Mailing List Archive: Problem with postfix-policyd-spf-perl

Problem with postfix-policyd-spf-perl

paul.hutchings at mira

Jul 17, 2008, 6:03 AM

Post #1 of 18 (14845 views)

I'm using Postfix and postfix-policyd-spf-perl (2.005) and this last
couple of weeks I've been experiencing messages from @tiscali.co.uk
being bounced for failing SPF policy.

Problem is whenever I use any online tester and enter the MTA and IP's
etc. they say it passes the policy, so now I'm a little unclear if it

could be something at my end, or a transient error with Tiscali's DNS or
MTAs (and I suspect trying to speak to anyone at Tiscali would take so
long it's simpler to just white list them).

This is an example of the rejection:

http://www.openspf.org/Why?s=helo&id=mk-filter-2-a-4.mail.uk.tiscali.com
&ip=212.74.100.53&r=relay.mira.co.uk

It only seems to happen with Tiscali.

As an example /var/log/maillog shows:

Jul 17 10:10:40 relay postfix/smtpd[3635]: connect from
mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]

Jul 17 10:10:41 relay postfix/policy-spf[3636]: handler
sender_policy_framework: is decisive.

Jul 17 10:10:41 relay postfix/policy-spf[3636]: : Policy action=550
Please see
http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.com
&ip=212.74.100.54&r=relay.mira.co.uk

Jul 17 10:10:41 relay postfix/smtpd[3635]: NOQUEUE: reject: RCPT from
mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]: 550 5.7.1 <recipient
at ourdomain.co.uk>: Recipient address rejected: Please see
http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.com
&ip=212.74.100.54&r=relay.mira.co.uk; from=<sender at tiscali.co.uk>
to=<recipient at ourdomain.co.uk> proto=ESMTP
helo=<mk-filter-3-a-4.mail.uk.tiscali.com>

TIA

Paul

Paul Hutchings

Network Administrator, MIRA Ltd.

Tel: 44 (0)24 7635 5378

Fax: 44 (0)24 7635 8378

mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Re: Problem with postfix-policyd-spf-perl [ In reply to ]

scott at kitterman

Jul 17, 2008, 6:30 AM

Post #2 of 18 (14699 views)

On Thu, 17 Jul 2008 14:03:58 +0100 "Paul Hutchings"
<paul.hutchings@mira.co.uk> wrote:
>I'm using Postfix and postfix-policyd-spf-perl (2.005) and this last
>couple of weeks I've been experiencing messages from @tiscali.co.uk
>being bounced for failing SPF policy.
>
>
>
>Problem is whenever I use any online tester and enter the MTA and IP's
>etc. they say it passes the policy, so now I'm a little unclear if it
>
>could be something at my end, or a transient error with Tiscali's DNS or
>MTAs (and I suspect trying to speak to anyone at Tiscali would take so
>long it's simpler to just white list them).
>
>
>
>This is an example of the rejection:
>
>
>
>http://www.openspf.org/Why?s=helo&id=mk-filter-2-a-4.mail.uk.tiscali.com
>&ip=212.74.100.53&r=relay.mira.co.uk
>
>
>
>It only seems to happen with Tiscali.
>
>
>
>As an example /var/log/maillog shows:
>
>
>
>Jul 17 10:10:40 relay postfix/smtpd[3635]: connect from
>mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]
>
>Jul 17 10:10:41 relay postfix/policy-spf[3636]: handler
>sender_policy_framework: is decisive.
>
>Jul 17 10:10:41 relay postfix/policy-spf[3636]: : Policy action=550
>Please see
>http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.com
>&ip=212.74.100.54&r=relay.mira.co.uk
>
>Jul 17 10:10:41 relay postfix/smtpd[3635]: NOQUEUE: reject: RCPT from
>mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]: 550 5.7.1 <recipient
>at ourdomain.co.uk>: Recipient address rejected: Please see
>http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.com
>&ip=212.74.100.54&r=relay.mira.co.uk; from=<sender at tiscali.co.uk>
>to=<recipient at ourdomain.co.uk> proto=ESMTP
>helo=<mk-filter-3-a-4.mail.uk.tiscali.com>

It does seem odd. When I can get my laptop to a network, I'll do some testing with the policy
server. It looks like it should not have rejected the mail.

