Bug 11893 - Mails from the main mail server to internal servers cannot be delivered
Summary: Mails from the main mail server to internal servers cannot be delivered
Status: CLOSED FIXED
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: Mail & Mailing Lists (show other bugs)
Version: unspecified
Hardware: unspecified Unspecified
: Will affect an average number of users Major Usability
Assignee: Peter Müller
QA Contact: Peter Müller
URL: https://www.linuxtopia.org/online_boo...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-04 14:30 UTC by Michael Tremer
Modified: 2018-11-10 12:11 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Tremer 2018-10-04 14:30:12 UTC 
This seems to be the problem:

> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.web02.i.ipfire.org type=TLSA: Host not found, try again
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25._tcp.web02.i.ipfire.org type=TLSA: Host not found, try again
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: TLS policy lookup for [web02.i.ipfire.org]/web02.i.ipfire.org: TLSA lookup error for web02.i.ipfire.org:25
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: warning: TLS policy lookup for [web02.i.ipfire.org]/web02.i.ipfire.org: TLSA lookup error for web02.i.ipfire.org:25
> Oct  3 20:15:25 mail01 postfix/smtp[17467]: E330021B9E5D: to=<bugzilla@web02.i.ipfire.org>, orig_to=<bugzilla@ipfire.org>, relay=none, delay=5.5, delays=0.38/0.03/5.1/0, dsn=4.7.5, status=deferred (TLSA lookup error for web02.i.ipfire.org:25)

However, after a couple of retries, postfix is able to deliver this email.
Comment 1 Peter Müller 2018-10-04 18:40:54 UTC 
Yes, it falls back to "encrypted" delivery policy.

Until #11898 is ready, delivery to internal systems must using this policy by default.
Comment 2 Peter Müller 2018-10-04 18:58:35 UTC 
Problem should be solved by using a TLS specific map for internal transports.

As mentioned, this is only a temporary solution.

Please test and confirm.
Comment 3 Michael Tremer 2018-10-04 19:12:23 UTC 
Thanks for looking at this.

Do you have any idea why this wasn't really an issue for a long time and now
every single email seems to be running into it?
Comment 4 Peter Müller 2018-11-09 17:57:44 UTC 
After the mail session we had yesterday, I think this is fixed. Is it?
Comment 5 Michael Tremer 2018-11-10 12:11:39 UTC 
Yes... still need to test this a little, but I guess this is done.