host not found error
Hi All,
I've got one that I'm stumped on. Usually I can find the problems on
these but this one is a tough one.
We have a mailserver running Sendmail 8.13.8; it is a FreeBSD 6.2 system.
It processes a couple hundred K of mail a day with no trouble.
A customer recently complained about not being able to send mail to a
correspondent, the destination e-mail address is username [at] tcmcorp.com. Sendmail is spitting out an error:
stat=Host unknown (Name server: tcmcorp.com: host not found)
I've tried on a completely separate mailserver running the same Sendmail
and operating system to send mail to this domain, with the same error.
However I can query the domain with dig and nslookup and it looks
perfectly fine, the MX record is there and address records are there, the
nameservers are reachable, etc.
I know darn well that there's some kind of problem with the tcmcorp.com
zone file but I'll be damned if I can figure out what it is. The customer is
claiming that he can send and receive mail to and from his correspondent
using hotmail/gmail/etc. and so it must be our mailserver that is at fault.
Our customers send mail to thousands of other domains during the day
without this kind of problem so I'm pretty sure it's not us.
Any suggestions?
Ted Mittelstaedt
tedm [at] ipinc.net
Re: host not found error
In article <newscache$vk2wmj$gfp$1 [at] news.ipinc.net>,
"Ted Mittelstaedt" <tedm [at] ipinc.net> wrote:
> Hi All,
>
> I've got one that I'm stumped on. Usually I can find the problems on
> these but this one is a tough one.
>
> We have a mailserver running Sendmail 8.13.8 it is a FreeBSD 6.2 system.
> It processes a couple
> hundred K of mail a day with no trouble.
>
> A customer recently complained about not being able to send mail to a
> correspondent,
> the destination e-mail address is username [at] tcmcorp.com Sendmail is spitting
> out an error:
>
> stat=Host unknown (Name server: tcmcorp.com: host not found)
The DNS TTL's for the relevant authoritative records for tcmcorp.com are
all quite short, and while that will theoretically work, in practice it
is a recipe for random temporary DNS failures. If your DNS resolvers are
weak, you will see problems getting mail there. You might see this worse
if you have sendmail's host status caching enabled.
Also, two of the three listed mail exchangers for tcmcorp.com are
refusing port 25 connections. If you have connectivity problems to the
primary MX, you will try the others and fail to connect.
--
Now where did I hide that website...
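
An added example, not part of any post in this thread: one way to check a destination for the two conditions raised above (short TTLs on the delivery-relevant records, and MX hosts that refuse port 25) from saved `dig +noall +answer` output. The sample records, the example.com names and the 300-second threshold are constructed assumptions, not data about the domain discussed here.

```python
import socket

# Constructed sample of `dig +noall +answer` output; names, TTLs and addresses are invented.
SAMPLE_DIG = """\
example.com.        60     IN  MX  20 mx2.example.com.
example.com.        60     IN  MX  10 mx1.example.com.
example.com.        60     IN  MX  30 mx3.example.com.
mx1.example.com.    30     IN  A   192.0.2.10
mx2.example.com.    86400  IN  A   192.0.2.20
"""
MIN_TTL = 300  # assumed threshold for "quite short"; set your own policy

def parse_answers(text):
    """Yield (name, ttl, rtype, rdata) per record line; skip comments and malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or not fields[1].isdigit():
            continue
        name, ttl, _cls, rtype = fields[:4]
        yield name.rstrip(".").lower(), int(ttl), rtype.upper(), " ".join(fields[4:])

def short_ttl_records(text, min_ttl=MIN_TTL):
    """Records a caching resolver must re-fetch more often than every min_ttl seconds."""
    return [(n, t, r) for n, t, r, _ in parse_answers(text) if t < min_ttl]

def mx_hosts(text, domain):
    """MX targets for domain in the order an MTA tries them (lowest preference first)."""
    mx = []
    for name, _ttl, rtype, rdata in parse_answers(text):
        if rtype == "MX" and name == domain.lower():
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".").lower()))
    return [host for _pref, host in sorted(mx)]

def accepts_smtp(host, port=25, timeout=10.0):
    """True if a TCP connection to the SMTP port succeeds (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for name, ttl, rtype in short_ttl_records(SAMPLE_DIG):
        print(f"short TTL: {name} {rtype} ttl={ttl}s")
    print("MX order:", mx_hosts(SAMPLE_DIG, "example.com"))
```

Calling `accepts_smtp()` on each host returned by `mx_hosts()` shows which exchangers a sender can actually fall back to.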
Re: host not found error
"Bill Cole" <bill [at] scconsult.com> wrote in message
news:bill-99CD6B.10432717082007 [at] news.det.sbcglobal.net...
> In article <newscache$vk2wmj$gfp$1 [at] news.ipinc.net>,
> "Ted Mittelstaedt" <tedm [at] ipinc.net> wrote:
>
> > Hi All,
> >
> > I've got one that I'm stumped on. Usually I can find the problems on
> > these but this one is a tough one.
> >
> > We have a mailserver running Sendmail 8.13.8 it is a FreeBSD 6.2 system.
> > It processes a couple
> > hundred K of mail a day with no trouble.
> >
> > A customer recently complained about not being able to send mail to a
> > correspondent,
> > the destination e-mail address is username [at] tcmcorp.com Sendmail is spitting
> > out an error:
> >
> > stat=Host unknown (Name server: tcmcorp.com: host not found)
>
> The DNS TTL's for the relevant authoritative records for tcmcorp.com are
> all quite short, and while that will theoretically work, in practice it
> is a recipe for random temporary DNS failures.
Thanks, Bill! I didn't even notice that. You have good eyes!
> If your DNS resolvers are
> weak, you will see problems getting mail there.
Well, this is a problem because if I get your meaning what is happening is
the short TTL is causing every query to generate a new root server query,
and that is taking extra time, and sendmail isn't waiting around for the
response. Whereas, nslookup, dig, and friends are taking the extra time to
wait. The problem here is that this delay is, in my understanding, mostly
going to be due to factors very much beyond my control. Even if I were to
replace both our nameservers (dns1.ipinc.net and dns2.ipinc.net) with
lightning fast systems, that isn't going to speed the amount of time that
the roots respond and that the authoritative nameservers for the domain
respond.
Or am I not understanding the problem correctly?
> You might see this worse
> if you have sendmail's host status caching enabled.
>
From sendmail.cf:
# persistent host status directory
#O HostStatusDirectory=.hoststat
So no, I don't think it is enabled.
> Also, two of the three listed mail exchangers for tcmcorp.com are
> refusing port 25 connections. If you have connectivity problems to the
> primary MX, you will try the others and fail to connect.
That shouldn't give me a host not found error, that should give me a
host not responding or some such. But, I am glad you found that because
it is far easier to explain this to a customer than the TTL issue and it
is a much more obvious issue. Of course we know it should not be a
problem if the primary answers - but now I can argue that if they screwed
that up, they screwed the TTL up as well and have a lot more authority.
Ted
Re: host not found error
In article <newscache$uyxxmj$5k11$1 [at] news.ipinc.net>,
"Ted Mittelstaedt" <tedm [at] ipinc.net> wrote:
> "Bill Cole" <bill [at] scconsult.com> wrote in message
> news:bill-99CD6B.10432717082007 [at] news.det.sbcglobal.net...
> > In article <newscache$vk2wmj$gfp$1 [at] news.ipinc.net>,
> > "Ted Mittelstaedt" <tedm [at] ipinc.net> wrote:
> >
> > > Hi All,
> > >
> > > I've got one that I'm stumped on. Usually I can find the problems on
> > > these but this one is a tough one.
> > >
> > > We have a mailserver running Sendmail 8.13.8 it is a FreeBSD 6.2 system.
> > > It processes a couple
> > > hundred K of mail a day with no trouble.
> > >
> > > A customer recently complained about not being able to send mail to a
> > > correspondent,
> > > the destination e-mail address is username [at] tcmcorp.com Sendmail is spitting
> > > out an error:
> > >
> > > stat=Host unknown (Name server: tcmcorp.com: host not found)
> >
> > The DNS TTL's for the relevant authoritative records for tcmcorp.com are
> > all quite short, and while that will theoretically work, in practice it
> > is a recipe for random temporary DNS failures.
>
> Thanks, Bill! I didn't even notice that. You have good eyes!
>
> > If your DNS resolvers are
> > weak, you will see problems getting mail there.
>
> Well, this is a problem because if I get your meaning what is happening is
> the short TTL is causing every query to generate a new root server query,
> and that is taking extra time, and sendmail isn't waiting around for the
> response. Whereas, nslookup, dig, and friends are taking the extra time to
> wait. The problem here is that this delay is, in my understanding, mostly
> going to be due to factors very much beyond my control. Even if I were to
> replace both our nameservers (dns1.ipinc.net and dns2.ipinc.net) with
> lightning fast systems, that isn't going to speed the amount of time that
> the roots respond and that the authoritative nameservers for the domain
> respond.
>
> Or am I not understanding the problem correctly?
That's as good a theory as any... If you've tuned your Sendmail resolver
options and timeouts for performance over robustness, you could trigger
that sort of problem.
I've seen very short TTL's cause trouble primarily with places using
shoddy caching resolvers (e.g. Microsoft's name server, the late
unlamented MacDNS, etc.) and have never really diagnosed it in depth to
lay blame. I don't think Sendmail in a default config should be running
into problems of its own creation, but a packet trace might yield the
truth.
--
Now where did I hide that website...