I'm curious if you have the same problem with the Python version
(pypolicyd-spf)?

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 6:57 AM

Post #3 of 18 (14674 views)

I'd need to take a look at how easy it is to get the python bits on my
CentOS 5.2 box - I know enough to get by but have never touched python
and am a "rpms please" newbie wherever possible :-)

It's odd it only happens with Tiscali - the problem is we don't receive
enough mail from them that I could sensibly turn on any sort of
debugging because the logs would just fill before anything from them
came in, and 8/10 times it'd be let in anyway.

TIA
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

-----Original Message-----
From: Scott Kitterman [mailto:scott@kitterman.com]
Sent: 17 July 2008 14:31
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] Problem with postfix-policyd-spf-perl

On Thu, 17 Jul 2008 14:03:58 +0100 "Paul Hutchings"
<paul.hutchings@mira.co.uk> wrote:
>I'm using Postfix and postfix-policyd-spf-perl (2.005) and this last
>couple of weeks I've been experiencing messages from @tiscali.co.uk
>being bounced for failing SPF policy.
>
>
>
>Problem is whenever I use any online tester and enter the MTA and IP's
>etc. they say it passes the policy, so now I'm a little unclear if it
>
>could be something at my end, or a transient error with Tiscali's DNS
or
>MTAs (and I suspect trying to speak to anyone at Tiscali would take so
>long it's simpler to just white list them).
>
>
>
>This is an example of the rejection:
>
>
>
>http://www.openspf.org/Why?s=helo&id=mk-filter-2-a-4.mail.uk.tiscali.co
m
>&ip=212.74.100.53&r=relay.mira.co.uk
>
>
>
>It only seems to happen with Tiscali.
>
>
>
>As an example /var/log/maillog shows:
>
>
>
>Jul 17 10:10:40 relay postfix/smtpd[3635]: connect from
>mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]
>
>Jul 17 10:10:41 relay postfix/policy-spf[3636]: handler
>sender_policy_framework: is decisive.
>
>Jul 17 10:10:41 relay postfix/policy-spf[3636]: : Policy action=550
>Please see
>http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.co
m
>&ip=212.74.100.54&r=relay.mira.co.uk
>
>Jul 17 10:10:41 relay postfix/smtpd[3635]: NOQUEUE: reject: RCPT from
>mk-filter-3-a-1.mail.uk.tiscali.com[212.74.100.54]: 550 5.7.1
<recipient
>at ourdomain.co.uk>: Recipient address rejected: Please see
>http://www.openspf.org/Why?s=helo&id=mk-filter-3-a-4.mail.uk.tiscali.co
m
>&ip=212.74.100.54&r=relay.mira.co.uk; from=<sender at tiscali.co.uk>
>to=<recipient at ourdomain.co.uk> proto=ESMTP
>helo=<mk-filter-3-a-4.mail.uk.tiscali.com>

It does seem odd. When I can get my laptop to a network, I'll do some
testing with the policy
server. It looks like it should not have rejected the mail.

I'm curious if you have the same problem with the Python version
(pypolicyd-spf)?

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

ubuntu at kitterman

Jul 17, 2008, 7:12 AM

Post #4 of 18 (14678 views)

> I'd need to take a look at how easy it is to get the python bits on my
> CentOS 5.2 box - I know enough to get by but have never touched python
> and am a "rpms please" newbie wherever possible :-)

It should be easy enough. The only two modules it needs are pydns and
pyspf. Both are on sourceforge and have RPMs:

http://sourceforge.net/projects/pydns
http://sourceforge.net/projects/pymilter

(pyspf is a separate download in the pymilter project)

The Python policy server is available here:

http://www.openspf.org/Software#python-postfix-policyd-spf

To install that, unpack the tarball and cd into the package directory.

