DNS resolution issue for certain domains with Postfix.

GGamodeur · 2025-04-08T20:52:06+00:00

Hello,
I recently installed Mailcow and I’m encountering some difficulties with receiving emails. I’m not sure if you’ll be able to help me. I apologize in advance for my poor English.
I noticed that I’m not receiving certain emails, and after investigating a bit, I realized that the issue is happening at the Postfix level.

08/04/2025 22:05:43 info NOQUEUE: reject: RCPT from unknown[91.211.164.20]: 450 4.1.8 <noreply@ldlc.com>: Sender address rejected: Domain not found; from=<noreply@ldlc.com> to=<exemple@exemple.com> proto=ESMTP helo=<mail.groupe-ldlc.com>

My first instinct was to run a “dig” from the different containers.

Posfix:

dig ldlc.com => KO

root@7325df837d6f:/etc/postfix# dig ldlc.com

; <<>> DiG 9.18.33-1_deb12u2-Debian <<>> ldlc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26655
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ldlc.com. IN A

;; Query time: 4003 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Tue Apr 08 22:39:00 CEST 2025
;; MSG SIZE rcvd: 26

dig google.com => OK

root@7325df837d6f:/etc/postfix# dig google.fr

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> google.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.fr.                     IN      A

;; ANSWER SECTION:
google.fr.              300     IN      A       142.250.179.99

;; Query time: 395 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Tue Apr 08 22:39:40 CEST 2025
;; MSG SIZE  rcvd: 54

Dovecot

dig ldlc.com => KO
dig google.com => OK

Unbound

dig ldlc.com => OK
dig google.com => OK

On the machine that hosts all the containers.

dig ldlc.com => OK
dig google.com => OK

My server has both an IPv4 and an IPv6 address.

If you need more information, don’t hesitate to ask.
Thank you for your help.

DocFraggle · 2025-04-08T21:11:46+00:00

Run

dig +trace ldlc.com

to see where it’s failing

GGamodeur · 2025-04-09T05:31:58+00:00

DocFraggle

root@7325df837d6f:/# dig +trace ldlc.com

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +trace ldlc.com
;; global options: +cmd
.			44195	IN	NS	l.root-servers.net.
.			44195	IN	NS	c.root-servers.net.
.			44195	IN	NS	a.root-servers.net.
.			44195	IN	NS	k.root-servers.net.
.			44195	IN	NS	j.root-servers.net.
.			44195	IN	NS	d.root-servers.net.
.			44195	IN	NS	i.root-servers.net.
.			44195	IN	NS	e.root-servers.net.
.			44195	IN	NS	f.root-servers.net.
.			44195	IN	NS	g.root-servers.net.
.			44195	IN	NS	h.root-servers.net.
.			44195	IN	NS	b.root-servers.net.
.			44195	IN	NS	m.root-servers.net.
.			44195	IN	RRSIG	NS 8 0 518400 20250421170000 20250408160000 53148 . HEfVigBsoJQoHTY26YsMjEfiu4GXYus0kZOPVhf/faffwq6OZvYZ283y hjIt5alPBCHyCgXS6FI5GuDs0CP/NpYY1HpL5MNf4Kuyi0i1HWIPGTZB 5vKijMWtBPcRnXFQOlgHwsrvzZqMs4LW5yDt6PSGG/8r4IYVceSTVNH3 Lbbg25y7Q5qp8KgnS3JjACk1u+kTHwPl2M5RZj9n7E3HUuxfa5sN08rc bsXVs7wDk1JCgNTaRGNmhhYhEHqP0tZ0A2pMKjZtxdCHDCRgnZYrw1Nk LzMEaY2alikCfFjpaTIuL1f/i6gxwUZjs2YwyNX/BsDrG9tRCA/KJkRl SHHoNA==
;; Received 525 bytes from 127.0.0.11#53(127.0.0.11) in 0 ms

com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			86400	IN	DS	19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.			86400	IN	RRSIG	DS 8 1 86400 20250421200000 20250408190000 53148 . ddXeXhrcxQ5H/1tkqEg25/Xb4QTBNdqf56t0EXP/hFwh/+MwVnMD4ORz 0dWiq1CL2mzKDIXCFEfzjzW90STjKhfSj1hQhdMqvMZV0Pny7zIJ1b5x vJPEPHf8Awb6/dgjszEz57UCxE57oF4FP9Ru0/f8oTJlqD911ay4n7y5 Q9Upnj5T/3QDQmuWQ1G5prlZPSJrVbPyfbxwry1u3nbixr/V7+T6sCh6 59c97om+fFW+k6Vgy1V/oE81hAv2quoVplZj8VlNpbAriuJF9ItmQHEW fkNX0giXiAugkE66QUHwD5jWgnW4EsJoAvGUyCI8ruRp2szu8HKpos1G aifaoQ==
;; Received 1196 bytes from 2001:500:2::c#53(c.root-servers.net) in 7 ms

ldlc.com.		172800	IN	NS	ns10.groupe-ldlc.com.
ldlc.com.		172800	IN	NS	ns20.groupe-ldlc.com.
ldlc.com.		172800	IN	NS	ns30.groupe-ldlc.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250413021040 20250406010040 23202 com. q2m1iXdbJn0UrtzQuUdkWW3rTB9+0zhmZADiPGEhxx6T+jilxd4HRJib f0mv41QUxTzRyNg4FaWdgXNQfQcCuQ==
A0JS98UQ20CQ5DEOKDDSI3MOQCF5O39C.com. 900 IN NSEC3 1 1 0 - A0JSD7GUHMIETL081PKSOATA41P6R8DR NS DS RRSIG
A0JS98UQ20CQ5DEOKDDSI3MOQCF5O39C.com. 900 IN RRSIG NSEC3 13 2 900 20250413024610 20250406013610 23202 com. VcJCWwEXpm0vAPxRXgWwfVKaJjtMUITJckR2UibHni0nGTBg6Vyz8DMa HmBwaAsTM210p5qwCEOP4fJysUCh9A==
couldn't get address for 'ns10.groupe-ldlc.com': failure
couldn't get address for 'ns20.groupe-ldlc.com': failure
couldn't get address for 'ns30.groupe-ldlc.com': failure
dig: couldn't get address for 'ns10.groupe-ldlc.com': no more

DocFraggle · 2025-04-09T06:10:35+00:00

Gamodeur

couldn't get address for 'ns10.groupe-ldlc.com': failure
couldn't get address for 'ns20.groupe-ldlc.com': failure
couldn't get address for 'ns30.groupe-ldlc.com': failure
dig: couldn't get address for 'ns10.groupe-ldlc.com': no more

That’s strange… do you have any kind of external firewall or a separate firewall running on the host system which may block packets? selinux maybe?

GGamodeur · 2025-04-09T15:48:09+00:00

DocFraggle
Thank you for your response. Indeed, the issue was coming from the “Edge Network Firewall” of my hosting provider, OVH. I hadn’t really checked that point because most DNS resolutions were working fine or, in some cases, only partially. I also adjusted some long response times on my SMTP along the way.