[Pkg-exim4-users] Broken DNS servers cause all connections to Defer

Daniel Collis-Puro dan at endpoint.com
Sun Jul 29 15:04:42 UTC 2007


Folks,

We're using sa-exim and exim-daemon-heavy out of Sarge and Etch in
combination with a bunch of other packages to provide mx-proxy based
spamfiltering services for a whole slew of domains. I really could not
be happier with the performance and flexibility of our setup, except for
one pretty big issue.

Say we've got an FQDN listed in local_host_whitelist or
local_host_blacklist.

If it's an invalid FQDN and the authoritative nameservers for that FQDN
are reachable, everything's fine. Exim will do the lookup, recognize
it's an invalid FQDN and take appropriate action.

HOWEVER - if the authoritative nameservers for that FQDN aren't
reachable, Exim won't be able to complete the lookup and will defer *all*
incoming connections until:
1) You remove the FQDN with broken DNS servers, OR
2) The DNS servers for the FQDN come back up, allowing for successful
DNS resolutions.

This sucks, because it means if I blacklist "spammy.mcspam.com" and the
DNS servers for that domain go down, all email is deferred until I
notice it and remove the domain.

I see two major options:

1) Resolve all FQDN in local_host_whitelist / local_host_blacklist to IP
addresses via a script of some sort, omitting FQDN that don't resolve
when the script runs,
2) Reconfigure exim to ignore domains or time out differently when doing
DNS lookups.

Option 1 would be easy but yucky. I'm not entirely sure where to go for
option 2. We have a caching nameserver in front of our exims, but I
don't like the idea of molesting DNS lookups too much.

Thoughts?

--DJCP

-- 
-**---****-----******-------********---------**********
Daniel Collis-Puro
Software Engineer
End Point Corp.
dan at endpoint.com
(office) 781-477-0885
**********---------********-------******-----****---**-
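Option 1 from the post, as an added example (this is not the poster's script, nor anything shipped with sa-exim or Exim): a small Python pre-resolver that turns a host list into IP addresses ahead of time, skipping any entry whose lookup fails or does not answer before a deadline. It assumes the list is a plain file with one entry per line and "#" comments (an assumption, not a documented sa-exim format); literal addresses, CIDR ranges and Exim-style wildcard or negated items are copied through unchanged. The resolver is pluggable so the failure mode the post describes, an authoritative server that never answers, can be exercised offline with a constructed resolver.

```python
#!/usr/bin/env python3
"""Pre-resolve a host list (one entry per line, '#' comments) to IP addresses.

Names whose lookup fails or does not answer before a deadline are skipped
and reported, so a dead authoritative server costs one list entry instead
of deferring every inbound connection.  Added example; assumed list format.
"""
import ipaddress
import socket
import sys
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Default resolver: every A/AAAA address the system resolver returns.

    Raises socket.gaierror (an OSError) on NXDOMAIN or SERVFAIL; when the
    authoritative servers are unreachable it blocks until libc's own
    resolver timeout expires, which is exactly the case we cannot wait for.
    """
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_literal(entry: str) -> bool:
    """True for items that need no lookup: IPs, CIDR ranges, and Exim-style
    wildcard (*), local-host (@), negated (!) or named-list (+) items,
    which are copied through unchanged."""
    if entry[0] in "*@!+":
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve_host_list(entries: Iterable[str], resolver: Resolver = system_resolver,
                      timeout: float = 5.0) -> Tuple[List[str], Dict[str, str]]:
    """Return (resolved, skipped), preserving the input order of entries.

    All lookups run concurrently against one shared deadline, so the total
    wall-clock cost is bounded by `timeout`, not by N * timeout.
    """
    pool = ThreadPoolExecutor(max_workers=8)
    pending = []  # (entry, future-or-None) in input order
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        pending.append((entry, None if is_literal(entry) else pool.submit(resolver, entry)))

    deadline = time.monotonic() + timeout
    resolved: List[str] = []
    skipped: Dict[str, str] = {}
    for entry, fut in pending:
        if fut is None:
            resolved.append(entry)
            continue
        try:
            addrs = fut.result(timeout=max(0.0, deadline - time.monotonic()))
        except FutureTimeout:
            skipped[entry] = "lookup did not answer before deadline"
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            skipped[entry] = f"lookup failed: {exc}"
        else:
            if addrs:
                resolved.extend(addrs)
            else:
                skipped[entry] = "lookup returned no addresses"
    # Do not block on hung lookups here; the stuck worker thread is released
    # when libc's resolver timeout fires (process exit still waits for it).
    pool.shutdown(wait=False)
    return resolved, skipped


if __name__ == "__main__":
    ok, bad = resolve_host_list(sys.stdin)
    for item in ok:
        print(item)
    for name, why in bad.items():
        print(f"skipped {name}: {why}", file=sys.stderr)
```

Run it from cron against each list file and install the output as the list Exim actually reads, keeping the name-based file as the source of truth; a skipped entry is logged rather than silently dropped so a blacklist that quietly shrank is noticeable. The residual risk is the window between the domain's DNS dying and the next cron run, during which the stale IPs keep working, which is the opposite failure of deferring everything. For option 2, later Exim 4 releases provide the host-list items +include_unknown and +ignore_unknown (documented in the host-lists chapter of the Exim specification), which decide a failed lookup one way or the other instead of deferring; whether the Sarge and Etch packages are recent enough to carry them needs checking against their versions.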