Then:

$ python setup.py build

and as root (however you do that on your system)

# python setup.py install

Then see man policyd-spf for details.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

ubuntu at kitterman

Jul 17, 2008, 7:40 AM

Post #5 of 18 (14699 views)

> It's odd it only happens with Tiscali - the problem is we don't receive
> enough mail from them that I could sensibly turn on any sort of
> debugging because the logs would just fill before anything from them
> came in, and 8/10 times it'd be let in anyway.

The Python version of the policy server is a bit more verbose in it's
logging by default. I'm unsure if it's a Tiscali issue or due to the
public wifi I'm using right now, but I get a Temperror result with the
Python policy server:

Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror; identity=helo;
client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
identity=mailfrom; client-ip=212.74.100.54;
helo=mk-filter-3-a-4.mail.uk.tiscali.com;
envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk

I do get the reject from the Perl one, but I'm not sure why. It will
defer on Temperror, not reject.

I grabbed a tcpdump and it appears to go along normally and then just
stop. It works with other domains from here, so I don't think it's just
an issue with the wifi here.

I believe that there may be a subtle difference in the way that the
underlying SPF libraries treat certain DNS errors that explains why the
Perl library returns a permanent error and the Python one says temporary.

The Python policy server does not defer Temperror by default (at it's
easily configurable in it's config file in any case). I suspect some
Tiscali specific DNS brain damage. I believe that switching to the Python
policy server will solve it for you.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 8:11 AM

Post #6 of 18 (14707 views)

Ok this is what I get:

[root@relay tmp]# rpm -ivh python-pydns-2.3.1-1.el5.noarch.rpm
Preparing... ###########################################
[100%]
1:python-pydns ###########################################
[100%]
[root@relay tmp]# rpm -ivh --test python-pyspf-2.0.4-2.el5.noarch.rpm
Preparing... ###########################################
[100%]
file /usr/bin/spfquery from install of python-pyspf-2.0.4-2.el5
conflicts with file from package perl-Mail-SPF-2.005-1.el5.rf

Presumably at face value it's a conflict, but of course I have
perl-Mail-SPF-2.005-1.el5.rf installed for things like the perl SPF
policy daemon to work as well as (presumably) Spamassassin and
MailScanner to be able to do their stuff with DNS.

Sorry I'm not trying to appear obtuse here, it's just that as a relative
beginner, and having a fully working live system I don't want to mess
too much vs. whitelisting a single domain, IYSWIM.

Interesting that you're seeing strange things happen with your own
testing with regards to that domain - any idea what may be acting up
with their DNS though?

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Re: Problem with postfix-policyd-spf-perl [ In reply to ]

johna at onevista

Jul 17, 2008, 8:22 AM

Post #7 of 18 (14686 views)

On Thu July 17 2008, Scott Kitterman wrote:
> > It's odd it only happens with Tiscali - the problem is we don't receive
> > enough mail from them that I could sensibly turn on any sort of
> > debugging because the logs would just fill before anything from them
> > came in, and 8/10 times it'd be let in anyway.
>
> Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror; identity=helo;
> client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
> Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
> identity=mailfrom; client-ip=212.74.100.54;
> helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>
> I do get the reject from the Perl one, but I'm not sure why. It will
> defer on Temperror, not reject.

the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a -all"
the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
You are receiving mail from 212.74.100.54
SPF seems to working correctly!

johna

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

scott at kitterman

Jul 17, 2008, 8:23 AM

Post #8 of 18 (14665 views)

