Postfix: Helo command rejected: Host not found
i have a Postfix 2.9.6 running on Ubuntu with the following configuration https://gist.github.com/anonymous/400fb4afa05e18c6da2b and i’m suffering the following issue where a valid client tries to send an email to itself. Most of my clients does not have a valid FQDN as hostname but as i understand that’s not a problem because of permit_sasl_authenticated but i don’t know why the following process ends up like this:
Out: 220 mail.isp.es ESMTP Postfix In: EHLO NoFQDN-Host Out: 250-mail.isp.es Out: 250-PIPELINING Out: 250-SIZE 10240000 Out: 250-ETRN Out: 250-STARTTLS Out: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 Out: 250-ENHANCEDSTATUSCODES Out: 250-8BITMIME Out: 250 DSN In: MAIL FROM: Out: 250 2.1.0 Ok In: RCPT TO: Out: 450 4.7.1 : Helo command rejected: Host not found Session aborted, reason: lost connection For other details, see the local mail logfile
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org smtpd_data_restrictions = reject_unauth_pipelining smtpd_end_of_data_restrictions = smtpd_etrn_restrictions = smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_pipelining, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, warn_if_reject reject_unknown_helo_hostname, permit smtpd_restriction_classes = smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
host command resolves IP address but gives host not found error
I am having issues with one of the EC2 instance where I have application dying because it is not able to resolve other systems in the same VPC. When I run host ip-10.123.22.100 command on a server, I get this response back.
ip-10.123.22.100.corp.domain.com has address 10.123.22.100 Host ip-10.123.22.100.corp.domain.com not found: 3(NXDOMAIN) Host ip-10.123.22.100.corp.domain.com not found: 3(NXDOMAIN)
When I do ping 10.123.22.100 , I get the response back. I am suspecting there is something screwy going on with DNS system but I am struggling to figure out what could cause this. Can you please point me in the right direction?
@fpmurphy: I do not have dig output but ping works fine. Also noticed that there is an entry as nameserver 127.0.0.1 in /etc/resolv.conf file. Could that potentially be causing this?
1 Answer 1
Apparently this might be due to host also looking up MX records in addition to an A and AAAA records.
The -t option is used to select the query type. type can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, host automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the -C option was given, queries will be made for SOA records, and if name is a dotted-decimal IPv4 address or colon-delimited IPv6 address, host will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. -t IXFR=12345678).
So it looks like your host doesn’t have associated MX or AAAA dns records?
This is why @fpmurphy is asking what the output of the dig command is, since dig by default only looks for the A record:
type indicates what type of query is required — ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is supplied, dig will perform a lookup for an A record.
Linux host -a (all) command returns Host not found: 4(NOTIMP)
For some reason, the Linux host command with the -a («all») option, returns a «not found: 4(NOTIMP)» on two local machines. One is Ubuntu on WSL and another an Ubuntu server on a virtual machine. The host is a Windows 10 machine. This is what I read on man host :
-a The -a («all») option is normally equivalent to -v -t ANY. It also affects the behavior of the -l list zone option.
$ host example.com example.com has address 93.184.216.34 example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946 example.com mail is handled by 0 .
$ host -a example.com Trying "example.com" Host example.com not found: 4(NOTIMP) Received 29 bytes from 127.0.0.53#53 in 135 ms
The above result is similar on WSL, and for any other domain I’ve tried. I ran the exact same command on a cloud server, and it produces an ANSWER SECTION with many lines, so this is clearly something in my setup. Not a big deal, but I’d appreciate pointers on how to troubleshoot and potentially fix it.
Don’t use -a / ANY , it is useless. It never meant «all» and is explicitly deprecated now. See RFC 8482.
It still appears on the man page, it’s still supported by some DNS servers, including Google’s 8.8.8.8, and I still find it useful :). Thanks for the RFC reference, they make good security points that might help explain why some DNS servers don’t implement it.
The problem you seem to forget is that «ANY» does NOT mean «ALL» contrrary to what everyone thinks. So it is useless. It never guarantees you to get all records, you get only the subset of records cached in the nameserver you query. Hence you shouldn’t use it because it will be misleading. It will always appear everywhere because it is in the core DNS specifications written 40 years ago and noone will write an addendum to remove it. Yet, as the RFC says, it is deprecated.
I searched for the words «obsolete» and «deprecated» in the RFC8482 but couldn’t find any matches. anyway, I see what you mean now. Yes, it doesn’t return all the results. Excellent point!
