The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,119 other followers

Archive for the ‘DNS’ Category

Some postfix notes

Posted by jpluimers on 2020/10/15

Postfix has documentation on primary MX and secondary MX, but not on tertiary MX.

If the primary MX is down, you have a series of secondary MX and tertiary MX that configured the same way, MX DNS priority for primary, the series of secondary MX and tertiary MX have increasing numbers, and the primary MX goes down, then senders can get “too many hops” as secondary and tertiary MX are looping.

I had a hard time finding a good and easy solution as these queries do not return many meaningful results:

Here are some links that helped getting this solved:

  • [WayBack] Postfix Frequently Asked Questions: What does “Error: too many hops” mean?

    Short answer: this message means that mail is probably looping. If you see this after you turned on Postfix content filtering, then you have made a mistake that causes mail to be filtered repeatedly. This is cured by appropriate use of content_filter=header_checks=, and body_checks=.

    Long answer: the message has too many Received: message headers. A received header is added whenever Postfix (or any MTA) receives a message. A large number of Received: message headers is an indication that mail is looping around.

    Side comment: email uses the opposite of the technique that is used to avoid IP forwarding loops. With IP, the sender sets a TTL (time to live) field in the IP header. The field is decremented by each router. When the TTL reaches zero the packet is discarded and an ICMP error message is returned to the sender.

  • [WayBack] Error: too many hops (in reply to end of DATA command) · Issue #713 · mail-in-a-box/mailinabox · GitHub

    In case you or anyone else was/is wondering about the mydestination = localhost thing, the reason it has to be set to just localhost is because MIAB uses Postfix’s “virtual domain hosting” (http://www.postfix.org/VIRTUAL_README.html) support. Per the documentation for mydestination at http://www.postfix.org/postconf.5.html#mydestination:

    Do not specify the names of virtual domains – those domains are specified elsewhere. See VIRTUAL_README for more information.

    (in the context of MIAB every domain is a virtual domain).

In my case a series of these:

Received: from mwgp.xs4all.nl (mwgp.xs4all.nl [80.101.239.92])
    by fiber24315337242.heldenvannu.net (Postfix) with ESMTP id 26395200FE
    for <jeroen@pluimers.com>; Fri, 29 Jun 2018 11:01:02 +0200 (CEST)
Received: from fiber24315337242.heldenvannu.net (unknown [37.153.243.246])
    by mwgp.xs4all.nl (Postfix) with ESMTP id 077A5E937
    for <jeroen@pluimers.com>; Fri, 29 Jun 2018 11:01:02 +0200 (CEST)

Specifying the transport will likely help me solve this problem:

This all came down to editing /etc/postfix/transport adding lines for each relayed domain like this one:

example.org    smtp:[mx-a-record.example.org]

Lines like it direct to use the smtp transport and use a specific host (normally, the relay transport is being used).

After this:

# postmap /etc/postfix/transport
# rcpostfix reload

I choose not to configure [WayBack] Postfix Configuration Parameters: relay_recipient_maps, but might if I had an automated way of replicating lists of valid (and invalid) users.

Another option was confirmed at [WayBack] Software-update: Postfix 3.4.0 / 3.3.3 / 3.2.8 / 3.1.11 / 3.0.15 – Computer – Downloads – Tweakers by [WayBack] menocchio. Thanks!

Dat is volgens mij eenvoudig op te lossen met relay_transport of transport_maps. Zie ook: Postfix transport table format.

Daarmee dwing je de secondary servers de mail altijd af te willen leveren bij de primary server (en dus niet bij een andere secondary). En als de primary niet online is, dan wacht ie netjes tot dat wel het geval is :-)

Bijvoorbeeld:
relay_transport = smtp:[primarymx.domain.tld]

Likely relevant: [WayBack] The Book of Postfix

Maybe relevant in the future:

Found on my hunt for the above:

Try not to make typo’s: [WayBack] postfix appears not finding MX records or host names from DNS

Interesting thought, but not sure how smart SPAM bots are now: [Archive.is] Spam relaying through secondary MX… – Google Groups

To archive this:

  1. Rename from
  2. To
  3. Then save in Archive.is

–jeroen

Posted in Communications Development, Development, DevOps, DNS, Infrastructure, Internet, Internet protocol suite, Power User, SMTP | Leave a Comment »

Duh moment: when 69.162.119.78 is querying your DNS infrastructure and it appears to be uptimerobot

Posted by jpluimers on 2020/07/28

From the hindsight department [WayBack] Nice when someone in Dallas using 69.162.119.78 is querying your DNS infrastructure for many permutations of domains… https://gist.github.com/jpluimer… – Jeroen Wiert Pluimers – Google+.

Wolfgang Rupprecht gave me some hints on the cause, as the IP address 69.162.119.78 Google Search used to be of a gaming server: [WayBack] TwotailsTikat’s Profile – Member List – Minecraft Forum

After a good night sleep,

# nslookup 69.162.119.78
78.119.162.69.in-addr.arpa name = mail.uptimerobot.com

In retrospect: perfectly normal behaviour for monitoring machine “snip”.

