🐛: TLSA records cannot be fetched due to timeout #1255

clamydo opened this issue Feb 26, 2025 · 0 comments
Labels
bug Something isn't working


clamydo commented Feb 26, 2025

What happened?

In the troubleshooter as well as when actually delivering mail, Stalwart fails to fetch the DANE TLSA records due to a timeout.

I get log messages like:

INFO Error fetching TLSA record (dane.tlsa-record-fetch-error) queueId = 226831316630802434, from = "[email protected]", to = ["[email protected]"], size = 2376, total = 1, domain = "posteo.de", hostname = "mx04.posteo.de", causedBy = DNS error (mail-auth.dns-error) { details = "request timed out" }, strict = false, elapsed = 15004ms

Setting the level to debug does not reveal more.

I have confirmed that I can manually fetch those records on the server:

$ resolvectl tlsa mx01.posteo.de:25
_25._tcp.mx01.posteo.de IN TLSA 3 1 1 2a2413f46c23290866a3fb9c1658a404bcf6a71373d002a29d67c23ed8df298d
        -- Cert. usage: Domain-issued certificate
        -- Selector: SubjectPublicKeyInfo
        -- Matching type: SHA-256 -- link: eth0
_25._tcp.mx01.posteo.de IN TLSA 3 1 1 2ad38769dc6a92ed98fb7a45514c0a74919ebc9fa13514c5c742c92080a66874
        -- Cert. usage: Domain-issued certificate
        -- Selector: SubjectPublicKeyInfo
        -- Matching type: SHA-256 -- link: eth0
_25._tcp.mx01.posteo.de IN TLSA 3 1 1 a73a9adb16bd5a4131df79c446438e138da78fbb64d4ebad97017a4fad4ec92e
        -- Cert. usage: Domain-issued certificate
        -- Selector: SubjectPublicKeyInfo
        -- Matching type: SHA-256 -- link: eth0
_25._tcp.mx01.posteo.de IN TLSA 3 1 1 13815b2c03f7bd63c54869706428442edab706d5b018a27575ca989129a196d5
        -- Cert. usage: Domain-issued certificate
        -- Selector: SubjectPublicKeyInfo
        -- Matching type: SHA-256 -- link: eth0
-- Information acquired via protocol DNS in 63.9ms.

and

$ dig +dnssec _25._tcp.mx01.posteo.de. TLSA

; <<>> DiG 9.18.33 <<>> +dnssec _25._tcp.mx01.posteo.de. TLSA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;_25._tcp.mx01.posteo.de.       IN      TLSA

;; ANSWER SECTION:
_25._tcp.mx01.posteo.de. 289    IN      TLSA    3 1 1 13815B2C03F7BD63C54869706428442EDAB706D5B018A27575CA9891 29A196D5
_25._tcp.mx01.posteo.de. 289    IN      TLSA    3 1 1 2A2413F46C23290866A3FB9C1658A404BCF6A71373D002A29D67C23E D8DF298D
_25._tcp.mx01.posteo.de. 289    IN      TLSA    3 1 1 2AD38769DC6A92ED98FB7A45514C0A74919EBC9FA13514C5C742C920 80A66874
_25._tcp.mx01.posteo.de. 289    IN      TLSA    3 1 1 A73A9ADB16BD5A4131DF79C446438E138DA78FBB64D4EBAD97017A4F AD4EC92E
_25._tcp.mx01.posteo.de. 289    IN      RRSIG   TLSA 8 5 900 20250306000000 20250213000000 23244 posteo.de. sEtd+wZADzl4V5huz6fOAJGPtQ7ef7nb1mgw8XdgJ8qhiUbh2/pDwV/w Ry218zGCwJIqh/M6Oem5LjPWY3MC4ABROJJSt4b60+8J9obaAVhk+n28 VcsyVkyVAfvNH/ugvk9ipOrXFL5VJKOy84+2ugJNrnxhH7E6jQijCQbp AfLlgCytHBJdPT5blplEESSwII4frLEnq+g8tEbnrEPipKLDUrVJ5kVv xCsxG37RB0Xx5siaaUAnW0E8l6AELxONYRWBBJ/CvMCMHHX6aJLt8oII dXHuotn8U6TOT2deMI9QruJAn5YLv/3pwWbk3PN55W+8QOBGu//PddIf chufRA==

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Feb 26 11:29:42 CET 2025
;; MSG SIZE  rcvd: 537

From the troubleshooter:

Email Delivery Process

MX Lookup for posteo.de

Querying MX records for domain posteo.de..

Completed in 4 ms

MX Lookup Successful

Successfully fetched MX records for domain.

    mx01.posteo.de., mx03.posteo.de., mx04.posteo.de. with preference 10

MTA-STS Policy Fetch

Fetching MTA-STS policy for domain...

Completed in 69 ms

MTA-STS Policy Fetched Successfully

Successfully fetched MTA-STS policy for domain

    Enforce policy
    Policy authorizes MX mx01.posteo.de
    Policy authorizes MX mx03.posteo.de
    Policy authorizes MX mx04.posteo.de
    Policy authorizes MX posteo.de
    Policy ID is 20210422082040Z
    Policy max-age is 1209600

TLS-RPT Record Fetch

Fetching TLS Reporting record for host...

Completed in 57 ms

TLS-RPT Record Fetched Successfully

TLS Reporting record for host fetched successfully.

    Send TLS report to e-mail [email protected]

Delivery attempt to host mx04.posteo.de

Attempting to deliver message to host mx04.posteo.de...

MTA-STS Verification Successful

This host is authorized by the published MTA-STS policy.

TLSA Record Lookup

Looking up TLSA records for host...

Completed in 15 seconds and 4 ms

TLSA Record Lookup Failed

DNS resolution error: request timed out

IP Address Lookup

Looking up A and AAAA records for host...

Completed in 8 ms

IP Address Lookup Successful

Successfully fetched A/AAAA records for host.

    185.67.36.64
    185.67.36.71

Connecting to 185.67.36.64

Attempting to establish TCP connection to 185.67.36.64 on port 25...

Completed in 4 ms

Connection Established

Successfully connected to remote SMTP server.

SMTP Greeting Read

Reading SMTP greeting from remote host...

Completed in 718 ms

SMTP Greeting Read Successfully

Successfully read SMTP greeting.

EHLO Stage

Sending EHLO command to remote host...

Completed in 4 ms

EHLO Command Accepted

EHLO command accepted by remote host.

Starting TLS

Attempting to upgrade clear-text connection to TLS...

Completed in 14 ms

TLS Handshake Successful

Successfully upgraded the connection to TLS.

EHLO Stage

Sending EHLO command to remote host...

Completed in 11 ms

EHLO Command Accepted

EHLO command accepted by remote host.

Close Connection

Sending QUIT command and closing connection...

Completed in 4 ms

Connection Closed

SMTP Transaction finished.

How can we reproduce the problem?

Run the troubleshooter for a DANE-enabled domain or send an e-mail.

Version

v0.11.x (Using 0.11.6-unstable-2025-02-04 on NixOS)

What database are you using?

RocksDB

What blob storage are you using?

RocksDB

Where is your directory located?

Internal

What operating system are you using?

Linux

Relevant log output

INFO Error fetching TLSA record (dane.tlsa-record-fetch-error) queueId = 226831316630802434, from = "[email protected]", to = ["[email protected]"], size = 2376, total = 1, domain = "posteo.de", hostname = "mx04.posteo.de", causedBy = DNS error (mail-auth.dns-error) { details = "request timed out" }, strict = false, elapsed = 15004ms

Code of Conduct

  • I agree to follow this project's Code of Conduct
@clamydo clamydo added the bug Something isn't working label Feb 26, 2025
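
A log triage sketch for the event quoted in this issue (an added example, not part of the original report and not Stalwart code): it parses `dane.tlsa-record-fetch-error` lines and counts, per MX host, how many TLSA lookups failed with `strict = false`, the case where the troubleshooter trace above went on to STARTTLS without TLSA validation. The field layout is assumed from the single line shown, reading `strict = true` as "DANE required" is an assumption, and the second sample line is constructed.

```python
import re
from collections import defaultdict

EVENT = "dane.tlsa-record-fetch-error"
# Matches key = "quoted value" or key = bareword (numbers, true/false, 15004ms).
FIELD = re.compile(r'(\w+) = ("[^"]*"|\w+)')

# First line is copied from the issue; the second is constructed for contrast.
SAMPLE_LOG = [
    'INFO Error fetching TLSA record (dane.tlsa-record-fetch-error) queueId = 226831316630802434, from = "[email protected]", to = ["[email protected]"], size = 2376, total = 1, domain = "posteo.de", hostname = "mx04.posteo.de", causedBy = DNS error (mail-auth.dns-error) { details = "request timed out" }, strict = false, elapsed = 15004ms',
    'INFO Error fetching TLSA record (dane.tlsa-record-fetch-error) queueId = 1, from = "a@example.org", to = ["b@example.net"], size = 10, total = 1, domain = "example.net", hostname = "mx.example.net", causedBy = DNS error (mail-auth.dns-error) { details = "request timed out" }, strict = true, elapsed = 15001ms',
]


def parse_event(line):
    """Return the fields of one TLSA fetch-error line, or None for other lines."""
    if EVENT not in line:
        return None
    fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
    return {
        "domain": fields.get("domain"),
        "hostname": fields.get("hostname"),
        "details": fields.get("details", ""),
        "strict": fields.get("strict") == "true",
        "elapsed_ms": int(fields.get("elapsed", "0ms").removesuffix("ms")),
    }


def triage(lines):
    """Per MX host: lookups that failed with and without DANE being required."""
    report = defaultdict(lambda: {"unenforced": 0, "enforced": 0, "timeouts": 0})
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        row = report[event["hostname"]]
        # strict = false: the failure was logged but DANE was not required.
        row["enforced" if event["strict"] else "unenforced"] += 1
        if "timed out" in event["details"]:
            row["timeouts"] += 1
    return dict(report)


if __name__ == "__main__":
    for host, row in triage(SAMPLE_LOG).items():
        print(host, row)
```

Hosts with a non-zero `unenforced` count are the ones to check against the resolver, since every such message was sent without the TLSA check having run.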