[afnog] SMTP server rejecting domain

Brian Candler B.Candler at pobox.com
Fri Jun 2 16:25:00 EAT 2006


On Fri, Jun 02, 2006 at 02:06:10PM +0200, Mangaliso Jere wrote:
> Jun  1 13:24:46 nyandeni sendmail[12526]: k51BOegj012526:
> ruleset=check_mail, arg1=<asmwale at cedrisa.org>, relay=[196.45.190.62],
> reject=451 4.1.8 Domain of sender address asmwale at cedrisa.org does not
> resolve

Your sendmail has a built-in policy which says:

* look at the MAIL FROM domain
* check it resolves
* if it doesn't, don't allow the mail through

The reason for this is:

(a) if the MAIL FROM domain doesn't resolve, it would be impossible to send
any bounce back to the sender later on, if the destination turned out to be
undeliverable

(b) many, many systems on the Internet reject mail with invalid MAIL FROM
domains, as an anti-spam measure, and therefore there's a good chance that
the mail will be rejected. But because of (a), the sender would never know
that the rejection had taken place.

Put it another way: the E-mail address "asmwale at cedrisa.org" doesn't work,
so you should not be sending any outgoing mail with this as the return
address.

The solution is to fix the nameservice for the cedrisa.org domain. This will
mean that incoming mail for asmwale at cedrisa.org will work, which in turn
will allow your sendmail to forward mail with this as the return address.

> When I do the following
> dig cedrisa.org any
> 
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62335
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;cedrisa.org.                   IN      ANY
> 
> ;; Query time: 560 msec
> ;; SERVER: 196.45.190.25#53(196.45.190.25)
> ;; WHEN: Fri Jun  2 15:50:15 2006
> ;; MSG SIZE  rcvd:

The magic word to notice there is SERVFAIL. This means "I tried to contact
the nameservers for this domain, but none of them responded".

$ dig +norec @a.root-servers.net. cedrisa.org. mx
;; AUTHORITY SECTION:
org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
org.                    172800  IN      NS      TLD2.ULTRADNS.NET.
org.                    172800  IN      NS      TLD3.ULTRADNS.org.
org.                    172800  IN      NS      TLD4.ULTRADNS.org.
org.                    172800  IN      NS      TLD5.ULTRADNS.INFO.
org.                    172800  IN      NS      TLD6.ULTRADNS.CO.UK.

$ dig +norec @tld1.ultradns.net. cedrisa.org. mx
;; AUTHORITY SECTION:
cedrisa.org.            86400   IN      NS      domwe.leland-mw.org.
cedrisa.org.            86400   IN      NS      chambo.sdnp.org.mw.


$ dig +norec @domwe.leland-mw.org. cedrisa.org. mx
[times out, no response]

$ dig +norec @chambo.sdnp.org.mw. cedrisa.org. mx
;; AUTHORITY SECTION:
org.                    164881  IN      NS      tld6.ultradns.co.uk.
org.                    164881  IN      NS      tld1.ultradns.net.
org.                    164881  IN      NS      tld2.ultradns.net.
org.                    164881  IN      NS      tld3.ultradns.org.
org.                    164881  IN      NS      tld4.ultradns.org.
org.                    164881  IN      NS      tld5.ultradns.info.

[this is a lame delegation, this server knows nothing about the domain
cedrisa.org and refers you back to the .org servers]

So this domain is completely broken.

Regards,

Brian.
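
Added example, not part of the original message: a small Python classifier for the reply each listed nameserver gives to a `dig +norec @server zone mx` query, flagging the timeout and the upward referral (lame delegation) traced above. The sample replies are constructed: the NS records follow the post, while the header lines, the function names and the example.org. zone are assumptions.

```python
import re

def parse_dig(text):
    """Pull status, header flags and AUTHORITY-section NS owner names from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    section, ns_owners = None, set()
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            fields = line.split()
            if len(fields) >= 5 and fields[3] == "NS":
                ns_owners.add(fields[0].lower())
    return (status.group(1) if status else None,
            flags.group(1).split() if flags else [], ns_owners)

def classify(zone, text):
    """Classify one listed nameserver's reply; zone is written with its trailing dot."""
    zone = zone.lower()
    if "timed out" in text:
        return "no-response"
    status, flags, ns_owners = parse_dig(text)
    if status != "NOERROR":
        return "error:%s" % status
    if "aa" in flags:
        return "authoritative"
    # A server listed for the zone that refers us to an ancestor zone is lame.
    for owner in sorted(ns_owners):
        if owner != zone and (owner == "." or zone.endswith("." + owner)):
            return "lame:refers-to-%s" % owner
    return "non-authoritative"

# Constructed replies: NS records as in the post, header lines assumed.
CHAMBO = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
org.                    164881  IN      NS      tld1.ultradns.net.
org.                    164881  IN      NS      tld2.ultradns.net.
"""
DOMWE = ";; connection timed out; no servers could be reached"
# Constructed healthy reply for contrast (hypothetical zone example.org.).
HEALTHY = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for server, reply in [("domwe.leland-mw.org.", DOMWE), ("chambo.sdnp.org.mw.", CHAMBO)]:
        print(server, classify("cedrisa.org.", reply))
```

A zone is only healthy when every server in the parent's NS set comes back "authoritative"; here one listed server gives no response and the other is lame, which is why the resolver returns SERVFAIL.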


