
I have postfix running on OpenBSD, and I'm having trouble with it appending a search domain when none is configured in either postfix or the local DNS server (dnsmasq).

My domain has a wildcard CNAME entry (*.example.com) pointing at myhost.example.com.

I know that normally, in order to make it behave like this I would have a 'search' entry in my resolv.conf, but I have no such entry. My /etc/resolv.conf contains:

nameserver 127.0.0.1
nameserver <my ISP's DNS 1>
nameserver <my ISP's DNS 2>

Dnsmasq knows to ignore the localhost entry (and says so in logs), but it means that other services look up in dnsmasq. dnsmasq is using only default config, with no changes at all.

If I enable logging in dnsmasq I get entries like this:

Dec 15 10:39:56 mail dnsmasq[640]: query[A] ncwfood.com from 127.0.0.1
Dec 15 10:39:56 mail dnsmasq[640]: forwarded ncwfood.com to <my ISP's DNS 1>
Dec 15 10:39:56 mail dnsmasq[640]: reply ncwfood.com is NXDOMAIN-IPv4
Dec 15 10:39:56 mail dnsmasq[640]: query[AAAA] ncwfood.com from 127.0.0.1
Dec 15 10:39:56 mail dnsmasq[640]: forwarded ncwfood.com to <my ISP's DNS 1>
Dec 15 10:39:56 mail dnsmasq[640]: reply ncwfood.com is NXDOMAIN-IPv6

That's all correct for a failing lookup, and dnsmasq is doing what it should. Then postfix does this:

Dec 15 10:39:56 mail dnsmasq[640]: query[A] ncwfood.com.example.com from 127.0.0.1
Dec 15 10:39:56 mail dnsmasq[640]: forwarded ncwfood.com.example.com to <my ISP's DNS 1>
Dec 15 10:39:56 mail dnsmasq[640]: reply myhost.example.com is <my IP>
Dec 15 10:39:56 mail dnsmasq[640]: query[AAAA] ncwfood.com.example.com from 127.0.0.1
Dec 15 10:39:56 mail dnsmasq[640]: cached ncwfood.com.example.com is <CNAME>
Dec 15 10:39:56 mail dnsmasq[640]: cached myhost.example.com is 2001:4b98:...

It appends my domain, does a lookup, matches the wildcard and ends up pointing where it shouldn't. If I issue name lookups directly to dnsmasq (e.g. with dig @localhost ...), it does not do these extra lookups, so it's definitely postfix that's doing it.

In my postfix config I have set it to defer to the system DNS service (dnsmasq), not to use its own dns resolver, and not to append a search domain, like this:

lmtp_host_lookup = native
smtp_host_lookup = native
smtp_dns_resolver_options =
disable_dns_lookups = yes
ignore_mx_lookup_error = no

The 'native' directive is clearly working as I am seeing the lookups in dnsmasq logs. According to the docs it seems as if smtp_dns_resolver_options is acting as if it's set to res_dnsrch, but it's not (it's blank).

Here's my postfix log from the same message transaction:

Dec 15 10:40:26 mail postfix/smtp[29517]: connect to ncwfood.com[46....]:25: Connection timed out
Dec 15 10:40:26 mail postfix/smtp[29517]: connect to ncwfood.com[2001:4b98:...]:25: No route to host
Dec 15 10:40:26 mail postfix/smtp[29517]: 22F8A3A4F0F: to=<xxx@ncwfood.com>, relay=none, delay=168442, delays=168412/0.33/30/0, dsn=4.4.1, status=deferred (connect to ncwfood.com[2001:4b98:...]:25: No route to host)

The address it's trying to connect to is my wildcard host which is not running a mail server, hence the connection failures.

I found a release note saying that postfix used to automatically append domains, but that was stopped in version 2.8; I'm running 2.10.

How can I stop postfix from doing these lookups?

Synchro
  • I've added the matching postfix log entries. It doesn't appear to log its DNS lookups, only the connection attempts. – Synchro Dec 15 '14 at 11:54
  • So is it appending a search domain to email without a domain? – NickW Dec 15 '14 at 11:57
  • No, it's appending a search domain to all hostnames that fail a DNS lookup. I don't want it to append a domain at all - bare user names (other than those handled in /etc/aliases) should fail. – Synchro Dec 15 '14 at 12:00
  • Sorry @NickW - I just tested that - it IS appending a domain to bare usernames, even non-existent ones: `mail -s test user` results in a message being sent to `user@example.com`. – Synchro Dec 15 '14 at 12:04
  • Then you need to disable `append_dot_mydomain` – NickW Dec 15 '14 at 12:35
  • append_dot_mydomain (default: Postfix ≥ 2.12: no, Postfix < 2.12: yes) With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead. Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead. Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true: – NickW Dec 15 '14 at 12:35
  • There are a lot of features in postfix designed to make mail internet routeable, it could be that option.. could be a few of the others.. – NickW Dec 15 '14 at 12:38
  • `append_dot_mydomain = no` didn't make any difference - it still appends domain to both local and remote addresses. `remote_header_rewrite_domain` is blank. – Synchro Dec 15 '14 at 12:53
  • how about `append_at_myorigin` ? That also defaults to yes. – NickW Dec 15 '14 at 13:33
  • I tried that - it broke pretty much everything! It does explicitly say not to turn it off! – Synchro Dec 15 '14 at 13:42
  • :) yeah, I was trying to imagine how it would work.. looks to be what the cleanup daemon does by default also.. http://www.hsc.fr/ressources/cours/postfix/doc/cleanup.8.html (see the third bullet point). – NickW Dec 15 '14 at 14:11
  • This is an interesting question, but I can't replicate the odd behavior in my VM (postfix and dnsmasq were also installed) :( – masegaloeh Dec 15 '14 at 14:41
  • I had this same issue on an openbsd install. Postfix on obsd uses /var/spool/postfix/etc/resolv.conf for resolution. This solved my problem: http://serverfault.com/questions/513237/nslookup-fails-but-ping-succeeds-for-nonexistent-domains With the only difference being I added the md5 to the above resolv.conf file. Hope this helps someone as it took me a little bit to figure out. – Jan 21 '15 at 20:48
  • @localyodel that sounds like a great idea, you should probably post that as an answer! – Synchro Jan 22 '15 at 10:26
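
Added example, not from the question, the comments or the answer: a POSIX sh helper that works out the search list the libc resolver will actually use from a resolv.conf and the hostname, following resolv.conf(5) (the last "search" line wins, else the last "domain" line, else the part of the hostname after the first dot), and compares the system file with the chroot copy mentioned in the comment above. All file paths and hostnames here are constructed.

```shell
#!/bin/sh
# Added example, not from the question, the comments or the answer. Reproduces
# the libc resolver's search-list rule from resolv.conf(5): the last "search"
# line wins; otherwise the last "domain" line; otherwise everything after the
# first dot of the hostname. File paths and hostnames below are constructed.

# $1 = path to a resolv.conf, $2 = hostname as gethostname(3) would return it
effective_search_list() {
    conf=$1
    host=$2
    search=""
    dom=""
    if [ -r "$conf" ]; then
        search=$(awk '$1 == "search" { $1 = ""; sub(/^ +/, ""); last = $0 } END { print last }' "$conf")
        dom=$(awk '$1 == "domain" { last = $2 } END { print last }' "$conf")
    fi
    if [ -n "$search" ]; then
        printf '%s\n' "$search"
    elif [ -n "$dom" ]; then
        printf '%s\n' "$dom"
    else
        case $host in
            *.*) printf '%s\n' "${host#*.}" ;;   # derived from the hostname
            *)   printf '\n' ;;                  # short hostname: no search list
        esac
    fi
}

# A chrooted Postfix smtp(8) client reads the resolv.conf copy under the queue
# directory (the path named in the comments); print both search lists and
# return non-zero when they differ, so a mismatch is easy to spot.
compare_resolv() {
    sys_list=$(effective_search_list "$1" "$3")
    chroot_list=$(effective_search_list "$2" "$3")
    printf 'system : "%s"\nchroot : "%s"\n' "$sys_list" "$chroot_list"
    [ "$sys_list" = "$chroot_list" ]
}

# Demo on constructed files: the question's resolv.conf has no search line, yet
# a host named mail.example.com still gets "example.com" appended.
demo_dir=$(mktemp -d)
printf 'nameserver 127.0.0.1\n' > "$demo_dir/resolv.conf"
printf 'nameserver 127.0.0.1\nsearch example.com\n' > "$demo_dir/chroot-resolv.conf"
effective_search_list "$demo_dir/resolv.conf" mail.example.com
compare_resolv "$demo_dir/resolv.conf" "$demo_dir/chroot-resolv.conf" mail.example.com || true
rm -rf "$demo_dir"
```

Point it at /etc/resolv.conf and /var/spool/postfix/etc/resolv.conf with the output of hostname to see which list the chrooted client is really using.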

1 Answer

I don't think disable_dns_lookups does what you think it does. From http://www.postfix.org/postconf.5.html

disable_dns_lookups (default: no)
Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the getaddrinfo() system library routine which normally also looks in /etc/hosts. As of Postfix 2.11, this parameter is deprecated; use smtp_dns_support_level instead.

DNS lookups are enabled by default.

I would suggest looking at some of the other postfix parameters like: append_at_myorigin and append_dot_mydomain as well as local_header_rewrite_clients.

The output from postconf -n would help as well.

Rick Buford