Log by https://github.com/gamelinux/passivedns

–jeroen

Read the rest of this entry »

Posted in *nix, DNS, Internet, Monitoring, Power User, Uptimerobot | Leave a Comment »

CAA Mandated by CA/Browser Forum | Qualys Blog

Posted by jpluimers on 2019/07/22

[WayBack] CAA Mandated by CA/Browser Forum | Qualys Blog

Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates…

Related:

–jeroen

Posted in Conference Topics, Conferences, DNS, Encryption, Event, HTTPS/TLS security, Internet, Power User, Security | Leave a Comment »

Windows Server 2008 and Server 2008 R2 – OpenDNS

Posted by jpluimers on 2018/12/10

I did this a long time ago, but forgot to blog about it back then: [Archive.isWindows Server 2008 and Server 2008 R2 – OpenDNS.

Summary:

Start with the DNS manager:

%SystemRoot%\system32\dnsmgmt.msc /s

Then open your machine, and double-click Forwarders:

In the dialog, click the Edit button and add DNS servers (for instance Google DNS 8.8.8.8 and 8.8.4.4).

In my case it became this:

Google DNS servers added

Google DNS servers added

Click Done buttons until all dialogs are closed.

 

–jeroen

Read the rest of this entry »

Posted in Power User, Internet, Windows, Windows Server 2008, Windows Server 2008 R2, DNS | Leave a Comment »

dig: getting the list of root servers

Posted by jpluimers on 2018/11/15

For many dig queries, it helps to get the current list of root DNS servers.

Though the list is pretty static, occasionally it changes. While writing there were 13 of them and the most recent history report was in “RSSAC023: History of the Root Server System” at [WayBackwww.icann.org/en/system/files/files/rssac-023-04nov16-en.pdf.

So below are the steps to get an accurate list based on

First find out what the root servers are:

$  dig +noall +answer . ns | sort
.           106156  IN  NS  a.root-servers.net.
.           106156  IN  NS  b.root-servers.net.
.           106156  IN  NS  c.root-servers.net.
.           106156  IN  NS  d.root-servers.net.
.           106156  IN  NS  e.root-servers.net.
.           106156  IN  NS  f.root-servers.net.
.           106156  IN  NS  g.root-servers.net.
.           106156  IN  NS  h.root-servers.net.
.           106156  IN  NS  i.root-servers.net.
.           106156  IN  NS  j.root-servers.net.
.           106156  IN  NS  k.root-servers.net.
.           106156  IN  NS  l.root-servers.net.
.           106156  IN  NS  m.root-servers.net.

You should shorten this to $ dig +noall +answer . ns but that will not give you the TTL (how long the information will be cached before your DNS server refreshes it).

Now query at least 3 of these to get the actual list of root servers (I list only one statement, the rest is similar):

$ dig +noall +answer . ns @j.root-servers.net. | sort
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  m.root-servers.net.

Compare the lists. If they are equal, then you’re done.

If not, then the internet is in trouble (:

When you want the A and AAAA records with IP addresses in addition to the NS records with names, then add +additional to your query:

dig +noall +answer +additional @j.root-servers.net. | sort
.           518400  IN  NS  a.root-servers.net.
.           518400  IN  NS  b.root-servers.net.
.           518400  IN  NS  c.root-servers.net.
.           518400  IN  NS  d.root-servers.net.
.           518400  IN  NS  e.root-servers.net.
.           518400  IN  NS  f.root-servers.net.
.           518400  IN  NS  g.root-servers.net.
.           518400  IN  NS  h.root-servers.net.
.           518400  IN  NS  i.root-servers.net.
.           518400  IN  NS  j.root-servers.net.
.           518400  IN  NS  k.root-servers.net.
.           518400  IN  NS  l.root-servers.net.
.           518400  IN  NS  m.root-servers.net.
a.root-servers.net. 518400  IN  A   198.41.0.4
a.root-servers.net. 518400  IN  AAAA    2001:503:ba3e::2:30
b.root-servers.net. 518400  IN  A   192.228.79.201
b.root-servers.net. 518400  IN  AAAA    2001:500:200::b
c.root-servers.net. 518400  IN  A   192.33.4.12
d.root-servers.net. 518400  IN  A   199.7.91.13
e.root-servers.net. 518400  IN  A   192.203.230.10
f.root-servers.net. 518400  IN  A   192.5.5.241
g.root-servers.net. 518400  IN  A   192.112.36.4
h.root-servers.net. 518400  IN  A   198.97.190.53
i.root-servers.net. 518400  IN  A   192.36.148.17
j.root-servers.net. 518400  IN  A   192.58.128.30
k.root-servers.net. 518400  IN  A   193.0.14.129
l.root-servers.net. 518400  IN  A   199.7.83.42
m.root-servers.net. 518400  IN  A   202.12.27.33

–jeroen

Posted in DNS, Internet, Power User | 1 Comment »

 
%d bloggers like this: