TESTMXLOOKUP(1)		    Double Precision, Inc.	       TESTMXLOOKUP(1)

NAME
       testmxlookup - Look up mail servers for a domain

SYNOPSIS

       testmxlookup [@ip-address | --dnssec | --udpsize n | --sts |
                    --sts-override=mode | --sts-purge] {domain}

       testmxlookup {--sts-expire | --sts-cache-disable | --sts-cache-enable |
                    --sts-cache-enable=size}

DESCRIPTION
       testmxlookup reports the names and IP addresses of mail servers that
       receive mail for the domain, as well as the domain's published STS
       policy. This is useful in diagnosing mail delivery problems.

       testmxlookup sends a DNS MX query for the specified domain, followed by
       A/AAAA queries, if needed.  testmxlookup lists the hostname and the IP
       address of every mail server, and its MX priority. The domain's strict
       transport security (STS) policy status, if one is published, precedes
       the mail server list.

   DIAGNOSTICS
       The error message "Hard error" indicates that the domain does not
       exist, or does not have any mail servers. The error message "Soft
       error" indicates a temporary error condition (usually a network failure
       of some sort, or the local DNS server is down).

       "STS: testing" or "STS: enforcing" preceding the list of mail servers
       indicates that the domain publishes an STS policy.  "ERROR: STS Policy
       verification failed" appearing after an individual mail server
       indicates that the mail server's name does not meet the domain's STS
       policy.

       "STS: testing" or "STS: enforcing" by itself, with no further messages,
       indicates that all listed mail servers comply with the listed STS
       policy. If you are attempting to install your own STS policy, this is a
       simple means of checking its validity.
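
       The name check behind "ERROR: STS Policy verification failed", shown as
       an added example following the MX matching rules of RFC 8461. It is not
       Courier's code; the function names and the sample policy are constructed
       for illustration.

```python
# Added example: RFC 8461 MX-name matching. Not Courier's implementation.

def parse_policy(text):
    """Parse an MTA-STS policy file into its fields plus a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy.setdefault(key, value)   # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    return policy


def mx_matches(host, pattern):
    """True if an MX hostname satisfies one mx pattern from the policy."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label, so
        # "*.example.com" matches neither "example.com" nor "a.b.example.com".
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern


def check_mx_hosts(policy_text, mx_hosts):
    """Return (mode, {host: complies}) for the MX hosts of a domain."""
    policy = parse_policy(policy_text)
    return policy["mode"], {
        h: any(mx_matches(h, p) for p in policy["mx"]) for h in mx_hosts
    }


# Constructed sample policy, in the format that --sts displays raw.
SAMPLE_POLICY = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                 "mx: *.mx.example.com\nmax_age: 86400\n")
```

       A host that maps to False here corresponds to a mail server that
       testmxlookup would flag as failing the domain's policy.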

   OPTIONS
       @ip-address
           Specify the IP address of the DNS server to send the DNS query to,
           overriding the default DNS server addresses read from
           /etc/resolv.conf.

           "ip-address" must be a literal, numeric IP address.

       --dnssec
           Enable the DNSSEC extension. If the DNS server has DNSSEC enabled,
           and the specified domain's DNS records are signed, the list of IP
           addresses is suffixed by "(DNSSEC)", indicating a signed response.

           This is a diagnostic option. Older DNS servers may respond to a
           DNSSEC query with an error.

       --udpsize n
           Specify that n is the largest UDP packet size that the DNS server
           may send. This option is only valid together with "--dnssec". If
           "--dnssec" always returns an error, try "--udpsize 512" (the
           default setting is 1280 bytes, which is adequate for Ethernet, but
           other kinds of networks may impose lower limits).

       --sts
           Do not issue an MX query; instead, display the domain's raw STS
           policy file.

       --sts-cache-disable
           Turn off STS lookups, checking, and verification.  STS is enabled
           by default, but requires that a global systemwide list of SSL
           certificate authorities is available, and that TLS_TRUSTCERTS is
           specified in /usr/local/etc/courier/courierd.  STS can be disabled,
           if needed.

       --sts-cache-enable
           Reenable STS lookups, checking, and verification, and set the size
           of the internal cache to its default value. Specify "=size" to
           enable and set a non-default cache size, a positive value
           indicating the approximate number of most recent domains whose STS
           policies get cached internally.

       --sts-override=policy
           Override the domain's STS enforcement mode.  policy is one of:
           "none", "testing", or "enforce", and overrides the cached domain
           STS policy setting.

               Note
               This is a diagnostic or a testing tool.  Courier may eventually
               purge the cached policy setting, or the domain can update its
               policy, replacing the overridden setting.

       --sts-purge
           Remove the domain's cached STS policy, then retrieve and cache the
           domain's policy again.

       --sts-expire
           Execute Courier's STS policy expiration process. Nothing happens
           unless /var/spool/courier/sts's size exceeds the configured cache
           size setting. The oldest cached policy files get removed to bring
           the cache size down to its maximum size.

   STRICT TRANSPORT SECURITY
       Courier automatically downloads and caches domains' STS policy files by
       default, in an internal cache with a default size of 1000 domains.

           Note

           The cache size setting is approximate.  Courier purges stale cache
           entries periodically, and the size of the cache can temporarily
           exceed its set size, by as much as a factor of two.
           /var/spool/courier/sts must be owned by courier:courier, and uses
           one file per mail domain. The maximum cache size depends on the
           capabilities of the underlying filesystem.

           testmxlookup must be executed with sufficient privileges to access
           the cache directory (by root, or by courier). Without write
           permission, testmxlookup still uses the cache directory as long as
           it is accessible, and attempts to download the STS policy for a
           domain that is not already cached, but cannot save the downloaded
           policy in the cache directory.

SEE ALSO
       courier(8)[1], RFC 1035[2], RFC 8461[3].

AUTHOR
       Sam Varshavchik
	   Author

NOTES
	1. courier(8)
	   http://www.courier-mta.org/courier.html

	2. RFC 1035
	   https://www.ietf.org/rfc/rfc1035.txt

	3. RFC 8461
	   https://www.ietf.org/rfc/rfc8461.txt

Courier	Mail Server		  01/22/2022		       TESTMXLOOKUP(1)