On Thu, 17 Jul 2008 16:11:58 +0100 "Paul Hutchings"
<paul.hutchings@mira.co.uk> wrote:
>Ok this is what I get:
>
>[root@relay tmp]# rpm -ivh python-pydns-2.3.1-1.el5.noarch.rpm
>Preparing... ###########################################
>[100%]
> 1:python-pydns ###########################################
>[100%]
>[root@relay tmp]# rpm -ivh --test python-pyspf-2.0.4-2.el5.noarch.rpm
>Preparing... ###########################################
>[100%]
> file /usr/bin/spfquery from install of python-pyspf-2.0.4-2.el5
>conflicts with file from package perl-Mail-SPF-2.005-1.el5.rf
>
>Presumably at face value it's a conflict, but of course I have
>perl-Mail-SPF-2.005-1.el5.rf installed for things like the perl SPF
>policy daemon to work as well as (presumably) Spamassassin and
>MailScanner to be able to do their stuff with DNS.
>
>Sorry I'm not trying to appear obtuse here, it's just that as a relative
>beginner, and having a fully working live system I don't want to mess
>too much vs. whitelisting a single domain, IYSWIM.

The perl and python libraries both provide an spfquery tool, so the
conflict is real. In Debian the tools are packaged in separate binary
packages to avoid this exact problem. I have only enough experience with
RPM to know I never want to use an RPM based distro again. Perhaps someone
else can help.

>Interesting that you're seeing strange things happen with your own
>testing with regards to that domain - any idea what may be acting up
>with their DNS though?

Not yet. I got a good tcpdump, so when I get some time maybe I can get it sorted. I'm pretty
tied up with $WORK the next couple of days.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Re: Problem with postfix-policyd-spf-perl [ In reply to ]

scott at kitterman

Jul 17, 2008, 8:33 AM

Post #9 of 18 (14665 views)

On Thu, 17 Jul 2008 11:22:13 -0400 John Adams <johna@onevista.com> wrote:
>On Thu July 17 2008, Scott Kitterman wrote:
>> > It's odd it only happens with Tiscali - the problem is we don't receive
>> > enough mail from them that I could sensibly turn on any sort of
>> > debugging because the logs would just fill before anything from them
>> > came in, and 8/10 times it'd be let in anyway.
>>
>> Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror;
identity=helo;
>> client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
>> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>> Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
>> identity=mailfrom; client-ip=212.74.100.54;
>> helo=mk-filter-3-a-4.mail.uk.tiscali.com;
>> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>>
>> I do get the reject from the Perl one, but I'm not sure why. It will
>> defer on Temperror, not reject.
>
>the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a -all"
>the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
>You are receiving mail from 212.74.100.54
>SPF seems to working correctly!

Interesting.

I'm away from wifi right now. I don't think I was getting that. Would
someone please check and see if all their DNS servers are serving the same
record?

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 9:21 AM

Post #10 of 18 (14670 views)

Thanks Scott, my main concern is if it's something my end acting up that
is under my control.

For how much business mail we get from Tiscali, that happens to come via
those MTA's it's not a show stopper, and if it is their fault so be it,
my worry was if the postfix-policy-spf-perl was somehow broken and
people needed to know etc.

I'll stay on the list and wait and see if anyone has the resource to do
any digging - it's ability that I'm lacking!

Cheers,
Paul

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

steve at teamITS

Jul 17, 2008, 9:27 AM

Post #11 of 18 (14661 views)

>> the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a
-all"
>> the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
>> You are receiving mail from 212.74.100.54
>> SPF seems to working correctly!
>
> Interesting.
>
> I'm away from wifi right now. I don't think I was getting that.
Would
> someone please check and see if all their DNS servers are serving the
> same record?

Yes.

;; ANSWER SECTION:
mk-filter-3-a-4.mail.uk.tiscali.com. 3600 IN TXT "v=spf1 a -all"

;; ANSWER SECTION:
mk-filter-3-a-4.mail.uk.tiscali.com. 3600 IN A 212.74.100.42

;; AUTHORITY SECTION:
uk.tiscali.com. 3600 IN NS ns0.tiscali.co.uk.
uk.tiscali.com. 3600 IN NS ns0.as9105.com.

