'\" t
.\"
.\"
.\" Title: testmxlookup
.\" Author: Sam Varshavchik
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 10/28/2020
.\" Manual: Double Precision, Inc.
.\" Source: Courier Mail Server
.\" Language: English
.\"
.TH "TESTMXLOOKUP" "1" "10/28/2020" "Courier Mail Server" "Double Precision, Inc."
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
testmxlookup \- Look up mail servers for a domain
.SH "SYNOPSIS"
.HP \w'\fBtestmxlookup\fR\ 'u
\fBtestmxlookup\fR [@\fIip\-address\fR | \-\-dnssec | \-\-udpsize\ \fIn\fR | \-\-sts | \-\-sts\-override=\fImode\fR | \-\-sts\-purge] {\fIdomain\fR}
.HP \w'\fBtestmxlookup\fR\ 'u
\fBtestmxlookup\fR {\-\-sts\-expire | \-\-sts\-cache\-disable | \-\-sts\-cache\-enable | \-\-sts\-cache\-enable=\fIsize\fR}
.SH "DESCRIPTION"
.PP
\fBtestmxlookup\fR reports the names and IP addresses of mail servers that receive mail for the \fIdomain\fR, as well as the \fIdomain\fR\*(Aqs published STS policy\&. This is useful in diagnosing mail delivery problems\&.
.PP
\fBtestmxlookup\fR sends a DNS MX query for the specified domain, followed by A/AAAA queries, if needed\&.
\fBtestmxlookup\fR lists the hostname and the IP address of every mail server, and its MX priority\&. The domain\*(Aqs strict transport security (STS) policy status, if one is published, precedes the mail server list\&.
.SS "DIAGNOSTICS"
.PP
The error message \(lqHard error\(rq indicates that the domain does not exist, or does not have any mail servers\&. The error message \(lqSoft error\(rq indicates a temporary error condition (usually a network failure of some sort, or the local DNS server is down)\&.
.PP
\(lqSTS: testing\(rq or \(lqSTS: enforcing\(rq preceding the list of mail servers indicates that the domain publishes an STS policy\&. \(lqERROR: STS Policy verification failed\(rq appearing after an individual mail server indicates that the mail server\*(Aqs name does not meet the domain\*(Aqs STS policy\&.
.PP
\(lqSTS: testing\(rq or \(lqSTS: enforcing\(rq by itself, with no further messages, indicates that all listed mail servers comply with the listed STS policy\&. If you are attempting to install your own STS policy this is a simple means of checking its validity\&.
.SS "OPTIONS"
.PP
@ip\-address
.RS 4
Specify the IP address of the DNS server to send the DNS query to, overriding the default DNS server addresses read from /etc/resolv\&.conf\&.
.sp
\(lqip\-address\(rq must be a literal, numeric, IP address\&.
.RE
.PP
\-\-dnssec
.RS 4
Enable the DNSSEC extension\&. If the DNS server has DNSSEC enabled, and the specified domain\*(Aqs DNS records are signed, the list of IP addresses is suffixed by \(lq(DNSSEC)\(rq, indicating a signed response\&.
.sp
This is a diagnostic option\&. Older DNS servers may respond with an error to a DNSSEC query\&.
.RE
.PP
\-\-udpsize \fIn\fR
.RS 4
Specify that \fIn\fR is the largest UDP packet size that the DNS server may send\&. This option is only valid together with \(lq\-\-dnssec\(rq\&.
If \(lq\-\-dnssec\(rq always returns an error, try \(lq\-\-udpsize 512\(rq (the default setting is 1280 bytes, which is adequate for Ethernet, but other kinds of networks may impose lower limits)\&.
.RE
.PP
\-\-sts
.RS 4
Do not issue an MX query, and display the domain\*(Aqs raw STS policy file\&.
.RE
.PP
\-\-sts\-cache\-disable
.RS 4
Turn off STS lookups, checking, and verification\&. STS is enabled by default, but requires that a global systemwide list of SSL certificate authorities is available, and that \fBTLS_TRUSTCERTS\fR is specified in /etc/courier/courierd\&. STS can be disabled, if needed\&.
.RE
.PP
\-\-sts\-cache\-enable
.RS 4
Reenable STS lookups, checking, and verification, and set the size of the internal cache to its default value\&. Specify \(lq=size\(rq to enable and set a non\-default cache size, a positive value indicating the approximate number of most recent domains whose STS policies get cached internally\&.
.RE
.PP
\-\-sts\-override=\fIpolicy\fR
.RS 4
Override the domain\*(Aqs STS enforcement mode\&. \fIpolicy\fR is one of: \(lqnone\(rq, \(lqtesting\(rq, or \(lqenforce\(rq, and overrides the cached domain STS policy setting\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
This is a diagnostic or a testing tool\&. Courier may eventually purge the cached policy setting, or the domain can update its policy, replacing the overridden setting\&.
.sp .5v
.RE
.RE
.PP
\-\-sts\-purge
.RS 4
Remove the domain\*(Aqs cached STS policy, and retrieve and cache the domain\*(Aqs policy, again\&.
.RE
.PP
\-\-sts\-expire
.RS 4
Execute Courier\*(Aqs STS policy expiration process\&. Nothing happens unless /var/lib/courier/sts\*(Aqs size exceeds the configured cache size setting\&. The oldest cached policy files get removed to bring the cache size down to its maximum size\&.
.RE
.SS "STRICT TRANSPORT SECURITY"
.PP
Courier automatically downloads and caches domains\*(Aq STS policy files by default, in an internal cache with a default size of 1000 domains\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
The cache size setting is approximate\&. Courier purges stale cache entries periodically, and the size of the cache can temporarily exceed its set size, by as much as a factor of two\&. /var/lib/courier/sts must be owned by courier:courier, and uses one file per mail domain\&. The maximum cache size depends on the capabilities of the underlying filesystem\&.
.PP
\fBtestmxlookup\fR must be executed with sufficient privileges to access the cache directory (by root, or by courier)\&. Without sufficient privileges \fBtestmxlookup\fR still attempts to use the cache directory even without write permissions on it, as long as it\*(Aqs accessible, and attempts to download the STS policy for a domain that\*(Aqs not already cached; but, of course, won\*(Aqt be able to save the downloaded policy in the cache directory\&.
.sp .5v
.RE
.SH "SEE ALSO"
.PP
\m[blue]\fB\fBcourier\fR(8)\fR\m[]\&\s-2\u[1]\d\s+2,
\m[blue]\fBRFC 1035\fR\m[]\&\s-2\u[2]\d\s+2,
\m[blue]\fBRFC 8461\fR\m[]\&\s-2\u[3]\d\s+2\&.
.SH "AUTHOR"
.PP
\fBSam Varshavchik\fR
.RS 4
Author
.RE
.SH "NOTES"
.IP " 1." 4
\fBcourier\fR(8)
.RS 4
\%http://www.courier-mta.org/courier.html
.RE
.IP " 2." 4
RFC 1035
.RS 4
\%https://www.ietf.org/rfc/rfc1035.txt
.RE
.IP " 3." 4
RFC 8461
.RS 4
\%https://www.ietf.org/rfc/rfc8461.txt
.RE
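.PP
Added example, not part of the original manual page and not Courier code: the RFC 8461 rule that decides whether a mail server name meets a domain STS policy (the condition DIAGNOSTICS reports as a policy verification failure), written in Python. The policy text, host names and function names are constructed for illustration.

```python
# Added example (not Courier code): RFC 8461 policy parsing and MX name check.

# Constructed sample policy body, in the key/value format RFC 8461 defines.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 86400
"""


def parse_policy(text):
    """Parse a policy body; 'mx' collects every pattern, other keys keep the first value."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or no key/value separator
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy.setdefault(key, value)  # duplicates after the first are ignored
    if policy.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    if policy.get("mode") not in ("none", "testing", "enforce"):
        raise ValueError("missing or unknown mode")
    return policy


def mx_matches(hostname, pattern):
    """True if hostname satisfies one 'mx' pattern; '*.' covers exactly one label."""
    host = hostname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return host == pattern


def check_mx_list(policy, mx_hosts):
    """Map each MX host name to whether any policy pattern accepts it."""
    return {h: any(mx_matches(h, p) for p in policy["mx"]) for h in mx_hosts}


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    hosts = ["mail.example.com", "mx1.example.net", "a.b.example.net", "mx.example.org"]
    for host, ok in check_mx_list(policy, hosts).items():
        print(host, "matches policy" if ok else "does not match policy")
```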