Bug#991026: exim4: DANE error: tlsa lookup DEFER

Simon Josefsson simon at josefsson.org
Tue Jul 13 09:25:52 BST 2021


Package: exim4
Version: 4.92-8+deb10u6

I got bounces due to delivery failures when mailing someone from my
exim4-based mail server.  The log file contains:

2021-07-13 06:20:20.720 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [2a02:250:0:48::13]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.721 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [2a02:250:0:48::12]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.722 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [2a02:250:0:48::11]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.722 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [2a02:250:0:48::14]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.723 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [93.188.3.11]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.723 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [93.188.3.12]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.723 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [93.188.3.13]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.724 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [93.188.3.14]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.726 [13320] 1m1lRa-0002RD-DO == xxx at vetiveradv.se R=dnslookup T=remote_smtp defer (-36): DANE error: tlsa lookup DEFER

After a couple of days, it times out and I get a bounce back.

Before I could try the 'hosts_try_dane' option, I changed the
/etc/resolv.conf DNS servers from my ISP's to my own 127.0.0.1 unbound
instance, thinking it may be a DNS server problem.  Indeed, that
resolved my problem, and delivery worked again.

While the domain might contain buggy DANE records (it passes some checks
[2] though?), it seems like an exim4 problem that things work fine with
one DNS server and not another.  I'm guessing the problem was not with
the DANE records, but with the responses received from the DNS server?
How can I debug the DNS problem further?

This is the first case this happened, and I'm emailing many domains with
DANE records, so I'm a bit puzzled what went wrong here.

/Simon

[1] https://lists.exim.org/lurker/message/20200325.171053.9794c778.en.html
[2] https://dane.sys4.de/smtp/vetiveradv.se
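
Added example, not part of the original report and not exim4 code: one way to start on the debugging question above is to pull the hosts behind "tlsa lookup DEFER" out of the log, derive the TLSA names exim had to resolve, and build a dig query per resolver so the answers can be compared. The function names, the regex (which assumes the log line layout shown in the report) and the ISP_RESOLVER_IP placeholder are assumptions.

```python
import re
from collections import defaultdict

# Three lines copied from the report's log excerpt, plus one constructed
# successful delivery line that must not be matched.
SAMPLE_LOG = """\
2021-07-13 06:20:20.720 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [2a02:250:0:48::13]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.723 [13321] 1m1lRa-0002RD-DO H=mailcluster.loopia.se [93.188.3.11]:25: DANE error: tlsa lookup DEFER
2021-07-13 06:20:20.726 [13320] 1m1lRa-0002RD-DO == xxx at vetiveradv.se R=dnslookup T=remote_smtp defer (-36): DANE error: tlsa lookup DEFER
2021-07-13 06:21:00.000 [13400] 1m1lSb-0002RE-AA => user@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.1]
"""

# Per-host defer line: timestamp, [pid], message id, H=host [addr]:port
DEFER_RE = re.compile(
    r"^\S+ \S+ \[\d+\] (?P<msgid>\S+) H=(?P<host>\S+) "
    r"\[(?P<addr>[0-9A-Fa-f:.]+)\]:(?P<port>\d+): DANE error: tlsa lookup DEFER$"
)

def tlsa_defers(log_text):
    """Group 'tlsa lookup DEFER' lines by (host, port)."""
    found = defaultdict(lambda: {"msgids": set(), "addrs": set()})
    for line in log_text.splitlines():
        m = DEFER_RE.match(line.strip())
        if m:
            entry = found[(m["host"].lower(), int(m["port"]))]
            entry["msgids"].add(m["msgid"])
            entry["addrs"].add(m["addr"])
    return dict(found)

def tlsa_qname(host, port):
    """TLSA owner name for a TCP service: _<port>._tcp.<host>. (RFC 6698)."""
    return f"_{port}._tcp.{host.rstrip('.')}."

def dig_commands(defers, resolvers):
    """One dig invocation per (TLSA name, resolver) pair."""
    return [
        f"dig +dnssec @{r} {tlsa_qname(host, port)} TLSA"
        for (host, port) in sorted(defers)
        for r in resolvers
    ]

if __name__ == "__main__":
    # 127.0.0.1 is the local unbound from the report; ISP_RESOLVER_IP is a
    # placeholder for the server previously listed in /etc/resolv.conf.
    for cmd in dig_commands(tlsa_defers(SAMPLE_LOG), ["127.0.0.1", "ISP_RESOLVER_IP"]):
        print(cmd)  # compare "status:" and the "ad" flag between resolvers
```

Running the printed commands against both resolvers shows whether one of them returns a different status or drops the ad flag for the same TLSA name.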