Old 04-05-2019, 11:31 PM   #1
mfoley
Spamassassin: NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records


I'm reviewing messages from several email servers I manage, trying to clean up odd errors. I get the following message from spamassassin running on a server:
Code:
0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
The entire header is shown below (nothing particularly confidential). The originator of the message is from novatec-inc.com, which does have an MX and A record. Likewise the recipient host is horeb-wright3.org, also with MX and A records:
Code:
# host novatec-inc.com
novatec-inc.com has address 184.57.114.221
novatec-inc.com mail is handled by 10 novatec-inc.com.

# host horeb-wright3.org
horeb-wright3.org has address 24.96.253.242
horeb-wright3.org mail is handled by 10 horeb-wright3.org.
So, why the "Envelope sender has no MX or A DNS records" notice from Spamassassin? I did do some web searching, but didn't find a satisfying answer. Mostly discussions of PTR and TXT records.

The message header:
Code:
From CofH@horeb-wright3.org Sat Mar 30 16:35:21 2019
Return-Path: <CofH@horeb-wright3.org>
Received: from hiram.local (localhost [127.0.0.1])
        by hiram.novatec-inc.com (8.15.2/8.15.2) with ESMTP id x2UKZK4E030629;
        Sat, 30 Mar 2019 16:35:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=horeb-wright3.org;
        s=hiram; t=1553978120;
        bh=X0E1BITYYCDuG6vIe/MCs9w5HtjXmgxPDB2/x5EhHP4=;
        h=From:Reply-To:Date:To:Subject;
        b=IrlAmlJ2jT9k5489vHTq0XKh/tovd4zvuQpFpn5YozZYeAtdbwUs21j4Bz/6s7dNq
         jnf0eLJQ/pSQ5ajyW4MV3VdRMQzHWoHF8u6wChdOzFnR/XaXY4RiGfygB1p+Llzxts
         CqxqOXMQ2fsjTi1n8o5+Vkts0aP6Ow0b1eG6Wd7Q=
Received: (from daemon@localhost)
        by hiram.local (8.15.2/8.15.2/Submit) id x2UKZKsP030628;
        Sat, 30 Mar 2019 16:35:20 -0400
Received: from dnvrco-cmomta02.email.rr.com (dnvrco-outbound-snat.email.rr.com [107.14.73.226])
        by hiram.novatec-inc.com (8.15.2/8.15.2) with ESMTP id x2UKQ5wg028371
        for <officers@horeb-wright3.org>; Sat, 30 Mar 2019 16:26:05 -0400
Received: from server.novatec-inc.com ([184.57.114.221])
        by cmsmtp with ESMTP
        id AKYDhpMT3iYm2AKYGhip6i; Sat, 30 Mar 2019 20:26:04 +0000
Received: from server.novatec-inc.com (localhost [127.0.0.1])
        by server.novatec-inc.com (8.15.2/8.15.2) with ESMTPS id x2UKPxZC017173
        (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
        Sat, 30 Mar 2019 16:25:59 -0400
Received: (from mfoley@localhost)
        by server.novatec-inc.com (8.15.2/8.15.2/Submit) id x2UKPxwO017172;
        Sat, 30 Mar 2019 16:25:59 -0400
From: "Mark Foley" <CofH@horeb-wright3.org>
Reply-To: mfoley@novatec-inc.com
Message-Id: <201903302025.x2UKPxwO017172@server.novatec-inc.com>
Date: Sat, 30 Mar 2019 16:25:59 -0400
To: "Mailing List" <maillist@horeb-wright3.org>
Subject: Your horeb-wright3.org
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,NO_DNS_FOR_FROM,T_SPF_HELO_TEMPERROR autolearn=no
        autolearn_force=no version=3.4.1-_revision__1.0__
X-Spam-Report: 
        *  0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
        *  0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed (temperror)
        *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        *      valid
        * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
        *       domain
        * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Spam-Checker-Version: SpamAssassin 3.4.1-_revision__1.0__ (2015-04-28) on
        hiram.local
X-CMAE-Envelope: MS4wfLKw9Ds6CHFTfz4wUiCmn3eDBpEsU0SQnf5lYMQp52TwdtoTpWAf1+nT43epRXEozhTpHs/UFnRKUxjmbocAj2WJDRec1lKVjAjbiimsvs/P2OwAW5Tr
 s5yUO05Nu8biWzmZxt90v5LGIF8W2oI5qRGsAzp1aUU7Z0R18n9YAJWp9rs3UVMSSXTxtqTMenOAtpWmGzzJCIJ1TjfWqitHTdA=

Last edited by mfoley; 04-05-2019 at 11:33 PM.
 
Old 04-06-2019, 07:53 AM   #2
smallpond
I see no dns for server.novatec-inc.com.
 
Old 04-06-2019, 02:08 PM   #3
scasey
Quote:
Originally Posted by smallpond
I see no dns for server.novatec-inc.com.
I'm finding an A record for that, but no MX record. But, isn't the Envelope Sender domain on the posted header horeb-wright3.org:
Code:
Return-Path: <CofH@horeb-wright3.org>
which certainly has appropriate DNS.

I tried to run the headers through spamc, but no spam was detected. mfoley, try
Code:
spamc -R < emailmsg
Sometimes the full report (-R) gives more information.

Also, I vaguely recall that DNS validation can be turned off in spamassassin, which causes all of the DNS related rules to fire. Does this happen on every email on that server?

I'll try to remember where that is set...off to apache.org...

Update:
Quote:
By default, most installations of SpamAssassin don't turn on the network tests,...
Quote:
How to turn on network tests

Edit your spamd start-up script, or start-up options file (depending on which OS you're running, these may be different). There should be a -L or --local switch in that file. Remove it to enable network tests.
On my CentOS 7 server, the "start-up options file" is /etc/mail/spamassassin/local.cf

Spamassassin Tips

Last edited by scasey; 04-06-2019 at 02:17 PM.
 
Old 04-11-2019, 01:39 PM   #4
mfoley
Quote:
Originally Posted by smallpond
I see no dns for server.novatec-inc.com.
Well, is this part of my issue? server.novatec-inc.com is the actual host, but the DNS and MX record are for novatec-inc.com:
Code:
 host novatec-inc.com
novatec-inc.com has address 184.57.114.221
novatec-inc.com mail is handled by 10 novatec-inc.com.
I would have thought that DNS resolution wouldn't really care about hosts associated with that domain. Also, server.novatec-inc.com does resolve:
Code:
$ host server.novatec-inc.com
server.novatec-inc.com has address 184.57.114.221
But no MX record. If spamassassin is looking for an MX record associated specifically with this host, that would be a problem.
Quote:
Originally Posted by scasey
Also, I vaguely recall that DNS validation can be turned off in spamassassin, which causes all of the DNS related rules to fire. Does this happen on every email on that server?
Did you mean "causes all of the DNS related rules to not fire"? Yes, this happens on every email sent from novatec-inc.com to horeb-wright3.org. It also appears to happen on other senders. Here's relevant spamassassin reports from a "junk" mail from gmail.com:
Code:
        *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
        *      (pradhankarishma22[at]gmail.com)
        *  0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
So, this is rather puzzling. There is little doubt that gmail.com has both MX and DNS records, lots of MX records in fact.

Is this simply a bogus spamassassin rule that doesn't work?

Would the LQ consensus be to simply turn off this rule?
 
Old 04-11-2019, 02:09 PM   #5
scasey
Quote:
Originally Posted by mfoley
Did you mean "causes all of the DNS related rules to not fire"? Yes, this happens on every email sent from novatec-inc.com to horeb-wright3.org. It also appears to happen on other senders. Here's relevant spamassassin reports from a "junk" mail from gmail.com:
Code:
        *  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
        *      (pradhankarishma22[at]gmail.com)
        *  0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
So, this is rather puzzling. There is little doubt that gmail.com has both MX and DNS records, lots of MX records in fact.
No, I meant would fire...if the DNS checking is turned off, then all "there is no DNS" rules would match, because that would be the case...spamassassin would not see DNS for them.

This would also happen if there were problems with DNS resolution on that server, again falsely reporting NO DNS because it can't be checked.
Quote:
Originally Posted by mfoley

Is this simply a bogus spamassassin rule that doesn't work?

Would the LQ consensus be to simply turn off this rule?
No, the rule is valid and does work, but it requires access to DNS to work as expected.
I'm going to post this, then confirm and edit with how to be sure spamassassin is configured to check DNS.
Please confirm there are no problems with name resolution on that server, since it's the only one behaving that way.

I'm hardly a consensus, but I wouldn't turn it off until verifying those two things, and not even then, unless it's resulting in false positives. Is it?
I'll be back...

From apache.org
Quote:
dns_available { yes | test[: name1 name2...] | no } (default: test)
By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

dns_available test: domain1.tld domain2.tld domain3.tld

Please note, the DNS test queries for NS records.

SpamAssassin's network rules are run in parallel. This can cause overhead in terms of the number of file descriptors required; it is recommended that the minimum limit on file descriptors be raised to at least 256 for safety.
So if dns_available no is in the config file, DNS checking is turned off.
If there's nothing in the config file, then it's doing the default behaviour described.

Last edited by scasey; 04-11-2019 at 02:24 PM.
 
Old 04-17-2019, 04:01 PM   #6
mfoley
Quote:
Originally Posted by scasey
No, I meant would fire...if the DNS checking is turned off, then all "there is no DNS" rules would match, because that would be the case...spamassassin would not see DNS for them.

This would also happen if there were problems with DNS resolution on that server, again falsely reporting NO DNS because it can't be checked.

No, the rule is valid and does work, but it requires access to DNS to work as expected.
I'm going to post this, then confirm and edit with how to be sure spamassassin is configured to check DNS.
Please confirm there are no problems with name resolution on that server, since it's the only one behaving that way.
As shown in my previous posts, I am able to DNS resolve using 'host'. Plus I can ssh from there to any domain. So the computer itself is resolving domains. My /etc/resolv.conf name servers are configured as 8.8.8.8 and 66.193.88.3.

I've checked the emails received on 3 other servers that I maintain, all running spamassassin, and none of them have the NO_DNS_FOR_FROM notice, only this one.
Quote:
I'm hardly a consensus, but I wouldn't turn it off until verifying those two things, and not even then, unless it's resulting in false positives. Is it?
Not that I know of.
Quote:
I'll be back...

From apache.org
Quote:
dns_available { yes | test[: name1 name2...] | no } (default: test)
By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

dns_available test: domain1.tld domain2.tld domain3.tld

Please note, the DNS test queries for NS records.

SpamAssassin's network rules are run in parallel. This can cause overhead in terms of the number of file descriptors required; it is recommended that the minimum limit on file descriptors be raised to at least 256 for safety.
So if dns_available no is in the config file, DNS checking is turned off.
If there's nothing in the config file, then it's doing the default behaviour described.
I tried the suggested 'dns_available test: domain1.tld domain2.tld domain3.tld' in my local.cf file. That did seem to work, although I am limited to the sending addresses I can try. Nevertheless, the one I tested with did give the NO_DNS_FOR_FROM notice in the past and this time it did not. I'll await some more messages to the site to confirm.

If that works, as it appears it might, do you have any idea why this one computer has this issue? Could it be the 8.8.8.8 nameserver? None of the other computers are using that and I don't think I really need to. I have nameservers from the ISP.
 
Old 04-17-2019, 05:17 PM   #7
scasey
Yeah...it’s not the server that wasn’t resolving DNS, it was only spamassassin.
Maybe compare the spamassassin configs to find out what’s different on this installation?
What name servers did you add to the config? Did you include the google nameserver?

Last edited by scasey; 04-17-2019 at 05:19 PM.
 
Old 04-23-2019, 11:41 AM   #8
mfoley
Quote:
Originally Posted by scasey
Yeah...it’s not the server that wasn’t resolving DNS, it was only spamassassin.
Maybe compare the spamassassin configs to find out what’s different on this installation?
What name servers did you add to the config? Did you include the google nameserver?
But, doesn't spamassassin use the server to resolve DNS? How else would it do it?

I'm going to remove the 'dns_available test:' from spamassassin. And, I've removed both of those nameservers from resolv.conf. The 2nd one was for Time-Warner and the ISP was changed to WOWway. I've added Wowway nameservers. I'll see what the results are with these changes.
 
Old 04-23-2019, 02:35 PM   #9
scasey
Quote:
Originally Posted by mfoley
But, doesn't spamassassin use the server to resolve DNS? How else would it do it?
What I’m saying is that spamassassin can be configured to NOT check DNS, in which case rules that NEED a DNS check would be true, and add points.
If spamassassin is so configured, it doesn’t matter how the host is configured, because SA won’t try to use it.

So, again, compare the spamassassin configuration of the malfunctioning server to a server that’s not reporting DNS failures.
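
The two settings this thread points to, the spamd -L/--local switch and dns_available, can be read out mechanically when comparing the misbehaving server with a working one. The script below is an added example, not part of any post above and not SpamAssassin's own code; the function names, file names and sample file contents are constructed for illustration, and it assumes the last dns_available line in the files read is the one that takes effect.

```sh
#!/bin/sh
# Added example: report the SpamAssassin DNS-test settings discussed in this thread.
# All file names and sample contents below are constructed for illustration.

# Print the effective dns_available value from one or more .cf files.
# Assumptions: the last occurrence wins; unset means the documented default "test".
sa_dns_available() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == "dns_available" { $1 = ""; sub(/^ +/, ""); val = $0 }
        END { print (val == "" ? "test" : val) }
    ' "$@"
}

# Succeed if a spamd start-up/options file passes -L or --local as its own
# word (bundled short flags such as -dL are not detected).
spamd_local_only() {
    awk '
        { sub(/#.*/, ""); n = split($0, tok, /[ \t"'\''=]+/)
          for (i = 1; i <= n; i++)
              if (tok[i] == "-L" || tok[i] == "--local") found = 1 }
        END { exit !found }
    ' "$1"
}

# usage: sa_dns_verdict SPAMD_OPTIONS_FILE CF_FILE...
sa_dns_verdict() {
    opts=$1; shift
    if spamd_local_only "$opts"; then
        echo "local-only"; return 0      # network tests are off entirely
    fi
    case $(sa_dns_available "$@") in
        no)    echo "dns-off" ;;         # DNS checking turned off in config
        yes)   echo "dns-on" ;;          # DNS assumed available, no probe
        test*) echo "dns-probed" ;;      # availability decided by NS test queries
        *)     echo "unknown" ;;
    esac
}

# Constructed sample files standing in for two servers' settings.
demo() {
    d=$(mktemp -d) || return 1
    printf 'SPAMDOPTIONS="-d -c -m5 -H"\n' > "$d/good.opts"
    printf 'SPAMDOPTIONS="-d -L -m5"\n'    > "$d/bad.opts"
    printf '# dns_available no\nrequired_score 5.0\n' > "$d/good.cf"
    printf 'dns_available test: domain1.tld domain2.tld\ndns_available no\n' > "$d/bad.cf"
    echo "good server:       $(sa_dns_verdict "$d/good.opts" "$d/good.cf")"
    echo "bad opts, good cf: $(sa_dns_verdict "$d/bad.opts"  "$d/good.cf")"
    echo "good opts, bad cf: $(sa_dns_verdict "$d/good.opts" "$d/bad.cf")"
    rm -rf "$d"
}
demo
```

Run sa_dns_verdict on each server with that host's real spamd options file and .cf files; a different verdict on the one server that reports NO_DNS_FOR_FROM shows which setting to look at first.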
 
  