;; ADDITIONAL SECTION:
ns0.as9105.com. 604800 IN A 212.139.129.130
ns0.tiscali.co.uk. 604800 IN A 212.74.114.132

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Bad command or file name. Go stand in the corner.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 9:41 AM

Post #12 of 18 (14664 views)

Can I get an explanation in simple terms please?

Obviously we have an SPF record and I know the basic principle i.e. mail
from @mira.co.uk can only originate from relay.mira.co.uk or a couple of
other hosts) in our case as that's how I have our mail flow configured
for all devices.

Where I'm struggling is that in this case the email is coming from an
@tiscali.co.uk address, and the SPF record for tiscali.co.uk seems to
specify a bunch of /24's of which the MTA that caused the problem (one
of several) seems to be in?

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

steve at teamITS

Jul 17, 2008, 9:48 AM

Post #13 of 18 (14664 views)

Paul Hutchings wrote on 7/17/2008 11:41:20 AM:

> Where I'm struggling is that in this case the email is coming from an
> @tiscali.co.uk address, and the SPF record for tiscali.co.uk seems to
> specify a bunch of /24's of which the MTA that caused the problem (one
> of several) seems to be in?

What John pointed out is that the sending mail server is
apparently telling the world that it's name is
"mk-filter-3-a-4.mail.uk.tiscali.com." The SPF record for
"mk-filter-3-a-4.mail.uk.tiscali.com" is telling the world that it's IP
is 212.74.100.42, but the message is coming from a different IP,
212.74.100.54. It is the SPF record for
mk-filter-3-a-4.mail.uk.tiscali.com that is causing the failure, not the
record for tiscali.co.uk. Therefore the fail result is correct.

----------
> Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror;
identity=helo;
> client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
> Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
> identity=mailfrom; client-ip=212.74.100.54;
> helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>
> I do get the reject from the Perl one, but I'm not sure why. It will
> defer on Temperror, not reject.

the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a
-all"
the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
You are receiving mail from 212.74.100.54
SPF seems to working correctly!
----------

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- A juggler is a schizophrenic playing catch.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

scott at kitterman

Jul 17, 2008, 9:57 AM

Post #14 of 18 (14695 views)

On Thu, 17 Jul 2008 11:48:21 -0500 "Steve Yates" <steve@teamITS.com> wrote:
>Paul Hutchings wrote on 7/17/2008 11:41:20 AM:
>
>> Where I'm struggling is that in this case the email is coming from an
>> @tiscali.co.uk address, and the SPF record for tiscali.co.uk seems to
>> specify a bunch of /24's of which the MTA that caused the problem (one
>> of several) seems to be in?
>
> What John pointed out is that the sending mail server is
>apparently telling the world that it's name is
>"mk-filter-3-a-4.mail.uk.tiscali.com." The SPF record for
>"mk-filter-3-a-4.mail.uk.tiscali.com" is telling the world that it's IP
>is 212.74.100.42, but the message is coming from a different IP,
>212.74.100.54. It is the SPF record for
>mk-filter-3-a-4.mail.uk.tiscali.com that is causing the failure, not the
>record for tiscali.co.uk. Therefore the fail result is correct.
>
>----------
>> Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror;
>identity=helo;
>> client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
>> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>> Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
>> identity=mailfrom; client-ip=212.74.100.54;
>> helo=mk-filter-3-a-4.mail.uk.tiscali.com;
>> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>>
>> I do get the reject from the Perl one, but I'm not sure why. It will
>> defer on Temperror, not reject.
>
>the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a
>-all"
>the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
>You are receiving mail from 212.74.100.54
>SPF seems to working correctly!
>----------

I took a quick look at the logs when I was testing earlier and the Python policy server was
registering Temperror for both Mail From and HELO, while the Perl one, correctly, rejected due
to HELO Fail.

