testmxlookup — Look up mail servers for a domain
testmxlookup
[ @ip-address
| --dnssec | --udpsize n
| --sts | --sts-override=mode
| --sts-purge ] {domain
}
testmxlookup
{ --sts-expire | --sts-cache-disable | --sts-cache-enable | --sts-cache-enable=size
}
testmxlookup reports the names and IP addresses of mail
servers that receive mail for the domain
,
as well as the domain
's published
STS policy.
This is useful in diagnosing mail delivery problems.
testmxlookup sends a DNS MX query for the specified domain, followed by A/AAAA queries, if needed. testmxlookup lists the hostname and the IP address of every mail server, and its MX priority. The domain's strict transport security (STS) policy status, if one is published, precedes the mail server list.
The error message “Hard error” indicates that the domain does not exist, or does not have any mail servers. The error message "Soft error" indicates a temporary error condition (usually a network failure of some sorts, or the local DNS server is down).
“STS: testing” or “STS: enforcing” preceding the list of mail servers indicates that the domain publishes an STS policy. “ERROR: STS Policy verification failed” appearing after an individual mail server indicates that the mail server's name does not meet the domain's STS policy.
“STS: testing” or “STS: enforcing” by itself, with no further messages, indicates that all listed mail servers comply with the listed STS policy. If you are attempting to install your own STS policy this is a simple means of checking its validity.
@ip-address
Specify the DNS server's IP address, where to send the DNS
query to, overriding the default DNS server addresses read from
/etc/resolv.conf
.
“ip-address” must be a literal, numeric, IP address.
--dnssec
Enable the DNSSEC
extension. If the DNS
server has DNSSEC
enabled, and the
specified domain's DNS records are signed, the list of
IP addresses is suffixed by “(DNSSEC)”, indicating
a signed response.
This is a diagnostic option. Older DNS servers may respond with an error, to a DNSSEC query.
--udpsize
n
Specify that n
is the largest
UDP packet size that the DNS server may
send. This option is only valid together with
“--dnssec”.
If “--dnssec” always returns an error, try
“--udpsize 512” (the default setting is 1280
bytes, which is adequate for Ethernet, but other kinds of
networks may impose lower limits).
--sts
Do not issue an MX query, and display the domain's raw STS policy file.
--sts-cache-disable
Turn off STS lookups, checking, and
verification. STS is enabled by default,
but requires that a global systemwide list of
SSL certificate authorities is available, and
that TLS_TRUSTCERTS
is specified in
/etc/courier/courierd. STS can be disabled,
if needed.
--sts-cache-enable
Reenable STS lookups, checking, and
verification, and set the size of the internal cache to its
default value. Specify “=size
”
to enable and set a non-default cache size, a positive value
indicating the approximate number of most recent domains
whose STS policies get cached internally.
--sts-override=policy
Override the domain's
STS enforcement mode.
policy
is one of:
“none”,
“testing”, or
“enforce”, and overrides the cached
domain STS policy setting.
This is a diagnostic or a testing tool. Courier may eventually purge the cached policy setting, or the domain can update its policy, replacing the overridden setting.
--sts-purge
Remove the domain's cached STS policy, and retrieve and cache the domain's policy, again.
--sts-expire
Execute
Courier's
STS policy expiration process. Nothing
happens unless
/var/spool/courier/sts
's size exceeds the
configured cache size setting.
The oldest cached policy files get removed
to bring the cache size down to its maximum size.
Courier automatically downloads and caches domains' STS policy files by default, in an internal cache with a default size of 1000 domains.
The cache size setting is approximate.
Courier
purges stale cache entries periodically, and the size of the
cache can temporarily exceed its set size, by as much as a factor
of two.
/var/spool/courier/sts
must be owned by daemon:daemon, and uses one file
per mail domain. The maximum cache size depends on the
capabilities of the underlying filesystem.
testmxlookup must be executed with sufficient privileges to access the cache directory (by root, or by daemon). Without sufficient privileges testmxlookup still attempts to use the cache directory even without write permissions on it, as long as it's accessible, and attempts to download the STS policy for a domain that's not already cached; but, of course, won't be able to save the downloaded policy in the cache directory.