dns: no callback / mail bounce

webspacez

Verified User
Joined
Apr 29, 2020
Messages
8
I have a client who has trouble receiving email from an Exchange server. In my maillog I get the following error and can't work out why our server is rejecting the email. I think I have read every page on the internet but have not found a clear explanation for this problem. My sys admin says that it is something on their side, but the company can mail the whole world except us.

Jul 22 16:27:11 web01 spamd[153901]: dns: no callback for id 58357/IN/A/whatever.com.multi.surbl.org, ignored, packet on next debug line
Jul 22 16:27:11 web01 spamd[153901]: dns: no likely matching queries for id 58357
Jul 22 16:27:11 web01 spamd[153901]: dns: no callback for id 49040/IN/A/recieveremail.com.multi.surbl.org, ignored, packet on next debug line
Jul 22 16:27:11 web01 spamd[153901]: dns: no likely matching queries for id 49040

Does someone have any idea what is going on??
 
Apparently you have spamassassin configured to do dns lookups.

dns_options opts (default: norotate, nodns0x20, edns=4096)
..........

Option dns0x20 enables randomization of letters in a DNS query label according to draft-vixie-dnsext-dns0x20, decreasing a chance of collisions of responses (by chance or by a malicious intent) by increasing spread as provided by a 16-bit query ID and up to 16 bits of a port number, with additional bits as encoded by flipping case (upper/lower) of letters in a query. The number of additional random bits corresponds to the number of letters in a query label. Should work reliably with all mainstream DNS servers - do not turn on if you see frequent info messages "dns: no callback for id:" in the log, or if RBL or URIDNS lookups do not work for no apparent reason.
 
First, thanks for your fast reply. It took some time to fix the above, but now I have a different error in the log file.

2020-07-27 12:33:17 TLS error on connection from mailserver.ofsomeone.com [89.140.99.106] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

It is weird, as we are only having this problem with two Exchange servers that are being rejected by our server. The rest of the email works fine. Any ideas, anybody?
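An added example, not code from this thread or from DirectAdmin: it runs over constructed spamd and Exim-style log lines modelled on the two kinds posted above, counting the "no callback" replies per RBL zone (the signal the SpamAssassin docs tie to dns0x20) and the "no shared cipher" handshake failures per remote peer, so you can see how many peers are actually affected before loosening the server's TLS configuration. The three-label zone heuristic, the mx.example.net peer and the assumption that the TLS line comes from Exim are mine.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the thread's messages; the
# mx.example.net peer and timestamps after 12:33 are invented for illustration.
SAMPLE_LOG = """\
Jul 22 16:27:11 web01 spamd[153901]: dns: no callback for id 58357/IN/A/whatever.com.multi.surbl.org, ignored, packet on next debug line
Jul 22 16:27:11 web01 spamd[153901]: dns: no likely matching queries for id 58357
Jul 22 16:27:11 web01 spamd[153901]: dns: no callback for id 49040/IN/A/recieveremail.com.multi.surbl.org, ignored, packet on next debug line
2020-07-27 12:33:17 TLS error on connection from mailserver.ofsomeone.com [89.140.99.106] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-07-27 12:35:02 TLS error on connection from mailserver.ofsomeone.com [89.140.99.106] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2020-07-27 12:40:45 TLS error on connection from mx.example.net [192.0.2.10] (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# spamd "no callback" line: query id, record type and the queried name.
DNS_NO_CALLBACK = re.compile(
    r"spamd\[\d+\]: dns: no callback for id (?P<id>\d+)/IN/(?P<type>[A-Z]+)/(?P<name>[^,\s]+)")
# Exim-style TLS handshake failure: the client offered no cipher we accept.
TLS_NO_CIPHER = re.compile(
    r"TLS error on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\] \(SSL_accept\): .*no shared cipher")


def rbl_zone(query_name):
    """Heuristic (assumed): the RBL zone is the last three labels, e.g. multi.surbl.org."""
    labels = query_name.rstrip(".").split(".")
    return ".".join(labels[-3:])


def analyse(log_text):
    """Count 'no callback' events per RBL zone and 'no shared cipher' failures per peer."""
    dns_by_zone, tls_by_peer = Counter(), Counter()
    for line in log_text.splitlines():
        m = DNS_NO_CALLBACK.search(line)
        if m:
            dns_by_zone[rbl_zone(m["name"])] += 1
            continue
        m = TLS_NO_CIPHER.search(line)
        if m:
            tls_by_peer[(m["host"], m["ip"])] += 1
    return {"dns_no_callback": dict(dns_by_zone),
            "tls_no_shared_cipher": dict(tls_by_peer)}


def findings(report):
    """Turn the counts into operator-facing findings, one string each."""
    out = []
    for zone, n in sorted(report["dns_no_callback"].items()):
        out.append(f"spamd: {n} 'no callback' replies for zone {zone}; frequent "
                   "occurrences are the documented signal to keep dns0x20 off")
    for (host, ip), n in sorted(report["tls_no_shared_cipher"].items()):
        out.append(f"exim: {n} handshake(s) from {host} [{ip}] failed with 'no shared "
                   "cipher'; the peer offers no TLS version/cipher our server accepts")
    return out
```

Run `findings(analyse(open("/var/log/exim/mainlog").read()))` against a real log to get the per-peer list.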
 

YUP, the admins of those Exchange servers should take some action; they can find a how-to in the Microsoft docs.

You should have old protocols such as SSL 3 and TLS 1.0/1.1 switched off on your DA box, but read up on security, TLS versions and ciphers; then you can decide how safe or unsafe you want your configs.
 
It's a bit hard to tell 2x multinationals to change their config. Is there a way in DA that I can accept old SSL / TLS so my client can receive emails from their client? Or is this a BIG NO GO??

Strange thing is that it always worked until 5x weeks ago. Could it be that something changed with an update of DA? And they can email everybody except us..
 
Its a bit hard to tell 2x multi nationals to change their config.
It's less hard if you tell them Gmail and Microsoft (the biggest mail companies in the world) are going to drop TLS 1.0 and 1.1 too. It's time to upgrade.

Anyway, if I'm not mistaken, you can still switch to the old method, in directadmin.conf you have to change this setting from intermediate to old:
Code:
 ssl_configuration=old
Don't forget to restart directadmin.

Maybe you can find additional info in this thread:
 
Unfortunately big companies often have outdated Exchange configs, but it forces me to use backward compatibility, I suppose. I will give it a try and let you know if it solved the problem. Thank you so much!
The DA community Rocks!
 

Please take care to have a signed kind of "contract" saying they are using some old, unsafe software, with some lines stating that they are responsible if something goes wrong.

Please also make sure that they are responsible for their own backups and some more.

In Holland there was a case where the IT service partner had to pay damages after a hack, even after telling the company some.... so better have it written out and signed then!

Even multi or KING... :whistle:

I did point out some of the bigger .., they did change in Q1 2020 then.
 
In the end I had to tell 2 (BIG) multinationals to update their own machines, but I was able to give them a good reason for this. Just telling them that their email bounces / gets rejected by our server would be very unprofessional. So yet again, thank you all!
 
Just to tell them that their email bounces / get rejected by our server would be very unprofessional.
You would be correct with that. But stating you/they can't keep using deprecated older (EOL) and unsafe protocols would be professional enough.
 