1. Tiscali's HELO record for that server is wrong and it'd be good if
someone would tell them.

2. I need to figure out why the Python DNS library couldn't get a response.

Thanks,

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 10:04 AM

Post #15 of 18 (14669 views)

Thanks that makes sense - what confused me though is that I thought SPF
only worked at a domain level i.e. why is it looking up an SPF (TXT)
record for an individual host?

-----Original Message-----
From: Steve Yates [mailto:steve@teamITS.com]
Sent: 17 July 2008 17:48
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] Problem with postfix-policyd-spf-perl

Paul Hutchings wrote on 7/17/2008 11:41:20 AM:

> Where I'm struggling is that in this case the email is coming from an
> @tiscali.co.uk address, and the SPF record for tiscali.co.uk seems to
> specify a bunch of /24's of which the MTA that caused the problem (one
> of several) seems to be in?

What John pointed out is that the sending mail server is
apparently telling the world that it's name is
"mk-filter-3-a-4.mail.uk.tiscali.com." The SPF record for
"mk-filter-3-a-4.mail.uk.tiscali.com" is telling the world that it's IP
is 212.74.100.42, but the message is coming from a different IP,
212.74.100.54. It is the SPF record for
mk-filter-3-a-4.mail.uk.tiscali.com that is causing the failure, not the
record for tiscali.co.uk. Therefore the fail result is correct.

----------
> Jul 17 10:18:11 scott-laptop policyd-spf[18084]: Temperror;
identity=helo;
> client-ip=212.74.100.54; helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
> Jul 17 10:18:42 scott-laptop policyd-spf[18084]: Temperror;
> identity=mailfrom; client-ip=212.74.100.54;
> helo=mk-filter-3-a-4.mail.uk.tiscali.com;
> envelope-from=test@tiscali.co.uk; receiver=test@mira.co.uk
>
> I do get the reject from the Perl one, but I'm not sure why. It will
> defer on Temperror, not reject.

the SPF record for mk-filter-3-a-4.mail.uk.tiscali.com is "v=spf1 a
-all"
the A record for mk-filter-3-a-4.mail.uk.tiscali.com is 212.74.100.42
You are receiving mail from 212.74.100.54
SPF seems to working correctly!
----------

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- A juggler is a schizophrenic playing catch.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

steve at teamITS

Jul 17, 2008, 10:19 AM

Post #16 of 18 (14636 views)

Paul Hutchings wrote on 7/17/2008 12:04:39 PM:

> Thanks that makes sense - what confused me though is that I thought
SPF
> only worked at a domain level i.e. why is it looking up an SPF (TXT)
> record for an individual host?

http://www.openspf.org/FAQ/Examples

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- "Have you ever tried going mad without power? It's boring. No one
listens to you!" - Russ Cargill

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

RE: Problem with postfix-policyd-spf-perl [ In reply to ]

paul.hutchings at mira

Jul 17, 2008, 10:31 AM

Post #17 of 18 (14630 views)

Perfect and my bad for not reading the FAQ - thanks very much and nice
to know it's not me but the huge ISP at fault :-)

Thanks again!

-----Original Message-----
From: Steve Yates [mailto:steve@teamITS.com]
Sent: 17 July 2008 18:20
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] Problem with postfix-policyd-spf-perl

Paul Hutchings wrote on 7/17/2008 12:04:39 PM:

> Thanks that makes sense - what confused me though is that I thought
SPF
> only worked at a domain level i.e. why is it looking up an SPF (TXT)
> record for an individual host?

http://www.openspf.org/FAQ/Examples

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- "Have you ever tried going mad without power? It's boring. No one
listens to you!" - Russ Cargill

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Re: Problem with postfix-policyd-spf-perl [ In reply to ]

scott at kitterman

Jul 17, 2008, 10:20 PM

Post #18 of 18 (14644 views)

One final note:

This was hard to troubleshoot because, by default, the policy server doesn't
log if it's acting based on Mail From or HELO results. I've fixed that and
released a new version (2.006). It has no other changes, so there's no
urgent need to upgrade.

Scott K

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com