On Wed, Apr 24, 2024 at 07:43:35AM +0200, Reto via Postfix-users wrote:
> On Mon, Apr 22, 2024 at 03:50:34PM GMT, Viktor Dukhovni via Postfix-users wrote:
> > and this (specifically, !UNAVAIL=return) turns soft DNS failures into
> > hard errors.
> > 
> > The solution, on any production mail server, is to remove (with
> > prejudice)
> > 
> >     resolve [!UNAVAIL=return]
> 
> This doesn't sound right...
> All that says is once you've gotten a response from systemd-resolve that the lookup
> chain should end, which, if it's actually running, is what you want.
> As the lookup via DNS already happened there after all, there's no reason to repeat it.
> 
> It doesn't have an impact whatsoever on soft vs hard fail, resolve either gives you the
> domain after the lookup or whatever response it got from the upstream server (DNS or what have you).

Whether or not it sounds right, it happens to be true that "return"
yields a "hard" no such host, even when the last service used
tempfailed.  One might reasonably consider this a glibc bug, but perhaps
they have some use-case to justify this behaviour.

Regardless, as things stand, the default Fedora 39 nsswitch.conf makes
Postfix restrictions much too fragile, and needs to be avoided.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
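
A check for the pattern discussed in this thread, added here as an example and not code from the thread, Postfix or glibc: it parses a `hosts:` line using the nsswitch.conf action syntax and lists the services whose action for a temporary failure (TRYAGAIN) is `return` while later services remain. The sample lines and the function names are constructed for illustration.

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# nsswitch.conf defaults: stop on success, otherwise try the next service.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_hosts(line):
    """Parse one nsswitch.conf database line into [(service, {status: action})]."""
    spec = line.split("#", 1)[0].split(":", 1)[1]
    chain = []
    # Each token is either a service name or a bracketed action list.
    for service, actions in re.findall(r"([^\s\[\]]+)|\[([^\]]*)\]", spec):
        if service:
            chain.append((service, dict(DEFAULTS)))
        elif chain:
            table = chain[-1][1]  # actions modify the preceding service
            for item in actions.split():
                status, action = item.lower().split("=", 1)
                if status.startswith("!"):
                    # !STATUS=ACTION applies to every status except STATUS
                    for s in STATUSES:
                        if s != status[1:]:
                            table[s] = action
                else:
                    table[status] = action
    return chain

def tempfail_stoppers(line):
    """Services where TRYAGAIN ends the lookup although other services follow.

    Per the message above, such a 'return' is reported to the caller as a
    hard 'no such host' rather than as a temporary failure.
    """
    chain = parse_hosts(line)
    return [svc for i, (svc, table) in enumerate(chain)
            if table["tryagain"] == "return" and i < len(chain) - 1]

# Constructed sample lines (not copied from any particular system).
FLAGGED = "hosts: files myhostname resolve [!UNAVAIL=return] dns"
MDNS = "hosts: files mdns4_minimal [NOTFOUND=return] dns"
PLAIN = "hosts: files dns"

if __name__ == "__main__":
    for sample in (FLAGGED, MDNS, PLAIN):
        print(sample, "->", tempfail_stoppers(sample) or "ok")
```
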
