[Pkg-exim4-users] Broken DNS servers cause all connections to Defer

Daniel Collis-Puro dan at endpoint.com
Sun Jul 29 15:04:42 UTC 2007


We're using sa-exim and exim-daemon-heavy out of Sarge and Etch in
combination with a bunch of other packages to provide mx-proxy based
spam filtering services for a whole slew of domains. I really could not
be happier with the performance and flexibility of our setup, except for
one pretty big issue.

Say we've got an FQDN listed in local_host_whitelist or

If it's an invalid FQDN and the authoritative nameservers for that FQDN
are reachable, everything's fine. Exim will do the lookup, recognize
it's an invalid FQDN and take appropriate action.

HOWEVER - if the authoritative nameservers for that FQDN aren't
reachable, Exim won't be able to complete the lookup and will defer *all*
incoming connections until:
1) You remove the FQDN with broken DNS servers, OR
2) The DNS servers for the FQDN come back up, allowing for successful
DNS resolutions.

This sucks, because it means if I blacklist "spammy.mcspam.com" and the
DNS servers for that domain go down, all email is deferred until I
notice it and remove the domain.

I see two major options:

1) Resolve all FQDN in local_host_whitelist / local_host_blacklist to IP
addresses via a script of some sort, omitting FQDN that don't resolve
when the script runs,
2) Reconfigure exim to ignore domains or time out differently when doing
DNS lookups.

Option 1 would be easy but yucky. I'm not entirely sure where to go for
option 2. We have a caching nameserver in front of our exims, but I
don't like the idea of molesting DNS lookups too much.



Daniel Collis-Puro
Software Engineer
End Point Corp.
dan at endpoint.com
(office) 781-477-0885
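Option 1 from the post above (pre-resolve the names in the host lists to
address literals and leave out anything that does not resolve) as an added
example, not code from the post, from the exim4 packaging or from Exim itself.
The function names (system_resolver, resolve_with_timeout, resolve_hostlist,
render_hostlist), the sample host list and the offline sample_resolver are
all constructed for the example; a real run uses the default system resolver.
The point it demonstrates is the one the post is about: a name whose
nameservers never answer is bounded by a timeout and dropped from the
generated list, instead of hanging the lookup and deferring every connection.

```python
import concurrent.futures
import ipaddress
import socket
import sys
import time
from typing import Callable, Iterable, List, Tuple

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve a name to all its A/AAAA addresses through the system resolver.
    Raises socket.gaierror on NXDOMAIN/SERVFAIL; blocks while a server is unreachable."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolve_with_timeout(name: str, timeout: float, resolver: Resolver) -> List[str]:
    """Run one lookup in a worker thread and give up after `timeout` seconds.
    getaddrinfo ignores socket.setdefaulttimeout, so the bound is applied around it.
    A lookup that is still hanging is abandoned (shutdown(wait=False))."""
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(resolver, name).result(timeout=timeout)
    finally:
        pool.shutdown(wait=False)


def is_address_literal(entry: str) -> bool:
    """True for IPv4/IPv6 addresses and CIDR ranges, which need no lookup at all."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def resolve_hostlist(entries: Iterable[str], resolver: Resolver = system_resolver,
                     timeout: float = 5.0) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (kept, skipped). kept holds address literals only, in input order and
    deduplicated; skipped holds (name, reason) for each FQDN that did not resolve."""
    kept: List[str] = []
    skipped: List[Tuple[str, str]] = []
    seen = set()
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not entry:
            continue
        if is_address_literal(entry):
            candidates = [entry]
        else:
            try:
                candidates = resolve_with_timeout(entry, timeout, resolver)
            except concurrent.futures.TimeoutError:
                skipped.append((entry, "timeout"))   # nameservers never answered
                continue
            except (socket.gaierror, OSError) as exc:
                skipped.append((entry, str(exc)))    # NXDOMAIN, SERVFAIL, ...
                continue
            if not candidates:
                skipped.append((entry, "no addresses"))
                continue
        for addr in candidates:
            if addr not in seen:
                seen.add(addr)
                kept.append(addr)
    return kept, skipped


def render_hostlist(kept: List[str], skipped: List[Tuple[str, str]]) -> str:
    """Render the list in the one-item-per-line form Exim reads from a file,
    with the dropped names recorded as comments so the admin can see them."""
    lines = ["# generated: address literals only; names that failed to resolve were omitted"]
    lines.extend(kept)
    lines.extend(f"# skipped {name}: {reason}" for name, reason in skipped)
    return "\n".join(lines) + "\n"


# Constructed offline stand-in for system_resolver, for the demo and the tests.
SAMPLE_TABLE = {
    "mx.example.net": ["192.0.2.10", "2001:db8::10"],
    "alias.example.net": ["192.0.2.10"],   # resolves to an address already listed
}


def sample_resolver(name: str) -> List[str]:
    if name == "slow.example.net":
        time.sleep(2)                      # simulates a nameserver that never answers
    if name in SAMPLE_TABLE:
        return SAMPLE_TABLE[name]
    raise OSError(f"{name}: NXDOMAIN")    # what socket.gaierror signals for a dead name


SAMPLE_ENTRIES = [                         # constructed local_host_blacklist contents
    "# constructed sample list",
    "198.51.100.0/24",
    "mx.example.net",
    "alias.example.net",
    "spammy.invalid      # nameservers answer NXDOMAIN",
    "slow.example.net",
    "",
]


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    return resolve_hostlist(SAMPLE_ENTRIES, resolver=sample_resolver, timeout=0.2)


if __name__ == "__main__":
    if len(sys.argv) == 2:                 # real run: python3 script.py /path/to/hostlist
        with open(sys.argv[1]) as fh:
            kept, skipped = resolve_hostlist(fh)
    else:                                  # no argument: run the offline demo
        kept, skipped = demo()
    sys.stdout.write(render_hostlist(kept, skipped))
    sys.exit(2 if skipped else 0)          # nonzero status flags dropped names
```

Run it from cron against the source list, redirect stdout to a temporary
file and move that into place as the list Exim actually reads; the nonzero
exit status is there so the wrapper can warn when a name was dropped, since
from Exim's side the name has simply vanished from the list.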

