We are running a mail server, and the log keeps showing the same error (for one particular recipient):
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.dhmx02.web.de type=TLSA: Host not found, try again
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: TLS policy lookup for xyz.com/dhmx02.web.de: TLSA lookup error for dhmx02.web.de:25
Aug 23 05:39:17 Mailer postfix/smtp[13561]: 9BEA23EC68: to=<[email protected]>, relay=none, delay=4509, delays=4236/0.05/272/0, dsn=4.7.5, status=deferred (TLSA lookup error for dhmx02.web.de:25)
The email bounces with the following message:
This is the mail system at host mx00.unser-mail-server.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<[email protected]>: TLSA lookup error for dhmx02.web.de:25
Reporting-MTA: dns; mx00.unser-mail-server.com
X-Postfix-Queue-ID: 9BEA23EC68
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Mon, 23 Aug 2021 04:24:08 +0200 (CEST)
Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 4.7.5
Diagnostic-Code: X-Postfix; TLSA lookup error for dhmx02.web.de:25
The server runs the following software (Debian 10):
root|mailer|/etc/rspamd|# dpkg --list | egrep -i -- "(unbound|postfix|rspam|dovecot)"
ii dovecot-core 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - core files
ii dovecot-imapd 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - IMAP daemon
ii dovecot-lmtpd 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - LMTP server
ii dovecot-managesieved 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - ManageSieve server
ii dovecot-mysql 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - MySQL support
ii dovecot-sieve 1:2.3.4.1-5+deb10u5 amd64 secure POP3/IMAP server - Sieve filters support
ii libunbound8:amd64 1.9.0-2+deb10u2 amd64 library implementing DNS resolution and validation
ii postfix 3.4.14-0+deb10u1 amd64 High-performance mail transport agent
ii postfix-mysql 3.4.14-0+deb10u1 amd64 MySQL map support for Postfix
ii rspamd 2.5-1~bpo10+1 amd64 Rapid spam filtering system
ii unbound 1.9.0-2+deb10u2 amd64 validating, recursive, caching DNS resolver
ii unbound-anchor 1.9.0-2+deb10u2 amd64 utility to securely fetch the root DNS trust anchor
Unbound is used as the resolver on the server; could that be the cause?
How do I fix "TLSA lookup error for dhmx02.web.de:25"? It seems to be related to the recipient's server, but he claims that only email from our mail server is affected.
Does anyone know how to solve this?
Answer 1
This appears to be a bug in systemd-resolved when using the "stub" resolver. I see a lot of similar messages in the Postfix log:
Warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.cluster5.us.messagelabs.com type=TLSA: Host not found, try again
The DNS resolver on my machine points to the systemd-resolved stub (the default on Ubuntu 22.04):
$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53
$ resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Note that DNSSEC is enabled (otherwise Postfix cannot do DANE). Now, if I query the TLSA record for the messagelabs server, I get SERVFAIL from the stub resolver:
$ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: SERVFAIL
Whereas if I query the upstream DNS or Google DNS, I get a DNSSEC-validated (negative) response:
$ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP AAAA SRV NAPTR SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
; messagelabs.com. RRSIG SOA ...
I assume that Postfix (i.e. smtp_tls_security_level = dane, "opportunistic DANE") handles the negative response by downgrading to "encrypt", whereas a SERVFAIL response makes it refuse the connection entirely.
My solution was to stop using the systemd-resolved stub resolver. In /etc/systemd/resolved.conf set:
DNS=... your upstream servers if not already given through DHCP ...
DNSStubListener=no
Then restart the service, and restart Postfix as well if it is chrooted:
systemctl restart systemd-resolved
systemctl restart postfix
By the way: not sure whether this can (also) be considered a Postfix bug, but it certainly seems that systemd-resolved should not be returning SERVFAIL here.
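To tell a local resolver problem of the kind described in this answer apart from a genuine property of the remote MX, it helps to scan the Postfix log for the DANE warnings and group the deferred queue IDs by MX host. The following is an added example (not code from the question or answer authors); the sample log lines are constructed from the warnings quoted on this page, with made-up queue IDs and recipient addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the Postfix warnings quoted on this
# page; the second queue ID, the recipients and the sent relay are made up.
SAMPLE_LOG = """\
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.dhmx02.web.de type=TLSA: Host not found, try again
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: TLS policy lookup for xyz.com/dhmx02.web.de: TLSA lookup error for dhmx02.web.de:25
Aug 23 05:39:17 Mailer postfix/smtp[13561]: 9BEA23EC68: to=<user@xyz.com>, relay=none, delay=4509, delays=4236/0.05/272/0, dsn=4.7.5, status=deferred (TLSA lookup error for dhmx02.web.de:25)
Aug 23 05:41:02 Mailer postfix/smtp[13570]: 1A2B3C4D5E: to=<someone@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug 23 05:42:40 Mailer postfix/smtp[13561]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.dhmx02.web.de type=TLSA: Host not found, try again
Aug 23 05:42:40 Mailer postfix/smtp[13561]: 7F6E5D4C3B: to=<other@xyz.com>, relay=none, delay=12, delays=0.5/0/11/0, dsn=4.7.5, status=deferred (TLSA lookup error for dhmx02.web.de:25)
"""

# "Host not found, try again" is the resolver's TRY_AGAIN result, which is
# what a SERVFAIL from the local stub turns into. A validated negative
# answer (NXDOMAIN/NODATA) would not produce this warning at all.
LOOKUP_RE = re.compile(
    r"warning: DANE TLSA lookup problem: .*?name=(?P<name>_\d+\._tcp\.\S+) "
    r"type=TLSA: (?P<reason>.+)$")
DEFER_RE = re.compile(
    r"(?P<qid>[0-9A-F]{6,}): to=<(?P<rcpt>[^>]+)>.*?dsn=4\.7\.5, "
    r"status=deferred \(TLSA lookup error for (?P<host>[^:]+):(?P<port>\d+)\)")

def is_resolver_tempfail(reason: str) -> bool:
    """True for a temporary resolver error (SERVFAIL/timeout): a local DNS issue."""
    return "try again" in reason.lower()

def summarize_tlsa_failures(log_text: str) -> dict:
    """Group DANE TLSA lookup failures by MX host and list the deferred mail."""
    report = defaultdict(lambda: {"tempfail_lookups": 0, "deferred": []})
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            # drop the "_25._tcp." prefix to recover the MX host name
            host = m.group("name").split("._tcp.", 1)[1]
            if is_resolver_tempfail(m.group("reason")):
                report[host]["tempfail_lookups"] += 1
            continue
        m = DEFER_RE.search(line)
        if m:
            report[m.group("host")]["deferred"].append((m.group("qid"), m.group("rcpt")))
    return dict(report)

if __name__ == "__main__":
    for host, info in summarize_tlsa_failures(SAMPLE_LOG).items():
        print(f"{host}: {info['tempfail_lookups']} TLSA lookup tempfails, "
              f"{len(info['deferred'])} deferred message(s): {info['deferred']}")
```

A host that shows up with tempfail lookups is a reason to check the local resolver (as with the stub case above) before contacting the remote postmaster.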