Pavel Timofeev
2013-Aug-06 11:10 UTC
Sendmail-8.14.7 doesn't work with MS DNS in IPv4 network
Hello!

I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses Sendmail-8.14.7.
If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS you won't receive it.
But in same time email passes from FreeBSD 9.1-RELEASE which uses Sendmail-8.14.5.

It's because of two things.

First thing: Sendmail behaviour changed between these two releases when it tries to resolve mx server name. For example, I did `echo foo | mail timp at xxx.ru`.

Sendmail-8.14.5's tcpdump output:
14:30:45.061950 IP 10.0.2.15.30979 > hercules.xxx.ru.domain: 62684+ MX? xxx.ru. (24)
14:30:45.063064 IP hercules.xxx.ru.domain > 10.0.2.15.30979: 62684* 1/0/1 MX kalmar.xxx.ru. 10 (63)
14:30:45.063624 IP 10.0.2.15.39212 > hercules.xxx.ru.domain: 62685+ AAAA? kalmar.xxx.ru. (31)
14:30:45.064460 IP hercules.xxx.ru.domain > 10.0.2.15.39212: 62685* 0/1/0 (82)
14:30:45.064766 IP 10.0.2.15.44381 > hercules.xxx.ru.domain: 62686+ A? kalmar.xxx.ru. (31)
14:30:45.065530 IP hercules.xxx.ru.domain > 10.0.2.15.44381: 62686* 1/0/0 A 192.168.31.190 (47)
14:30:45.066014 IP 10.0.2.15.42197 > hercules.xxx.ru.domain: 62687+ A? kalmar.xxx.ru. (31)
14:30:45.066810 IP hercules.xxx.ru.domain > 10.0.2.15.42197: 62687* 1/0/0 A 192.168.31.190 (47)
14:30:45.071833 IP 10.0.2.15.23534 > hercules.xxx.ru.domain: 62688+ PTR? 15.2.0.10.in-addr.arpa. (40)

Sendmail-8.14.7's tcpdump output:
14:59:50.793338 IP reticulum.xxx.ru.19032 > hercules.xxx.ru.domain: 53417+ AAAA? xxx.ru. (24) [13/98]
14:59:50.793662 IP hercules.xxx.ru.domain > reticulum.xxx.ru.19032: 53417* 0/1/0 (75)
14:59:50.793696 IP reticulum.xxx.ru.55299 > hercules.xxx.ru.domain: 53418+ A? xxx.ru. (24)
14:59:50.794087 IP hercules.xxx.ru.domain > reticulum.xxx.ru.55299: 53418* 7/0/0 A 192.168.2.11, A 192.168.2.12, A 192.168.41.4, A 192.168.14.12, A 192.168.34.100, A 192.168.34.110, A 192.168.44.19 (136)
14:59:50.973445 IP reticulum.xxx.ru.29244 > hercules.xxx.ru.domain: 53419+ MX? xxx.ru. (24)
14:59:50.973754 IP hercules.xxx.ru.domain > reticulum.xxx.ru.29244: 53419* 1/0/1 MX kalmar.xxx.ru. 10 (63)
14:59:50.974061 IP reticulum.xxx.ru.56461 > hercules.xxx.ru.domain: 53420+ AAAA? kalmar.xxx.ru. (31)
14:59:50.974340 IP hercules.xxx.ru.domain > reticulum.xxx.ru.56461: 53420* 0/1/0 (82)
14:59:50.974570 IP reticulum.xxx.ru.28332 > hercules.xxx.ru.domain: 53421+ AAAA? kalmar.xxx.ru. (31)
14:59:50.974887 IP hercules.xxx.ru.domain > reticulum.xxx.ru.28332: 53421* 0/1/0 (82)
14:59:50.974919 IP reticulum.xxx.ru.21453 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
14:59:50.975290 IP hercules.xxx.ru.domain > reticulum.xxx.ru.21453: 53422 ServFail 0/0/0 (24)
14:59:50.975314 IP reticulum.xxx.ru.63038 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
14:59:50.975674 IP hercules.xxx.ru.domain > reticulum.xxx.ru.63038: 53422 ServFail 0/0/0 (24)
14:59:50.975749 IP reticulum.xxx.ru.38393 > hercules.xxx.ru.domain: 53423+ AAAA? kalmar.xxx.ru. (31)
14:59:50.976105 IP hercules.xxx.ru.domain > reticulum.xxx.ru.38393: 53423* 0/1/0 (82)
14:59:50.976176 IP reticulum.xxx.ru.45558 > hercules.xxx.ru.domain: 53424+ AAAA? kalmar. (24)
14:59:50.976483 IP hercules.xxx.ru.domain > reticulum.xxx.ru.45558: 53424 ServFail 0/0/0 (24)
14:59:50.976512 IP reticulum.xxx.ru.45297 > hercules.xxx.ru.domain: 53424+ AAAA? kalmar. (24)
14:59:50.976864 IP hercules.xxx.ru.domain > reticulum.xxx.ru.45297: 53424 ServFail 0/0/0 (24)

All of them asked MX and got it - kalmar.xxx.ru. Then they went to resolve kalmar.xxx.ru.
Sendmail-8.14.5 asked one time for 'AAAA kalmar.xxx.ru.' and then went to ask 'A kalmar.xxx.ru.'.
But Sendmail-8.15.7 asked several times for 'AAAA kalmar.xxx.ru.' and then went to ask 'AAAA kalmar.' Without xxx.ru at the end, just servername. What for? I don't know. This is change.
And yes, sendmail ignored ADDITIONAL SECTION from MX record and tried to resolve mx server name independently.

Second thing: Sendmail-8.15.7 doesn't work with MS DNS in IPv4 network.
MS DNS answers SERVFAIL on 'AAAA kalmar.'
But BIND answers NXDOMAIN on same query.
In case of SERVFAIL answer Sendmail never goes to ask for any A records. It tries to resolve 'AAAA kalmar.' again and again.
In case of NXDOMAIN answer Sendmail goes to ask for A record and no problem.
I checked it, set BIND server as DNS server for this test host.

In my network there are only MS DNS servers.
I tried to install sendmail-8.14.5 on FreeBSD 9.2-RC1 and got no problem with email.
I tried to use ip6addrctl. No effect.

So what we gonna do? There will be so many crying persons in mailinglist after 9.2-RELEASE I think)

P.S. here is Russian version small discussion
http://ru-freebsd.livejournal.com/226451.html
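Added example, not part of the original post: a small triage script that reads tcpdump DNS lines like the ones quoted above and reports names whose AAAA lookups were answered with ServFail while no A query for the same name ever appears, which is the stall described in the report. The function name and the matching rule are this example's own assumptions; the sample lines are excerpts from the two captures in the post.

```python
import re
from collections import Counter

# Query: "<ts> IP <client.port> > <server>.domain: <id><flags> <TYPE>? <name> (<len>)"
QUERY = re.compile(
    r"IP (\S+) > \S+\.domain: (\d+)[^\s\d]*\s+(?:\[\S+\]\s+)?(\w+)\?\s+(\S+)")
# Reply: "<ts> IP <server>.domain > <client.port>: <id><flags> <rcode | an/ns/ar> ..."
REPLY = re.compile(
    r"IP \S+\.domain > (\S+): (\d+)[^\s\d]*\s+(ServFail|NXDomain|\d+/\d+/\d+)")

def stalled_aaaa(lines):
    """Return {name: ServFail count} for names whose AAAA lookups were answered
    with ServFail and for which no A query appears anywhere in the capture."""
    pending = {}          # (client endpoint, DNS id) -> (qtype, name)
    a_asked = set()       # names that were also queried for an A record
    servfail = Counter()
    for line in lines:
        q = QUERY.search(line)
        if q:
            client, qid, qtype, name = q.groups()
            pending[(client, qid)] = (qtype, name)
            if qtype == "A":
                a_asked.add(name)
            continue
        r = REPLY.search(line)
        if r:
            # The same DNS id can be reused from a new source port (see 53422),
            # so replies are matched on the client endpoint plus the id.
            client, qid, status = r.groups()
            qtype, name = pending.pop((client, qid), (None, None))
            if qtype == "AAAA" and status == "ServFail":
                servfail[name] += 1
    return {n: c for n, c in servfail.items() if n not in a_asked}

# Excerpts of the two captures quoted in the post above.
CAP_8_14_7 = """\
14:59:50.974570 IP reticulum.xxx.ru.28332 > hercules.xxx.ru.domain: 53421+ AAAA? kalmar.xxx.ru. (31)
14:59:50.974887 IP hercules.xxx.ru.domain > reticulum.xxx.ru.28332: 53421* 0/1/0 (82)
14:59:50.974919 IP reticulum.xxx.ru.21453 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
14:59:50.975290 IP hercules.xxx.ru.domain > reticulum.xxx.ru.21453: 53422 ServFail 0/0/0 (24)
14:59:50.975314 IP reticulum.xxx.ru.63038 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
14:59:50.975674 IP hercules.xxx.ru.domain > reticulum.xxx.ru.63038: 53422 ServFail 0/0/0 (24)
""".splitlines()
CAP_8_14_5 = """\
14:30:45.063624 IP 10.0.2.15.39212 > hercules.xxx.ru.domain: 62685+ AAAA? kalmar.xxx.ru. (31)
14:30:45.064460 IP hercules.xxx.ru.domain > 10.0.2.15.39212: 62685* 0/1/0 (82)
14:30:45.064766 IP 10.0.2.15.44381 > hercules.xxx.ru.domain: 62686+ A? kalmar.xxx.ru. (31)
14:30:45.065530 IP hercules.xxx.ru.domain > 10.0.2.15.44381: 62686* 1/0/0 A 192.168.31.190 (47)
""".splitlines()

if __name__ == "__main__":
    print("8.14.7:", stalled_aaaa(CAP_8_14_7))
    print("8.14.5:", stalled_aaaa(CAP_8_14_5))
```
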
Pavel Timofeev
2013-Aug-06 12:47 UTC
Sendmail-8.14.7 doesn't work with MS DNS in IPv4 network
I know about WorkAroundBrokenAAAA. I used default system configuration of sendmail so WorkAroundBrokenAAAA was set by default.

2013/8/6 Pavel Timofeev <timp87 at gmail.com>:
> Hello!
>
> I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses Sendmail-8.14.7.
> If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS
> you won't receive it.
> But in same time email passes from FreeBSD 9.1-RELEASE which uses
> Sendmail-8.14.5.
>
> It's because of two things.
>
> First thing: Sendmail behaviour changed between these two releases
> when it tries to resolve mx server name. For example, I did `echo foo
> | mail timp at xxx.ru`.
>
> Sendmail-8.14.5's tcpdump output:
> 14:30:45.061950 IP 10.0.2.15.30979 > hercules.xxx.ru.domain: 62684+ MX? xxx.ru. (24)
> 14:30:45.063064 IP hercules.xxx.ru.domain > 10.0.2.15.30979: 62684* 1/0/1 MX kalmar.xxx.ru. 10 (63)
> 14:30:45.063624 IP 10.0.2.15.39212 > hercules.xxx.ru.domain: 62685+ AAAA? kalmar.xxx.ru. (31)
> 14:30:45.064460 IP hercules.xxx.ru.domain > 10.0.2.15.39212: 62685* 0/1/0 (82)
> 14:30:45.064766 IP 10.0.2.15.44381 > hercules.xxx.ru.domain: 62686+ A? kalmar.xxx.ru. (31)
> 14:30:45.065530 IP hercules.xxx.ru.domain > 10.0.2.15.44381: 62686* 1/0/0 A 192.168.31.190 (47)
> 14:30:45.066014 IP 10.0.2.15.42197 > hercules.xxx.ru.domain: 62687+ A? kalmar.xxx.ru. (31)
> 14:30:45.066810 IP hercules.xxx.ru.domain > 10.0.2.15.42197: 62687* 1/0/0 A 192.168.31.190 (47)
> 14:30:45.071833 IP 10.0.2.15.23534 > hercules.xxx.ru.domain: 62688+ PTR? 15.2.0.10.in-addr.arpa. (40)
>
>
> Sendmail-8.14.7's tcpdump output:
> 14:59:50.793338 IP reticulum.xxx.ru.19032 > hercules.xxx.ru.domain: 53417+ AAAA? xxx.ru. (24) [13/98]
> 14:59:50.793662 IP hercules.xxx.ru.domain > reticulum.xxx.ru.19032: 53417* 0/1/0 (75)
> 14:59:50.793696 IP reticulum.xxx.ru.55299 > hercules.xxx.ru.domain: 53418+ A? xxx.ru. (24)
> 14:59:50.794087 IP hercules.xxx.ru.domain > reticulum.xxx.ru.55299: 53418* 7/0/0 A 192.168.2.11, A 192.168.2.12, A 192.168.41.4, A 192.168.14.12, A 192.168.34.100, A 192.168.34.110, A 192.168.44.19 (136)
> 14:59:50.973445 IP reticulum.xxx.ru.29244 > hercules.xxx.ru.domain: 53419+ MX? xxx.ru. (24)
> 14:59:50.973754 IP hercules.xxx.ru.domain > reticulum.xxx.ru.29244: 53419* 1/0/1 MX kalmar.xxx.ru. 10 (63)
> 14:59:50.974061 IP reticulum.xxx.ru.56461 > hercules.xxx.ru.domain: 53420+ AAAA? kalmar.xxx.ru. (31)
> 14:59:50.974340 IP hercules.xxx.ru.domain > reticulum.xxx.ru.56461: 53420* 0/1/0 (82)
> 14:59:50.974570 IP reticulum.xxx.ru.28332 > hercules.xxx.ru.domain: 53421+ AAAA? kalmar.xxx.ru. (31)
> 14:59:50.974887 IP hercules.xxx.ru.domain > reticulum.xxx.ru.28332: 53421* 0/1/0 (82)
> 14:59:50.974919 IP reticulum.xxx.ru.21453 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
> 14:59:50.975290 IP hercules.xxx.ru.domain > reticulum.xxx.ru.21453: 53422 ServFail 0/0/0 (24)
> 14:59:50.975314 IP reticulum.xxx.ru.63038 > hercules.xxx.ru.domain: 53422+ AAAA? kalmar. (24)
> 14:59:50.975674 IP hercules.xxx.ru.domain > reticulum.xxx.ru.63038: 53422 ServFail 0/0/0 (24)
> 14:59:50.975749 IP reticulum.xxx.ru.38393 > hercules.xxx.ru.domain: 53423+ AAAA? kalmar.xxx.ru. (31)
> 14:59:50.976105 IP hercules.xxx.ru.domain > reticulum.xxx.ru.38393: 53423* 0/1/0 (82)
> 14:59:50.976176 IP reticulum.xxx.ru.45558 > hercules.xxx.ru.domain: 53424+ AAAA? kalmar. (24)
> 14:59:50.976483 IP hercules.xxx.ru.domain > reticulum.xxx.ru.45558: 53424 ServFail 0/0/0 (24)
> 14:59:50.976512 IP reticulum.xxx.ru.45297 > hercules.xxx.ru.domain: 53424+ AAAA? kalmar. (24)
> 14:59:50.976864 IP hercules.xxx.ru.domain > reticulum.xxx.ru.45297: 53424 ServFail 0/0/0 (24)
>
>
> All of them asked MX and got it - kalmar.xxx.ru. Then they went to
> resolve kalmar.xxx.ru.
> Sendmail-8.14.5 asked one time for 'AAAA kalmar.xxx.ru.' and then went
> to ask 'A kalmar.xxx.ru.'.
> But Sendmail-8.15.7 asked several times for 'AAAA kalmar.xxx.ru.' and
> then went to ask 'AAAA kalmar.' Without xxx.ru at the end, just
> servername. What for? I don't know. This is change.
> And yes, sendmail ignored ADDITIONAL SECTION from MX record and tried
> to resolve mx server name independently.
>
>
>
> Second thing: Sendmail-8.15.7 doesn't work with MS DNS in IPv4 network.
> MS DNS answers SERVFAIL on 'AAAA kalmar.'
> But BIND answers NXDOMAIN on same query.
> In case of SERVFAIL answer Sendmail never goes to ask for any A
> records. It tries to resolve 'AAAA kalmar.' again and again.
> In case of NXDOMAIN answer Sendmail goes to ask for A record and no problem.
> I checked it, set BIND server as DNS server for this test host.
>
> In my network there are only MS DNS servers.
> I tried to install sendmail-8.14.5 on FreeBSD 9.2-RC1 and got no
> problem with email.
> I tried to use ip6addrctl. No effect.
>
> So what we gonna do? There will be so many crying persons in
> mailinglist after 9.2-RELEASE I think)
>
> P.S. here is Russian version small discussion
> http://ru-freebsd.livejournal.com/226451.html
Gregory Shapiro
2013-Aug-07 16:05 UTC
Sendmail-8.14.7 doesn't work with MS DNS in IPv4 network
> I found a problem in new FreeBSD 9.2-{BETA2,RC1} which uses Sendmail-8.14.7.
> If you try to send email from FreeBSD 9.2 in IPv4 network with MS DNS
> you won't receive it.
> But in same time email passes from FreeBSD 9.1-RELEASE which uses
> Sendmail-8.14.5.

The recent release made the following change:

--- sendmail/conf.c 25 Jan 2011 18:31:30 -0000 8.1168 +++ sendmail/conf.c 5 Apr 2013 17:39:09 -0000 8.1182 @@ -4726,7 +4726,12 @@ #else /* (SOLARIS > 10000 && SOLARIS < 20400) || (defined(SOLARIS) && SOLARIS < 204) || (defined(sony_news) && defined(__svr4)) */ int nmaps; # if NETINET6 - int flags = AI_DEFAULT|AI_ALL; +# ifndef SM_IPNODEBYNAME_FLAGS + /* For IPv4-mapped addresses, use: AI_DEFAULT|AI_ALL */ +# define SM_IPNODEBYNAME_FLAGS AI_ADDRCONFIG +# endif /* SM_IPNODEBYNAME_FLAGS */ + + int flags = SM_IPNODEBYNAME_FLAGS; int err; # endif /* NETINET6 */ char *maptype[MAXMAPSTACK];

Which is described in this release note:

Drop support for IPv4-mapped IPv6 addresses to prevent the MTA from using a mapped address over a legitimate IPv6 address and to enforce the proper semantics over the IPv6 connection. Problem noted by Ulrich Sporlein.

It looks like that SERVFAIL from Microsoft's DNS server is getting in the way of that. I can look at adding this exception to WorkAroundBrokenAAAA as a possibility for a future release. I'd also like to hear feedback on whether the above change (changing getipnodebyname() flags from 'AI_DEFAULT | AI_ALL' to 'AI_ADDRCONFIG') went too far and what the accepted norm is for getipnodebyname().
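Review bot: the new default on the '# define SM_IPNODEBYNAME_FLAGS AI_ADDRCONFIG' line changes the lookup flags for every NETINET6 build, but the only documentation in the hunk is the one-line comment above it, and the '#ifndef'/'#define' pair sits inside the function body between the 'int nmaps;' and 'int flags' declarations. Suggest moving the default definition out of the function into a header and documenting SM_IPNODEBYNAME_FLAGS as a build-time option, including the previous value AI_DEFAULT|AI_ALL, so a site that depended on the old flags can restore them without reading conf.c. The blank added line between '# endif' and 'int flags' can also go, since it separates declarations that belong together.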