[svlug] About exim bounce messages

William R. Ward bill at wards.net
Mon Nov 26 18:36:02 PST 2001

Derek J. Balling writes:
>Surely this error message should replace:
>(host -t MX domain)
>(host -t MX domain  /or/  host -t A domain)
>Since it doesn't actually NEED an MX record if the host at the A 
>record handles its own mail. And this is an interesting point I ask, 
>$  host -t a c1714876-a.stcla1.sfba.home.com
>c1714876-a.stcla1.sfba.home.com has address

While I agree that it would be nice to send it to the A record, I
think it is not consistent with the RFC to do so.  An MX record is
mandatory to receive mail, I believe.  There is an MX record for
"home.com" itself - would that apply?  In which case, either
bill at home.com or postmaster at home.com got some surprising e-mail!  But
I never got those, due to the lack of an MX entry.

To explain the second bounce error that was sent (which I did
receive): After home.wards.net was working, and my envelope set to
that value, it wasn't working because the MX for home.wards.net was
mistakenly pointing to mail.wards.net, which is the machine (at my
ISP) that hosts the domain wards.net.  But that machine doesn't answer
to home.wards.net, so those messages failed.  I fixed the MX to point
back to itself, as it should have been all along, and things started
to work finally.

A more detailed story of my DNS woes follows, for the benefit of

I started off with the envelope set to the machine's hostname,
komodo.home.wards.net.  But the *.home.wards.net zone was hidden from
outside view, so that hostname couldn't be resolved.  It took me a
while to notice that, since most MTA's (e.g. sendmail) don't mind.

When I tried to post to svlug at svlug.org, I was getting (cryptic, IMHO)
bounce messages from exim because it couldn't resolve the hostname in
the DNS.  It confused me because the I could resolve the hostname just
fine - but that was because it was for my private (192.168) network,
which of course only I could access.

I changed the envelope to home.wards.net, and surprisingly got the
same problem, even though there was an A record for home.wards.net in
the wards.net zone.  While I researched the problem, I set the
envelope to the home.com address and was finally able to post.

The reason home.wards.net didn't work was that surprisingly, using
BIND 9 anyway, if you delegate a sub-domain to the same nameserver,
but with access restrictions, those restrictions apply to the entries
for that name in the "parent" zone as well!  In other words, I wanted
*.home.wards.net to be private, but home.wards.net as a hostname to be
public.  But that doesn't seem to be possible if both are hosted on
the same (BIND 9) nameserver.

I'm not sure if this is a bug in BIND, or a misunderstanding on my
part.  I would have expected the restrictions to only apply to the
entries in the zone file for which the restriction is defined.

To fix this temporarily, I just removed the restricted access.  Now
all and sundry can find out the IP for *.home.wards.net machines, but
it doesn't matter because they're all 192.168 addresses, and cannot be
routed to.  The long-term solution will be to implement a "view"-based
BIND 9 config when I have the time to get it figured out.


William R Ward            bill at wards.net          http://www.wards.net/~bill/
     If you're not part of the solution, you're part of the precipitate.

More information about the svlug mailing list