6:2a06:d1c0:dead:3:0:0:0:88])
by test.dorfdsl.de (8.18.1/8.18.1/Debian-6) with ESMTP id 4938SHcZ025471
for <test@test.dorfdsl.de>; Thu, 3 Oct 2024 10:28:17 +0200
H??DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email-security-scans.org;
s=key01; t=1727944092; h=from:from:reply-to:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:list-help:
list-owner:list-unsubscribe; bh=DJeYYMbaf+xiARgr9NWbvpGneJ0J1bj3uGoeqX8XziY=;
b=NnieD4poOfqaoFSdtBs9di0al9+cElESiaL9W3znrGbKyxuE6ms2HzooeasZIwBP7U/jIP
oSpogBRGh7512ebuJZkAa/me7FH+0Gg9BMTVGnnddsP/0G6rTMpJ6398Q7arffObDoONST
1yyij1xjKMK069wcfAGZPzD5nWuU8Hs=
H??Received:
by mail.email-security-scans.org (OpenSMTPD) with ESMTPSA id f6cc5500 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO) auth=yes user=relay
for <test@test.dorfdsl.de>;
Thu, 3 Oct 2024 08:28:12 +0000 (UTC)
H??Date: Thu, 3 Oct 2024 08:28:11 +0000
H??To: "test@test.dorfdsl.de" <test@test.dorfdsl.de>
H??From: Email Delivery Evaluation <reply@email-security-scans.org>
H??Reply-To: "measurement@mail-plaintext.measurement.email-security-scans.org" <measurement@mail-plaintext.measurement.email-security-scans.org>,
"measurement@v4-mail.measurement.email-security-scans.org" <measurement@v4-mail.measurement.email-security-scans.org>,
"measurement@v6-mail.measurement.email-security-scans.org" <measurement@v6-mail.measurement.email-security-scans.org>,
"measurement@v4-mail.v6only.measurement.email-security-scans.org" <measurement@v4-mail.v6only.measurement.email-security-scans.org>,
"measurement@v6-mail.v6only.measurement.email-security-scans.org" <measurement@v6-mail.v6only.measurement.email-security-scans.org>,
"measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org" <measurement@v4-mail.dnssec-broken.measurement.email-security-scans.org>
H??Subject: Test ID:8has3gphg0vzxgrdcehqzzfwhnggs7: Your email deliverability test from email-security-scans.org
H??Message-ID: <iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY@www.email-security-scans.org>
H??X-Mailer: EmailConfTester (https://email-security-scans.org/)
H??Auto-Submitted: auto-generated
H??List-Help: <https://email-security-scans.org/description/>
H??List-Unsubscribe: <https://email-security-scans.org/optout/nwjroydmx9lp2s6cchhimh4njstd2g/test%40test.dorfdsl.de>, <mailto:unsubscribe@email-security-scans.org?subject=test%40test.dorfdsl.de%20unsubscribe%20email-security-scans.org>
H??List-Owner: <mailto:abuse@email-security-scans.org> (Contact service operator abuse team for further inquiries.)
H??MIME-Version: 1.0
H??Content-Type: multipart/alternative;
boundary="b1_iJN1dAfHIr9hajw0oznbXsp5R7SKUl7PtLRmZP8mcwY"
H??Content-Transfer-Encoding: 8bit
..

--
kind regards
Marco

Marco Moock wrote:

> The question is just why sendmail resolves that name, as it isn't an
> SMTP recipient of the current mail nor a sender or hostname etc.

> It is only part of the Reply-To header of the mail (to test if the

Addresses in headers might be rewritten (or need to be "fixed").

See for example sendmail/TUNING (and cf/README)

* DNS Lookups
-----------------------------------------------

sendmail performs by default host name canonifications by using
host name lookups. This process is meant to replace unqualified
host name with qualified host names, and CNAMEs with the non-aliased
name. However, these lookups can take a while for large address
lists, e.g., mailing lists. If you can assure by other means that
host names are canonical, you should use

FEATURE(`nocanonify', `canonify_hosts')

in your .mc file. For further information on this feature and
additional options see cf/README.
[[... read on ... ]]

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Subject	Author
strange host lookups	Marco Moock
Re: strange host lookups	Claus Aßmann