Exim4 cannot resolve DNS queries

I would like to ask for help as I’m experiencing issues with delivering and receiving emails on Hestia. Emails are getting stuck in the queue because Exim defers the delivery endlessly, and the error message says:

2024-05-09 11:34:32 1s55RG-001x5z-Jv == [email protected] R=dnslookup T=remote_smtp defer (-54): retry time not reached for any host for 'gmail.com'

I’m using an Ubuntu 22.04 instance on Oracle OCI, without any DNS server configured on the OCI infrastructure (do I need to configure it?). I’m located in Europe, and the server is in South America (I initially thought it might be due to latency, but after local checks, it seems not).

I found discussions in the forum about issues related to Spamhaus and public resolvers. Initially, I used Cloudflare (1.1.1.1) as my resolver, but then I switched to Quad9 (9.9.9.9).

I ran dig +short @9.9.9.9 "$(echo '136.147.183.216' | awk -F '.' '{print $4,$3,$2,$1}' | sed 's/\s/\./g' | sed 's/$/\.zen\.spamhaus\.org/')" and the response was empty, indicating everything is okay. However, I still cannot deliver emails.

After struggling with this issue, I decided to go back to basic tests. I tried telnet alt1.gmail-smtp-in.l.google.com 25, but there was no response. The port is open on iptables, and on Oracle, I have ingress/egress open to all ports. I’m not sure what’s happening here.

To work around the problem, I configured an external SMTP (smtp2go). It initially delivers emails, but randomly starts giving errors like “cannot resolve gmail,” causing all emails to fail and get stuck in the queue.

Oracle Cloud usually blocks outbound connections to port 25; you should talk to them just in case they can unblock it for you.

You could show the entire exim log of one of those deferred mails.

To view messages in queue:
exim -bp

Then you will get the ids for queued mails and you could check exim logs to view what is happening with that mail.

For example, if you get the id 1qvIUn-000444-0p, to search exim logs, use this exigrep command:

exigrep 1qvIUn-000444-0p /var/log/exim4/mainlog*
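The triage the reply above describes by hand (list the queue, take the message IDs, grep the main log for them), as one POSIX shell script. This is an added example, not code from the thread or from Hestia; the queue listing and log lines it runs on are constructed samples in Exim's own formats, reusing the two message IDs quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: do the exim -bp / exigrep
# triage in one pass. The queue listing and the log lines below are
# constructed samples in Exim's own formats; the message IDs are the
# two quoted in the thread.

# Constructed `exim -bp` output: age, size, message ID, sender, then each
# pending recipient on an indented line; frozen messages carry a marker.
SAMPLE_QUEUE=" 2h  1.2K 1s55RG-001x5z-Jv <sender@example.org>
          someone@gmail.com

25m  1.5K 1qvIUn-000444-0p <sender@example.org> *** frozen ***
          other@example.net"

# Constructed /var/log/exim4/mainlog lines for the same two messages.
SAMPLE_LOG="2024-05-09 11:20:01 1s55RG-001x5z-Jv == someone@gmail.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2024-05-09 11:34:32 1s55RG-001x5z-Jv == someone@gmail.com R=dnslookup T=remote_smtp defer (-54): retry time not reached for any host for 'gmail.com'
2024-05-09 11:40:00 1qvIUn-000444-0p == other@example.net R=dnslookup T=remote_smtp defer (-1): host lookup did not complete"

# Message IDs sit in the third column of the header lines. Recipient lines
# have one column and never match the ID shape, so no other filtering is
# needed (this is what `exiqgrep -i` prints on a live box).
queue_ids() {
    printf '%s\n' "$1" | awk 'NF >= 4 { print $3 }' \
        | grep -Ex '[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}'
}

# Most recent deferral recorded for one message ID, reduced to the reason
# after Exim's "defer (code): " prefix. $1 = message ID, $2 = log text.
defer_reason() {
    printf '%s\n' "$2" | grep -F " $1 " | grep ' defer (' | tail -n 1 \
        | sed 's/.*defer ([-0-9]*): //'
}

# One line per queued message: its ID and why the last attempt deferred.
# $1 = `exim -bp` output, $2 = mainlog text.
queue_report() {
    queue_ids "$1" | while read -r id; do
        printf '%s  %s\n' "$id" "$(defer_reason "$id" "$2")"
    done
}

queue_report "$SAMPLE_QUEUE" "$SAMPLE_LOG"
```

On the server itself run `queue_report "$(exim -bp)" "$(cat /var/log/exim4/mainlog)"`; for the full history of one message keep using `exigrep ID /var/log/exim4/mainlog*` as above, or `exim -Mvl ID` to read that message's own log file.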

I forgot to say that you shouldn’t use 9.9.9.9 either.

$ for i in {01..10};do echo -n "Test $i: "; dig +short @9.9.9.9 "$(echo '136.147.183.216' | awk -F '.' '{OFS="."; print $4,$3,$2,$1}' | sed 's/$/\.zen\.spamhaus\.org/')";echo; done | grep '^T'
Test 01: 
Test 02: 
Test 03: 
Test 04: 
Test 05: 127.255.255.254
Test 06: 127.255.255.254
Test 07: 127.255.255.254
Test 08: 127.255.255.254
Test 09: 127.255.255.254
Test 10: 

Second try:

$ for i in {01..10};do echo -n "Test $i: "; dig +short @9.9.9.9 "$(echo '136.147.183.216' | awk -F '.' '{OFS="."; print $4,$3,$2,$1}' | sed 's/$/\.zen\.spamhaus\.org/')";echo; done | grep '^T'
Test 01: 127.255.255.254
Test 02: 127.255.255.254
Test 03: 127.255.255.254
Test 04: 127.255.255.254
Test 05: 127.255.255.254
Test 06: 127.255.255.254
Test 07: 127.255.255.254
Test 08: 127.255.255.254
Test 09: 127.255.255.254
Test 10: 127.255.255.254

If you still want to use a public DNS, use 8.8.8.8. See edit below.

$ for i in {01..10};do echo -n "Test $i: "; dig +short @8.8.8.8 "$(echo '136.147.183.216' | awk -F '.' '{OFS="."; print $4,$3,$2,$1}' | sed 's/$/\.zen\.spamhaus\.org/')";echo; done | grep '^T'
Test 01: 
Test 02: 
Test 03: 
Test 04: 
Test 05: 
Test 06: 
Test 07: 
Test 08: 
Test 09: 
Test 10: 

Edit: I’ve been testing it, and Google DNS won’t get any error, BUT it always gets a blank answer, so it isn’t useful to check IPs.

See below reply to view an example.

If you want to use a free public dns that is allowed (at the time of writing this post) by Spamhaus, you could use ControlD DNS (76.76.2.0)

If you test ip 127.0.0.2 against Zen Spamhaus, you should get that the ip is listed 3 times (by PBL, XBL and SBL).

$ dig @76.76.2.0 2.0.0.127.zen.spamhaus.org txt +short
"Listed by PBL, see https://check.spamhaus.org/query/ip/127.0.0.2"
"Listed by XBL, see https://check.spamhaus.org/query/ip/127.0.0.2"
"Listed by SBL, see https://check.spamhaus.org/sbl/query/SBL2"

Let’s see what happens when using 8.8.8.8… spoiler… nothing!

$ dig @8.8.8.8 2.0.0.127.zen.spamhaus.org txt +short

While we’re at it, let’s try 9.9.9.9 as well:

$ dig @9.9.9.9 2.0.0.127.zen.spamhaus.org txt +short
"Listed by SBL, see https://check.spamhaus.org/sbl/query/SBL2"
"Listed by PBL, see https://check.spamhaus.org/query/ip/127.0.0.2"
"Listed by XBL, see https://check.spamhaus.org/query/ip/127.0.0.2"

And it works… but it is because Spamhaus is not blocking all public IPs used by 9.9.9.9 to query Spamhaus DNS servers, so if we try again…

$ dig @9.9.9.9 2.0.0.127.zen.spamhaus.org txt +short
"Error: open resolver; https://check.spamhaus.org/returnc/pub/74.63.25.238/"

Conclusion: you should not use 1.1.1.1, 9.9.9.9 or 8.8.8.8 as your DNS resolvers.

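The two replies above run the same zen.spamhaus.org lookups by hand and read the answers by eye. The script below, an added example that is not code from the thread, does the same lookup but interprets the answer: listing codes (127.0.0.x) are told apart from Spamhaus's error codes (127.255.255.x, including the 127.255.255.254 "open resolver" answer seen through 9.9.9.9), and a blank answer is treated as ambiguous, because "not listed" and "resolver returns nothing for this zone" (the 8.8.8.8 case) look identical, which is why the 127.0.0.2 control lookup from the last reply comes first. Only `dig` and POSIX shell are assumed; the address 136.147.183.216 is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: query zen.spamhaus.org for an
# IP the way the replies above do with dig, and read the answer properly.
# Return codes used below are Spamhaus's documented zen codes.

# Reverse a dotted quad: 136.147.183.216 -> 216.183.147.136
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ OFS="."; print $4, $3, $2, $1 }'
}

# Name to look up in zen for an IP.
zen_name() {
    printf '%s.zen.spamhaus.org\n' "$(reverse_ip "$1")"
}

# Interpret one A record from a zen answer.
classify() {
    case "$1" in
        127.255.255.252) echo "ERROR: malformed query" ;;
        127.255.255.254) echo "ERROR: public/open resolver, query refused" ;;
        127.255.255.255) echo "ERROR: query limit exceeded" ;;
        127.0.0.2)       echo "LISTED: SBL" ;;
        127.0.0.3)       echo "LISTED: CSS" ;;
        127.0.0.[4-7])   echo "LISTED: XBL" ;;
        127.0.0.9)       echo "LISTED: DROP/EDROP" ;;
        127.0.0.1[01])   echo "LISTED: PBL" ;;
        127.*)           echo "LISTED: unknown zen code $1" ;;
        *)               echo "ERROR: unexpected answer $1" ;;
    esac
}

# Interpret a whole `dig +short ... A` answer read from stdin. An empty
# answer is NOT proof of a clean IP: a resolver that is blocked by Spamhaus
# can return nothing too, which is why check_ip tests a control first.
classify_answer() {
    answer=$(cat)
    if [ -z "$answer" ]; then
        echo "not listed (or the resolver returned nothing)"
        return 0
    fi
    printf '%s\n' "$answer" | while read -r rec; do classify "$rec"; done
}

# Live check (needs network and dig): $1 = resolver, $2 = IP to test.
# 127.0.0.2 is always listed in zen, so a resolver that cannot return a
# 127.0.0.x listing for it is unusable for this zone; exit status 2.
check_ip() {
    control=$(dig +short "@$1" 2.0.0.127.zen.spamhaus.org A | head -n 1)
    case "$control" in
        127.0.0.*) ;;   # control address listed as expected
        '')  echo "resolver $1: blank answer for the 127.0.0.2 control, unusable for zen"; return 2 ;;
        *)   echo "resolver $1: $(classify "$control")"; return 2 ;;
    esac
    dig +short "@$1" "$(zen_name "$2")" A | classify_answer
}

# Offline demo on the answers quoted in the thread.
echo "query name for 136.147.183.216 -> $(zen_name 136.147.183.216)"
echo "9.9.9.9 answer 127.255.255.254 -> $(classify 127.255.255.254)"
echo "8.8.8.8 blank answer           -> $(printf '' | classify_answer)"
printf '127.0.0.2\n127.0.0.4\n127.0.0.10\n' | classify_answer
```

On a host with network access, `check_ip 76.76.2.0 136.147.183.216` runs the control lookup and then the real one; whatever a resolver answers for your own IP is meaningless if it fails the 127.0.0.2 control. Since any public resolver can be cut off by Spamhaus at any time, the durable fix for a mail server is a local recursive resolver that talks to the zen nameservers directly, or Spamhaus's own Data Query Service.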