On Mon, Mar 30, 2020 at 03:25:54PM +0800, daniel via Exim-users wrote:

> Here is one example of the actual problem I have just recently tested on 
> the problem server without applying the option fix (source domain masked 
> for privacy reasons):
> 
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH <= [email protected] H=(vps.xxx.com) 
> [::1]:45888 P=esmtpa A=dovecot_login:[email protected] S=572 
> [email protected] T="test" for [email protected]
> 2020-03-30 15:02:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 
> 1jIoRn-0004MT-RH
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH Sender identification U=basecrea 
> D=xxx.com [email protected]
> 2020-03-30 15:02:59 1jIoRn-0004MT-RH SMTP connection outbound 1585551779 
> 1jIoRn-0004MT-RH xxx.com [email protected]
> 2020-03-30 15:03:40 1jIoRn-0004MT-RH H=tidamg2.tid.gov.hk [202.38.18.3]: DANE 
> error: tlsa lookup DEFER
> 2020-03-30 15:04:20 1jIoRn-0004MT-RH H=tidamg1.tid.gov.hk [202.38.18.2]: DANE 
> error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH H=tidamg3.tid.gov.hk [203.184.133.146]: 
> DANE error: tlsa lookup DEFER
> 2020-03-30 15:05:00 1jIoRn-0004MT-RH == [email protected] R=dkim_lookuphost 
> T=dkim_remote_smtp defer (-36): DANE error: tlsa lookup DEFER

There is nothing wrong with the DNS configuration of tid.gov.hk:

    tid.gov.hk. IN MX 10 tidamg1.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 10 tidamg2.tid.gov.hk. ; NoError AD=1
    tid.gov.hk. IN MX 30 tidamg3.tid.gov.hk. ; NoError AD=1

    tidamg1.tid.gov.hk. IN A 202.38.18.2 ; NoError AD=1
    tidamg1.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg1.tid.gov.hk. IN TLSA ? ; NXDomain AD=1

    tidamg2.tid.gov.hk. IN A 202.38.18.3 ; NoError AD=1
    tidamg2.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg2.tid.gov.hk. IN TLSA ? ; NXDomain AD=1

    tidamg3.tid.gov.hk. IN A 203.184.133.146 ; NoError AD=1
    tidamg3.tid.gov.hk. IN AAAA ? ; NODATA AD=1
    _25._tcp.tidamg3.tid.gov.hk. IN TLSA ? ; NXDomain AD=1

    https://dnsviz.net/d/_25._tcp.tidamg1.tid.gov.hk/XoMFCg/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg2.tid.gov.hk/XoMFEQ/dnssec/
    https://dnsviz.net/d/_25._tcp.tidamg3.tid.gov.hk/XoMFeg/dnssec/

Off-list, you reported using Google's resolvers at 8.8.8.8 and 8.8.4.4,
and those also (even in your own manual tests with "dig") reported no
issues (returned NXDomain, not ServFail).

I don't know why your Exim is reporting "tlsa lookup DEFER", but you
need to get more detailed output from your Exim that shows the DNS
queries made, and answers received, and double-check your resolver
configuration.  Is Exim perhaps querying a different resolver than you
thought?

You may need to record the DNS-related traffic (UDP port 53), while
retrying delivery to the problem domain, in a tcpdump PCAP file and
post that to the list or to me off-list.

Perhaps you have an outdated version of Exim with a known issue in
DNS resolution, or a base OS with a problem in the stub resolver code
in its C-library?

Whatever the issue is, more details are needed, but what is fairly clear
is that the gov.hk folks are right, and the problem is not with their
DNS.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
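The distinction the reply rests on (a DNSSEC-validated NXDomain for the TLSA name means "no TLSA records, DANE not applicable", whereas only a failed lookup such as ServFail should turn into a defer) can be made explicit in code. What follows is an added example, not Exim's code and not anything posted in the thread: a small Python model of the RFC 7672 decision a DANE-aware sending MTA makes from its MX and TLSA lookups, fed with the tid.gov.hk answers quoted in the message. The `DnsAnswer`/`TlsaRecord` classes and the outcome strings are names invented for this illustration; the ServFail and unsigned answers used for comparison are constructed, not taken from the message.

```python
"""
Added example (not Exim's code): a model of the DANE-for-SMTP decision
(RFC 7672) made from MX and TLSA lookup results, applied to the
tid.gov.hk answers quoted in the message.

Assumptions: the DnsAnswer/TlsaRecord classes and the outcome strings
are invented here.  The rcode/AD data for tid.gov.hk is copied from the
message; any ServFail or unsigned answer is constructed for comparison.
"""
from dataclasses import dataclass, field


@dataclass
class TlsaRecord:
    usage: int      # 0=PKIX-TA 1=PKIX-EE 2=DANE-TA 3=DANE-EE
    selector: int   # 0=full certificate 1=SubjectPublicKeyInfo
    mtype: int      # 0=full 1=SHA-256 2=SHA-512
    data: str       # hex digest (constructed where used in tests)


@dataclass
class DnsAnswer:
    rcode: str                      # "NoError", "NXDomain", "ServFail"
    ad: bool                        # DNSSEC "Authenticated Data" flag
    records: list = field(default_factory=list)


def tlsa_usable(r: TlsaRecord) -> bool:
    # RFC 7672 uses only the DANE-TA(2) and DANE-EE(3) usages for SMTP;
    # PKIX-TA/PKIX-EE records are treated as unusable.
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def dane_outcome(mx: DnsAnswer, tlsa: DnsAnswer) -> str:
    """Return one of 'no-dane', 'dane', 'tls-unauthenticated', 'defer'."""
    # An unsigned or missing MX RRset means the TLSA base domain cannot be
    # trusted: DANE is not applicable and ordinary opportunistic TLS is used.
    if mx.rcode != "NoError" or not mx.ad:
        return "no-dane"
    # A failed TLSA lookup (ServFail, timeout) is the only case in which a
    # DANE-aware client defers: it cannot tell "no TLSA records" from "TLSA
    # records being withheld", so it must not fall back to unauthenticated
    # delivery.  This is the branch the quoted Exim log shows being taken.
    if tlsa.rcode not in ("NoError", "NXDomain"):
        return "defer"
    # Unsigned TLSA answer (AD=0): DANE not applicable, opportunistic TLS.
    if not tlsa.ad:
        return "no-dane"
    # Secure NXDomain or NODATA is authenticated denial of existence: the
    # operator simply has not published TLSA records.  This is what the
    # resolver answers for tid.gov.hk say.
    if tlsa.rcode == "NXDomain" or not tlsa.records:
        return "no-dane"
    if any(tlsa_usable(r) for r in tlsa.records):
        return "dane"               # TLS mandatory and authenticated
    # Non-empty but entirely unusable RRset: TLS is still required, but the
    # client does not authenticate the server (RFC 7672 section 2.2).
    return "tls-unauthenticated"


# Lookup results as shown in the message: AD=1 everywhere, TLSA names NXDomain.
TID_GOV_HK_MX = DnsAnswer("NoError", True, [
    "10 tidamg1.tid.gov.hk.", "10 tidamg2.tid.gov.hk.", "30 tidamg3.tid.gov.hk.",
])
TID_GOV_HK_TLSA = {
    "tidamg1.tid.gov.hk.": DnsAnswer("NXDomain", True),
    "tidamg2.tid.gov.hk.": DnsAnswer("NXDomain", True),
    "tidamg3.tid.gov.hk.": DnsAnswer("NXDomain", True),
}


def outcomes_for_domain(mx: DnsAnswer, tlsa_by_host: dict) -> dict:
    """Per-MX-host outcome; for tid.gov.hk every host is 'no-dane', never 'defer'."""
    return {host: dane_outcome(mx, ans) for host, ans in tlsa_by_host.items()}


if __name__ == "__main__":
    for host, result in outcomes_for_domain(TID_GOV_HK_MX, TID_GOV_HK_TLSA).items():
        print(f"{host:24s} -> {result}")
```

Run stand-alone it reports `no-dane` for all three MX hosts, which is what a correctly resolving Exim should arrive at for this domain. A `defer` comes out only when the TLSA answer itself is a ServFail (or never arrives), which is why the reply asks for the resolver configuration and the actual DNS traffic rather than for more zone data.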
