TLSA lookup error for dhmx02.web.de:25


We are running a mail server, and the same error keeps showing up in the log (for one particular recipient):

Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: DANE
    TLSA lookup problem: Host or domain name not found. Name 
    service error for name=_25._tcp.dhmx02.web.de type=TLSA:
    Host not found, try again
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: TLS
    policy lookup for xyz.com/dhmx02.web.de: TLSA lookup
    error for dhmx02.web.de:25
Aug 23 05:39:17 Mailer postfix/smtp[13561]: 9BEA23EC68:
    to=<[email protected]>, relay=none, delay=4509,
    delays=4236/0.05/272/0, dsn=4.7.5, status=deferred
    (TLSA lookup error for dhmx02.web.de:25)

The email bounces back with the following:

This is the mail system at host mx00.unser-mail-server.com.
I'm sorry to have to inform you that your message could not
 be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
The mail system
<[email protected]>: TLSA lookup error for dhmx02.web.de:25
Reporting-MTA: dns; mx00.unser-mail-server.com
 X-Postfix-Queue-ID: 9BEA23EC68
 X-Postfix-Sender: rfc822; [email protected]
 Arrival-Date: Mon, 23 Aug 2021 04:24:08 +0200 (CEST)
Final-Recipient: rfc822; [email protected]
 Original-Recipient: rfc822;[email protected]
 Action: failed
 Status: 4.7.5
 Diagnostic-Code: X-Postfix; TLSA lookup error for dhmx02.web.de:25

The following software is in use on the server (Debian 10):

root|mailer|/etc/rspamd|# dpkg --list | egrep -i -- "(unbound|postfix|rspam|dovecot)"
ii  dovecot-core                   1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - core files
ii  dovecot-imapd                  1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - IMAP daemon
ii  dovecot-lmtpd                  1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - LMTP server
ii  dovecot-managesieved           1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - ManageSieve server
ii  dovecot-mysql                  1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - MySQL support
ii  dovecot-sieve                  1:2.3.4.1-5+deb10u5               amd64        secure POP3/IMAP server - Sieve filters support
ii  libunbound8:amd64              1.9.0-2+deb10u2                   amd64        library implementing DNS resolution and validation
ii  postfix                        3.4.14-0+deb10u1                  amd64        High-performance mail transport agent
ii  postfix-mysql                  3.4.14-0+deb10u1                  amd64        MySQL map support for Postfix
ii  rspamd                         2.5-1~bpo10+1                     amd64        Rapid spam filtering system
ii  unbound                        1.9.0-2+deb10u2                   amd64        validating, recursive, caching DNS resolver
ii  unbound-anchor                 1.9.0-2+deb10u2                   amd64        utility to securely fetch the root DNS trust anchor

Unbound is used as the resolver on the server; could that be the cause?

How can I fix the "TLSA lookup error for dhmx02.web.de:25"? It seems to be related to the recipient's server, but he claims that the problem only occurs with email from our mail server.

Does anyone know how to solve this?

Answer 1

This seems to be a bug when systemd-resolved is used as a "stub" resolver. I see a lot of similar messages in my Postfix log:

Warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.cluster5.us.messagelabs.com type=TLSA: Host not found, try again

The DNS resolver on my machine points to the systemd-resolved stub (the default on Ubuntu 22.04):

$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53

$ resolvectl status
Global
    Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

Note that DNSSEC is enabled (otherwise Postfix cannot do DANE). Now, if I query the TLSA record for the messagelabs server, I get SERVFAIL from the stub resolver:

$ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: SERVFAIL

Whereas if I query the upstream DNS or Google DNS, I get a DNSSEC-validated (negative) response:

$ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP AAAA SRV NAPTR SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
; messagelabs.com. RRSIG SOA ...

I assume that Postfix (i.e. smtp_tls_security_level = dane, "opportunistic DANE") handles the negative response by downgrading to "encrypt", whereas the SERVFAIL response makes it refuse the connection entirely.

My solution was to not use the systemd-resolved stub resolver. In /etc/systemd/resolved.conf set:

DNS=... your upstream servers if not already given through DHCP ...
DNSStubListener=no

Then restart the service, and if Postfix is chrooted, restart it as well:

systemctl restart systemd-resolved
systemctl restart postfix

BTW: not sure whether this could be considered a Postfix bug (as well), but it certainly seems that systemd-resolved should not be returning SERVFAIL here.
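As an added example (not code from the question or the answer above): a small Python parser that pulls the DANE TLSA lookup warnings and the resulting deferrals out of Postfix smtp log lines, so an operator can see which destination hosts are being deferred because the resolver answered with a temporary failure ("try again", i.e. the SERVFAIL case) rather than a validated "no TLSA record" answer. The log sample is constructed, modelled on the excerpt in the question; the queue id and addresses in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the Postfix excerpt in the question
# (addresses and the second, successful delivery are made up for the example).
SAMPLE_LOG = """\
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.dhmx02.web.de type=TLSA: Host not found, try again
Aug 23 05:39:17 Mailer postfix/smtp[13561]: warning: TLS policy lookup for xyz.com/dhmx02.web.de: TLSA lookup error for dhmx02.web.de:25
Aug 23 05:39:17 Mailer postfix/smtp[13561]: 9BEA23EC68: to=<user@xyz.com>, relay=none, delay=4509, delays=4236/0.05/272/0, dsn=4.7.5, status=deferred (TLSA lookup error for dhmx02.web.de:25)
Aug 23 05:40:02 Mailer postfix/smtp[13570]: A1B2C3D4E5: to=<other@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 ok)
"""

# "warning: DANE TLSA lookup problem: ... name=_<port>._tcp.<host> type=TLSA: <reason>"
WARNING_RE = re.compile(
    r"DANE TLSA lookup problem: .*?name=_(?P<port>\d+)\._tcp\.(?P<host>\S+) "
    r"type=TLSA: (?P<reason>.+)$"
)
# "<queue-id>: to=<rcpt>, ... dsn=4.7.5, status=deferred (TLSA lookup error for <host>:<port>)"
DEFERRED_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \(TLSA lookup error for (?P<host>[^:]+):(?P<port>\d+)\)"
)


def parse_dane_events(log_text):
    """Return (warnings, deferrals) found in Postfix smtp log text."""
    warnings, deferrals = [], []
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            event = m.groupdict()
            # "try again" is the resolver's temporary-failure wording (the SERVFAIL
            # case); a validated "no such record" answer would not produce it.
            event["transient"] = event["reason"].endswith("try again")
            warnings.append(event)
            continue
        m = DEFERRED_RE.search(line)
        if m:
            deferrals.append(m.groupdict())
    return warnings, deferrals


def deferred_hosts(log_text):
    """Count deferred deliveries per destination host:port caused by TLSA lookup errors."""
    _, deferrals = parse_dane_events(log_text)
    return Counter(f"{d['host']}:{d['port']}" for d in deferrals)


if __name__ == "__main__":
    for host, n in deferred_hosts(SAMPLE_LOG).items():
        print(f"{n} deferral(s) for {host} due to TLSA lookup errors")
```

Feed it the real mail log with `parse_dane_events(open("/var/log/mail.log").read())`; a transient warning for a host that resolves cleanly via delv against the upstream, as in the answer, points at the local resolver rather than at the remote site's DANE setup.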