Glad you finally hit the important point (ANY != ALL) but you maybe still miss other things, like ANY being abused for malicious traffic and amplification attacks. You may want to read around what happened to produce this RFC (and how it is the result of some compromise among different parties), and those resources may help: blog.cloudflare.com/deprecating-dns-any-meta-query-type and blog.cloudflare.com/what-happened-next-the-deprecation-of-any and finally blog.cloudflare.com/rfc8482-saying-goodbye-to-any/;as explained in latest, some resolver reply now with NOTIMPL
1 Answer 1
There’s an answer on superuser that pointed me to the issue: it’s the DNS server that does not implement this option.
See examples below, where the server is specified.
$ host -a example.com 208.67.222.222 Trying "example.com" Using domain server: Name: 208.67.222.222 Address: 208.67.222.222#53 Aliases: Host example.com not found: 4(NOTIMP) Received 29 bytes from 208.67.222.222#53 in 0 ms
$ host -a example.com 9.9.9.9 Trying "example.com" Trying "example.com" Using domain server: Name: 9.9.9.9 Address: 9.9.9.9#53 Aliases: ;; ->>HEADER
The network in question is configured to use a DNS server that does not support this option. The NOTIMP (Not Implemented) is the clue. Specifying an alternative DNS server with the host (or dig ) command, or configuring a different default DNS resolver (which I haven't tried yet) are ways to get around it. Any other troubleshooting tips are still welcome.
Update: Based on comments on the question, it's worth noting that using -a (ANY) is not recommended since it does not actually fetch all results. See RFC 8482 and a related blog post from Cloudflare (who owns 1.1.1.1 that doesn't support it): Saying goodbye to ANY.
Saved searches
Use saved searches to filter your results more quickly
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Host not found (NXDOMAIN) with host command #198
Host not found (NXDOMAIN) with host command #198
Comments
I've setup mesos-dns and when I use the host command I'm able to resolve a host. If I run the same command right after it. I get a Host not found. I have to wait 60sec (TTL time in config.json) before I can run it again successfully.
Running the dig command works all the time.
Any thoughts about this problem ?
# host leader.mesos leader.mesos has address 10.20.6.123 Host leader.mesos not found: 3(NXDOMAIN)
# host leader.mesos Host leader.mesos not found: 3(NXDOMAIN)
The text was updated successfully, but these errors were encountered:
I'm running the host command from the Master DNS and it has only localhost in /etc/resolv.conf
It's not blocking but I would be more comfortable not seeing any errors.
Thanks!
@maximedevalland: Would you be able to provide the output of your host and dig commands? Thanks!
I have the same problem. I have mesos-dns listed first and then 8.8.8.8 second in resolv.conf
dig +noall +answer +additional _node-test-galera._tcp.marathon.mesos any _node-test-galera._tcp.marathon.mesos. 60 IN SRV 0 0 31533 node-test-galera-34324-s0.marathon.mesos. _node-test-galera._tcp.marathon.mesos. 60 IN SRV 0 0 31534 node-test-galera-34324-s0.marathon.mesos. node-test-galera-34324-s0.marathon.mesos. 60 IN A 192.168.33.12 node-test-galera-34324-s0.marathon.mesos. 60 IN A 192.168.33.12
host -t any "_node-test-galera._tcp.marathon.mesos" Host _node-test-galera._tcp.marathon.mesos not found: 3(NXDOMAIN)
Potentially seems like a bug with how mesos-dns answers the queries?
nimi@dev1:~$ host web-prod.marathon.mesos web-prod.marathon.mesos has address 10.129.196.13 web-prod.marathon.mesos has address 10.129.196.44 Host web-prod.marathon.mesos not found: 3(NXDOMAIN) nimi@dev1:~$ host web-prod.marathon.mesos Host web-prod.marathon.mesos not found: 3(NXDOMAIN)
Even though address were found, it returns NXDOMAIN anyways. Then the next host lookup just returns NXDOMAIN without the addresses. Compare this to bind's reponse
nimi@dev1:~$ host cass7.channelmeter.com cass7.channelmeter.com has address 10.129.196.5 nimi@dev1:~$ host cass7.channelmeter.com cass7.channelmeter.com has address 10.129.196.5
nimi@dev1:~$ dig web-prod.marathon.mesos ; > DiG 9.8.1-P1 > web-prod.marathon.mesos ;; global options: +cmd ;; Got answer: ;; ->>HEADER
nimi@dev1:~$ dig cass7.channelmeter.com ; > DiG 9.8.1-P1 > cass7.channelmeter.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER
Also, note that I do have my mesos-dns instance behind bind9
Might have something to do with the answer to being picked up as authoritative?