Daniel Collis-Puro
2007-Jul-29 15:04 UTC
[Pkg-exim4-users] Broken DNS servers cause all connections to Defer
Folks,

We're using sa-exim and exim-daemon-heavy out of Sarge and Etch in combination with a bunch of other packages to provide mx-proxy based spamfiltering services for a whole slew of domains. I really could not be happier with the performance and flexibility of our setup, except for one pretty big issue.

Say we've got an FQDN listed in local_host_whitelist or local_host_blacklist. If it's an invalid FQDN and the authoritative nameservers for that FQDN are reachable, everything's fine. Exim will do the lookup, recognize it's an invalid FQDN and take appropriate action.

HOWEVER - if the authoritative nameservers for that FQDN aren't reachable, Exim won't be able to complete the lookup and will defer *all* incoming connections until:

1) You remove the FQDN with broken DNS servers, OR
2) The DNS servers for the FQDN come back up, allowing for successful DNS resolutions.

This sucks, because it means if I blacklist "spammy.mcspam.com" and the DNS servers for that domain go down, all email is deferred until I notice it and remove the domain.

I see two major options:

1) Resolve all FQDN in local_host_whitelist / local_host_blacklist to IP addresses via a script of some sort, omitting FQDN that don't resolve when the script runs,
2) Reconfigure exim to ignore domains or time out differently when doing DNS lookups.

Option 1 would be easy but yucky. I'm not entirely sure where to go for option 2. We have a caching nameserver in front of our exims, but I don't like the idea of molesting DNS lookups too much.

Thoughts?

--DJCP

-- 
-**---****-----******-------********---------**********
Daniel Collis-Puro
Software Engineer
End Point Corp.
dan at endpoint.com
(office) 781-477-0885
**********---------********-------******-----****---**-
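Option 1 from the post above, as an added example that is not code from the thread: a Python helper that rewrites a mixed FQDN/IP host list into an IP-only one, resolving each name once and dropping names whose lookup fails, so Exim never needs DNS for those entries at connection time. Assumptions: the list is one entry per line as in Debian's exim4 local_host_* files, and the resolver is the system one unless another is passed in.

```python
# Added example, not from the thread: snapshot a mixed FQDN/IP host list to an
# IP-only list so Exim never has to do DNS for it at connection time.
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]

def system_resolver(name: str) -> List[str]:
    """All A/AAAA addresses of name via the system resolver; raises OSError
    (socket.gaierror) on NXDOMAIN or unreachable servers.  getaddrinfo has no
    per-call timeout, so set 'options timeout:2 attempts:1' in resolv.conf
    to keep a dead authoritative server from stalling the whole run."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def build_ip_list(entries: Iterable[str],
                  resolve: Resolver = system_resolver) -> Tuple[List[str], List[str]]:
    """Return (ip_entries, skipped_names).  Literal IPs and CIDR blocks pass
    through; hostnames are resolved once, now.  A name whose lookup fails is
    dropped and reported instead of being kept, because keeping it would
    reintroduce the lookup-time defer.  Mind the direction of that failure:
    a dropped blacklist entry is accepted again (fail-open); a dropped
    whitelist entry loses its exemption (fail-closed)."""
    ips: List[str] = []
    skipped: List[str] = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
            if entry not in ips:
                ips.append(entry)
            continue
        except ValueError:
            pass  # not an address, so treat it as a hostname
        try:
            addrs = resolve(entry)
        except OSError:
            addrs = []
        if not addrs:
            skipped.append(entry)
            continue
        ips.extend(a for a in addrs if a not in ips)
    return ips, skipped

def render_host_list(ips: List[str]) -> str:
    """One entry per line, the layout of Debian's exim4 local_host_* files."""
    return "".join(ip + "\n" for ip in ips)
```

Run it from cron, write render_host_list() over the file Exim reads, and review the skipped names by hand; the snapshot is only as fresh as the last run, so addresses that change between runs are missed.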
Marc Haber
2007-Jul-29 15:13 UTC
[Pkg-exim4-users] Broken DNS servers cause all connections to Defer
On Sun, Jul 29, 2007 at 11:04:42AM -0400, Daniel Collis-Puro wrote:
> 1) Resolve all FQDN in local_host_whitelist / local_host_blacklist to IP
> addresses via a script of some sort, omitting FQDN that don't resolve
> when the script runs,
> 2) Reconfigure exim to ignore domains or time out differently when doing
> DNS lookups.
>
> Option 1 would be easy but yucky. I'm not entirely sure where to go for
> option 2. We have a caching nameserver in front of our exims, but I
> don't like the idea of molesting DNS lookups too much.

I would probably try if bind or whatever DNS server you use can be tweaked to return what exim wants to see.

The correct thing - in exim - would be a defer_ok option for the white/blacklist, but exim doesn't seem to have this at the moment. This would be a worthwhile enhancement, so there should be a wishlist request in the upstream bugzilla.

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190