Provided by: courier-base_1.0.16-3build5_amd64 bug

NAME

       testmxlookup - Look up mail servers for a domain

SYNOPSIS

       testmxlookup [@ip-address | --dnssec | --udpsize n | --sts | --sts-override=mode |
                    --sts-purge] {domain}

       testmxlookup {--sts-expire | --sts-cache-disable | --sts-cache-enable |
                    --sts-cache-enable=size}

DESCRIPTION

       testmxlookup reports the names and IP addresses of mail servers that receive mail for the
       domain, as well as the domain's published STS policy. This is useful in diagnosing mail
       delivery problems.

       testmxlookup sends a DNS MX query for the specified domain, followed by A/AAAA queries, if
       needed.  testmxlookup lists the hostname and the IP address of every mail server, and its
       MX priority. The domain's strict transport security (STS) policy status, if one is
       published, precedes the mail server list.

   DIAGNOSTICS
       The error message “Hard error” indicates that the domain does not exist, or does not have
       any mail servers. The error message "Soft error" indicates a temporary error condition
       (usually a network failure of some sorts, or the local DNS server is down).

       “STS: testing” or “STS: enforcing” preceding the list of mail servers indicates that the
       domain publishes an STS policy.  “ERROR: STS Policy verification failed” appearing after
       an individual mail server indicates that the mail server's name does not meet the domain's
       STS policy.

       “STS: testing” or “STS: enforcing” by itself, with no further messages, indicates that all
       listed mail servers comply with the listed STS policy. If you are attempting to install
       your own STS policy this is a simple means of checking its validity.

   OPTIONS
       @ip-address
           Specify the DNS server's IP address, where to send the DNS query to, overriding the
           default DNS server addresses read from /etc/resolv.conf.

           “ip-address” must be a literal, numeric, IP address.

       --dnssec
           Enable the DNSSEC extension. If the DNS server has DNSSEC enabled, and the specified
           domain's DNS records are signed, the list of IP addresses is suffixed by “(DNSSEC)”,
           indicating a signed response.

           This is a diagnostic option. Older DNS servers may respond with an error, to a DNSSEC
           query.

       --udpsize n
           Specify that n is the largest UDP packet size that the DNS server may send. This
           option is only valid together with “--dnssec”. If “--dnssec” always returns an error,
           try “--udpsize 512” (the default setting is 1280 bytes, which is adequate for
           Ethernet, but other kinds of networks may impose lower limits).

       --sts
           Do not issue an MX query, and display the domain's raw STS policy file.

       --sts-cache-disable
           Turn off STS lookups, checking, and verification.  STS is enabled by default, but
           requires that a global systemwide list of SSL certificate authorities is available,
           and that TLS_TRUSTCERTS is specified in /etc/courier/courierd.  STS can be disabled,
           if needed.

       --sts-cache-enable
           Reenable STS lookups, checking, and verification, and set the size of the internal
           cache to its default value. Specify “=size” to enable and set a non-default cache
           size, a positive value indicating the approximate number of most recent domains whose
           STS policies get cached internally.

       --sts-override=policy
           Override the domain's STS enforcement mode.  policy is one of: “none”, “testing”, or
           “enforce”, and overrides the cached domain STS policy setting.

               Note
               This is a diagnostic or a testing tool.  Courier may eventually purge the cached
               policy setting, or the domain can update its policy, replacing the overridden
               setting.

       --sts-purge
           Remove the domain's cached STS policy, and retrieve and cache the domain's policy,
           again.

       --sts-expire
           Execute Courier's STS policy expiration process. Nothing happens unless
           /var/lib/courier/sts's size exceeds the configured cache size setting. The oldest
           cached policy files get removed to bring the cache size down to its maximum size.

   STRICT TRANSPORT SECURITY
       Courier automatically downloads and caches domains' STS policy files by default, in an
       internal cache with a default size of 1000 domains.

           Note
           The cache size setting is approximate.  Courier purges stale cache entries
           periodically, and the size of the cache can temporarily exceed its set size, by as
           much as a factor of two.  /var/lib/courier/sts must be owned by courier:courier, and
           uses one file per mail domain. The maximum cache size depends on the capabilities of
           the underlying filesystem.

           testmxlookup must be executed with sufficient privileges to access the cache directory
           (by root, or by courier). Without sufficient privileges testmxlookup still attempts to
           use the cache directory even without write permissions on it, as long as it's
           accessible, and attempts to download the STS policy for a domain that's not already
           cached; but, of course, won't be able to save the downloaded policy in the cache
           directory.

SEE ALSO

       courier(8)[1], RFC 1035[2], RFC 8461[3].

AUTHOR

       Sam Varshavchik
           Author

NOTES

        1. courier(8)
           http://www.courier-mta.org/courier.html

        2. RFC 1035
           https://www.ietf.org/rfc/rfc1035.txt

        3. RFC 8461
           https://www.ietf.org/rfc/rfc8461.txt