Welcome to the mailbox.org user forum!
 

Previously working email alias fails with error 450? [SOLVED]

9699984 shared this question 11 months ago

Hi,

FYI.

Due to a change in domain host, the security key for my custom domain could temporarily not be resolved by DNS. This situation only lasted for ~6 hours.

The result was that my email alias "@my-domain.com" gave an error "450 4.1.8 Sender address rejected: Domain not found". Luckily this is only a temporary error and smtp servers will keep on trying to deliver the message. So you're not necessarily losing emails (in the short term).

First, I made sure the DNS was OK for my domain with the proper security key, mx servers and spf text. I made sure the DNS was propagated worldwide via https://www.whatsmydns.net with the proper info (key, mx, spf).

The email alias kept on failing, even after 10 hours of successful worldwide propagation.

Deleting the email alias from the webportal didn't help either. The custom domain can be deleted and added back. But this doesn't change the situation.

In the end, the situation resolved itself after 24 hours. Not sure why. I'm guessing it has to do with some backoffice internal mailbox.org process.

So anyone in the same situation: make sure the DNS is OK, verify it is properly propagated worldwide and then wait for 24 hours ...

Comments (23)

photo
1

[SOLVED]

photo
1

Having same issue.. Have waited over 24 hours. Any ideas?

photo
1

Please provide more details. Without any details, nobody can help.

I had a look into your account. You don't have any alias with an externally hosted domain.

photo
1

The OP use case was an externally hosted domain ("someone@somewhere.com") that was configured to work with mailbox.org (final mailbox "someone1@mailbox.org"). This requires some configurations in the domain's DNS ("somewhere.com"). When this configuration changed without the proper handover between moving DNS servers (my bad), mailbox still tries to reach the old one. Even after trying to reconfigure everything correctly in the mailbox admin interface. Hence the "not found" error. This resolved itself in a 24h delay. If your config is correct of course ... Best of luck.

photo
1

dig TXT [removed].[removed].org.

; <<>> DiG 9.13.0 <<>> TXT [removed].[removed].org.

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19482

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

; COOKIE: [removed] (good)

;; QUESTION SECTION:

;[removed].[removed].org. IN TXT

;; ANSWER SECTION:

[removed].[removed].org. 1800 IN TXT "caa10c5c5fd2c14ce2af3c20978541809e0b573f"

;; Query time: 100 msec

;; SERVER: 192.168.0.1#53(192.168.0.1)

;; WHEN: Fri Aug 10 13:24:24 MDT 2018

;; MSG SIZE rcvd: 171

And it resolves fine from my VPS in Germany.. Not sure why Mailbox.org doesn't see it.

photo
1

I should add I've been trying for nearly 3 days.

I am grateful to you.

photo
1

For sure we see everything in the DNS that is out there. It's "just" DNS.

But if you made something wrong, then we can't analyse it, if we don't have the details.

I can't tell you anything based on "[removed].[removed].org". And there's nothing generic for the userforum. I just can tell you: if it's right it will work.

This is an individual support case where you have to provide some details.

photo
1

Attempted to use the form, but do not speak fluent German. Mind simply emailing me directly, and I can paste the entire dig, unredacted?

photo
1

We will happily find another provider. Thank you kindly.

photo
1

This morning I sent you a private e-mail to your mailaddress offering a personal support channel to send me the entire dig, unredacted. As requested by you.

So I offered direct 4th level support from the CEO of mailbox.org. At the weekend. With just some hours response time. To solve a problem that has nothing to do with mailbox.org but will be some kind of mistake in setting up the DNS records at your DNS provider. Anyway.

So: Feel free to get help and support from me, we will solve that issue, for sure. But not taking this (requested) help and then changing the provider if there's most likely an error in the external DNS setup is a bit curious and doesn't hit the real problem.

photo
1

Your lack of response does bother me a bit. Although your FAQ states you do not provide support for external domains, I find mailbox.org culpable for the issue at hand.

My main interest for using Mailbox.org is its spam filtering, but I'm not sure this benefit outweighs the condescending response from support.

Your response time is atrocious. I appreciate your help nonetheless.

I have not received any emails to my inbox: coloradomountain@mailbox.org

photo
1

I have already switched providers, but to provide some transparency, please take a look at my full dig output:

dig +short TXT a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org.

"caa10c5c5fd2c14ce2af3c20978541809e0b573f"

photo
1

My mistake, I sent my e-mail this morning to the other participant of this thread and not to you. Sorry.

To your request: You have *NOT* set this DNS record.

To your case:

The 4 nameservers of he.net do know this record. The internet doesn't.

peer@flash ~ $ host -t TXT a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org 8.8.8.8

Using domain server:

Name: 8.8.8.8

Address: 8.8.8.8#53

Aliases:

Host a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org not found: 2(SERVFAIL)

peer@flash ~ $ host -t TXT a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org 9.9.9.9

Using domain server:

Name: 9.9.9.9

Address: 9.9.9.9#53

Aliases:

Host a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org not found: 2(SERVFAIL)

peer@flash ~ $ dig a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org TXT @8.8.8.8

; <<>> DiG 9.9.9-P1 <<>> a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org TXT @8.8.8.8

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47940

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 512

;; QUESTION SECTION:

;a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org. IN TXT

;; Query time: 126 msec

;; SERVER: 8.8.8.8#53(8.8.8.8)

;; WHEN: Sat Aug 11 15:41:38 CEST 2018

;; MSG SIZE rcvd: 90

Sorry. You should open a support request at your DNS hosting provider. Or maybe you should change this DNS provider. But not your mail provider. This record IS NOT correctly available. Even not for Google at 8.8.8.8.

photo
1

Very strange, check this:

host -t TXT a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org 208.67.222.222

Using domain server:

Name: 208.67.222.222

Address: 208.67.222.222#53

Aliases:

a5d68379b9f19135ce1fda56fd710d2e375f7a64.coloradomountain.org descriptive text "caa10c5c5fd2c14ce2af3c20978541809e0b573f"

208.67.222.222 being Cisco OpenDNS

photo
1

Yes.

This is why we request customers to get support from their (paid) DNS hosting service.

In the last 18 months exactly 100% of those support issues weren't a mailbox.org problem. But at the end people are angry about us, blame us we should give support and cancel their account. Doesn't make fun.

Sorry, I'd really love to help you. But I can not debug (and repair) the world wide network infrastructure of your DNS hosting company.

peer@flash ~ $ host -t SOA coloradomountain.org 8.8.8.8

Using domain server:

Name: 8.8.8.8

Address: 8.8.8.8#53

Aliases:

Host coloradomountain.org not found: 2(SERVFAIL)

This is a routing / network / rate limiting / blacklisting / $somewhat issue where your DNS provider is responsible.

peer@flash ~ $ host -t MX coloradomountain.org 8.8.8.8

Using domain server:

Name: 8.8.8.8

Address: 8.8.8.8#53

Aliases:

Host coloradomountain.org not found: 2(SERVFAIL)

photo
1

I got the solution. Your DNSSEC is broken.

So all reliable good well configured DNS resolvers with DNSSEC enabled will see NO RECORDS from coloradomountain.org (no matter where you host your website or mail).

Have a look at

http://dnsviz.net/d/coloradomountain.org/dnssec/

and

https://dnssec-analyzer.verisignlabs.com/coloradomountain.org

Looks like an incomplete or not cleanly reverted DNSSEC setup. Have you tried and stopped using DNSSEC in the past?

peer@flash ~ $ dig coloradomountain.org DS +nodnssec +short

2371 13 2 6B81D67DA1066BE17BA3C0E41E6678A8B6A06282BB805FF823B3663E 982ADEDD
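The pattern diagnosed in this thread (SERVFAIL from validating resolvers, an answer from a non-validating one) can be confirmed by repeating each query with the CD (checking disabled) bit set. The script below is an added example, not part of the original posts; its function names and verdict strings are assumptions chosen here, and the resolver addresses are the ones queried in the thread.

```shell
#!/bin/sh
# Added example: tell "record missing" apart from "DNSSEC validation failed".
# A validating resolver answers SERVFAIL for a zone whose DNSSEC chain is
# broken, but returns the data when the query sets the CD bit.

# Read dig output on stdin, print the rcode from the header comment.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify NORMAL_STATUS CD_STATUS -> one-word verdict
classify() {
    case "$1:$2" in
        NOERROR:*)                          echo ok ;;
        SERVFAIL:NOERROR|SERVFAIL:NXDOMAIN) echo dnssec-validation-failure ;;
        SERVFAIL:SERVFAIL)                  echo resolver-cannot-reach-zone ;;
        NXDOMAIN:*)                         echo name-does-not-exist ;;
        *)                                  echo "unclassified($1/$2)" ;;
    esac
}

# check NAME TYPE RESOLVER: query with and without validation, print verdict.
check() {
    normal=$(dig +noall +comments "$1" "$2" "@$3" | dig_status)
    nocheck=$(dig +noall +comments +cdflag "$1" "$2" "@$3" | dig_status)
    printf '%s\t%s\n' "$3" "$(classify "$normal" "$nocheck")"
}

# Usage: sh dnssec-check.sh example.org MX   (script name is hypothetical)
# Runs only when a domain is given, so sourcing the file makes no queries.
if [ -n "${1:-}" ]; then
    for resolver in 8.8.8.8 9.9.9.9 208.67.222.222; do
        check "$1" "${2:-SOA}" "$resolver"
    done
fi
```

A `dnssec-validation-failure` verdict means the zone's records are reachable but the signature chain does not validate, so the fix belongs at the DNS host or registrar (DS and DNSKEY records), not at the mail provider.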

photo
1

Could you confirm what DNS resolver mailbox.org is using?

Are you sure you have no interest debugging further? This is clearly an issue with my DNS provider, I appreciate your time thus far.

I should mention I have enjoyed my time with mailbox.org, and ultimately would like to continue but several issues have brought me to wonder if continuing with you is the right option for me.

I should mention to you that your Spam filtering is absolutely amazing, as well as your integration of GPG. These features are rarely found on other providers. I have had some issue with delivery times, but ultimately have enjoyed your service.

Thanks

photo
1

Does mailbox.org have a donation form?

photo
1

(I haven't finished debugging, but in general it looks like this is the reason. At least, for sure, there IS something wrong and it's a waste of time to debug something if at least one error is already known but unfixed.)

We're using Bind9 and PowerDNS and they're resolving everything by themselves (no forwarding to somebody else). But also 8.8.8.8 (Google) and 9.9.9.9 are DNSSEC enabled and they don't have records.

This has NOTHING to do with mailbox.org. Not at all. Okay, we're doing it right and well and secure and that we're using DNSSEC... Sorry for that. :-)

But mailbox.org has the knowledge, experience, competence and an enthusiastic team to provide 90 minutes of debugging other companies' problems for 1,- EUR/month customers (even if we explained before that we can't do that for good reasons). I don't know if that's normal and if other ISPs would do this / have done this?

You must be aware: Right now, if your DNS is broken, you will NOT receive all of your mails, because DNSSEC enabled ISPs will also not get MX Records of your domain. I hope your new ISP will have an infrastructure to show and debug problems like this if your mail domain is not working...

But: Thanks for your friendly words.

If you have experienced mail delivery time problems, please disable greylisting. Except of that we don't have deferred deliveries. We're monitoring everything every minute. We don't have deferring queues here. For sure.

If you have real issues I'd be interested in knowing what's the problem. As you can see here, it's often not a problem of mailbox.org, but sometimes more a problem of general dysfunctional internet issues or misunderstandings by the customer.

photo
1

I want to confirm this issue is resolved, and was due to error in my own configuration. Please forgive the inconvenience.

As per my last comment, does mailbox.org have a donation form?

photo
1

Thanks, that's very honorable from your side. I'm happy to help you and it is good to hear that it's fixed / could be fixed right now. If you're happy right now it is perfect for us and we don't need donation forms.

photo
1

Hello,

I have a very similar problem for my custom domain nrbrt.com.

Since it is not possible to enable DNSSEC in the DNS management of my domain registrar (https://www.webhod.de/), I switched my DNS management to a free DNS hosting service (https://www.1984hosting.com/), enabled DNSSEC and told my registrar (parent zone) to change the nameservers to the ones of the DNS hosting service (child zone) and add the DS Key records. Just as described by the tutorial of the Internet Society: https://www.internetsociety.org/resources/deploy360/2012/step-by-step-how-to-use-a-dnssec-ds-record-to-link-a-registar-to-a-dns-hosting-provider-4/

However, I experience the same issue when DNSSEC is enabled. I cannot send any mails from my alias and always get "450 4.1.8 Sender address rejected: Domain not found". This is confirmed by DNSstuff with 2 respective fails: https://www.dnsstuff.com/tools#dnsReport|type=domain&&value=nrbrt.com

Also, when I type in `host -t SOA nrbrt.com 8.8.8.8` I'll get `Host nrbrt.com not found: 2(SERVFAIL)` as answer. How long do I normally need to wait until Google has this record?

From the answer of Peer Heinlein, I'm not really sure how to solve this problem and how to proceed to get this problem solved. My domain registrar told me that I should ask my mail provider about the rejected E-Mails and this is what I do now.

Can you help me out? Is it not possible to have mailbox with DNSSEC enabled or does the problem result from wrong configuration on the domain registrar or DNS hosting service side?

I would appreciate any help which gets me forward with this.

Thank you in advance!

photo
1

The problem is not solved, but the reason is that the DS Records at the .com-TLD point to wrong DNSKeys at my domain-zone even though my domain provider (and I thought registrar as well) set the correct records on my zone and communicated it to the .com-TLD. As my domain provider now tries to resolve this problem with the registrar, I switched DNSSEC off and all works well as before. I'll keep you updated.