pmeerw's blog

Wed, 20 May 2026

Ubuntu systemd-resolved woes

When a name is resolved via DNS, the application (via getaddrinfo()) asks the local resolver for both an IPv4 and an IPv6 address. On Ubuntu, systemd's resolved is used as a stub resolver (not so on AWS Linux 2023, but that is another story).

The stub resolver is supposed to cache the query result. But why does resolvectl statistics still show high cache miss numbers? Turning on the debug log level in resolved (resolvectl log-level debug) reveals the answer...

It turns out that Ubuntu chooses not to cache negative responses (LP: #1668771). If the DNS A record (IPv4) resolves fine but there is no DNS AAAA record (IPv6), the negative AAAA result is not cached and is queried upstream over and over.

On Ubuntu 26.04 (and likely earlier), this odd behavior can be changed in /usr/lib/systemd/resolved.conf.d/cache-no-negative.conf:

# Ubuntu defaults to Cache=no-negative. See LP: #1668771.

[Resolve]
#Cache=no-negative

Note that files under /usr/lib/systemd belong to the package and may be replaced on upgrade; a drop-in with the same file name under /etc/systemd/resolved.conf.d/ masks the packaged one. The command systemd-analyze cat-config systemd/resolved.conf shows the complete resolved configuration, assembled from the main file and all drop-in parts.
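To see the effect on a running system, here is an added measurement script (not from the post): it reads the Cache Hits and Cache Misses counters from resolvectl statistics, resolves a name N times with getent ahosts (which asks for A and AAAA like getaddrinfo()), and prints how much each counter moved. With a name that has an A record but no AAAA record, misses grow by roughly one per lookup while negative caching is off and stay flat once it is on.

```bash
#!/bin/sh
# Added example, not part of the original post: quantify how many upstream
# DNS queries repeated lookups of one name cost on systemd-resolved.

# Read `resolvectl statistics` output on stdin and print the named counter,
# e.g. "Cache Misses"; prints 0 if no such line is present.
resolved_counter() {
    awk -v key="$1:" 'index($0, key) { n = $NF } END { print n + 0 }'
}

# Resolve $1 $2 times (default 10) via getent ahosts and report the change in
# the Cache Hits and Cache Misses counters around those lookups.
cache_delta() {
    name=$1
    count=${2:-10}
    stats=$(resolvectl statistics)
    hits0=$(printf '%s\n' "$stats" | resolved_counter "Cache Hits")
    miss0=$(printf '%s\n' "$stats" | resolved_counter "Cache Misses")
    i=0
    while [ "$i" -lt "$count" ]; do
        # getent ahosts uses getaddrinfo() with AF_UNSPEC: one A and one AAAA query
        getent ahosts "$name" >/dev/null
        i=$((i + 1))
    done
    stats=$(resolvectl statistics)
    hits1=$(printf '%s\n' "$stats" | resolved_counter "Cache Hits")
    miss1=$(printf '%s\n' "$stats" | resolved_counter "Cache Misses")
    printf '%s lookups of %s: +%d cache hits, +%d cache misses\n' \
        "$count" "$name" $((hits1 - hits0)) $((miss1 - miss0))
}

# Usage: ./resolved-cache-check.sh <hostname> [count]
[ $# -eq 0 ] || cache_delta "$1" "$2"
```

Run it once with Ubuntu's default and once after the Cache= change; a name that only has an A record makes the difference obvious.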

posted at: 00:54 | path: /configuration | permanent link

Fri, 08 May 2026

Postfix hardening

See Pieter Bakker's tips for Postfix to pass internet.nl checks.

posted at: 15:57 | path: /configuration | permanent link

Wed, 22 Oct 2025

gmx.de claims insufficient security

gmx.de's mail server aborts the connection with TLS alert 71 (insufficient security). After disabling TLSv1 in Postfix, it works, i.e. mail is delivered. Amazing.

postfix/smtpd[3923583]: TLS SNI mail.pmeerw.net from mout.gmx.net[212.227.15.18] not matched, using default chain
postfix/smtpd[3923583]: Untrusted TLS connection established from mout.gmx.net[212.227.15.18]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature RSA-PSS (3072 bits) client-digest SHA256
postfix/smtpd[3923583]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:916:SSL alert number 71:
postfix/smtpd[3923583]: NOQUEUE: lost connection after STARTTLS from mout.gmx.net[212.227.15.18]
postfix/smtpd[3923583]: disconnect from mout.gmx.net[212.227.15.18] ehlo=1 starttls=1 commands=2

posted at: 14:49 | path: /configuration | permanent link

Tue, 30 Sep 2025

Lenovo X13 firmware update on Linux

It's easy: just run sudo fwupdmgr get-updates followed by sudo fwupdmgr update. The system needs to be on AC power to perform the update.

posted at: 22:07 | path: /configuration | permanent link

Fri, 26 Sep 2025

Easy DKIM/DMARC setup for multiple domains

It's possible to simply list multiple domains in opendkim.conf; mail for all of them is then signed with the same key, indicated by KeyFile and Selector (as pointed out here).

# Sign for example.com with the key in /etc/dkimkeys/example.com.key using
# selector 'mail' (i.e. the public key lives at mail._domainkey.example.com)
# Hacky: multiple domains all share the same key and the same DNS setup,
# so mail._domainkey.bla.net and mail._domainkey.blub.org records are needed too
Domain                  example.com, bla.net, blub.org
KeyFile                 /etc/dkimkeys/example.com.key
Selector                mail

A more complex way with individual mappings is described here.

A good way to test the setup is appmaildev.com's DKIM Test.

posted at: 10:10 | path: /configuration | permanent link

Made with PyBlosxom