Mailing List Archive

TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006
Hi!

I'm using postfix/smtpd-policy.pl 2.006
and I have a problem receiving email from domains which are using DNS's SPF
record

Jul 21 04:05:50 smtpext4 postfix/policy-spf[20420]: : SPF TempError
('SERVFAIL' error on DNS 'SPF' lookup of 'mail.cga-quebec.org'):
HELO/EHLO: mail.cga-quebec.org
Jul 21 04:05:50 smtpext4 postfix/policy-spf[1238]: : Policy
action=DEFER_IF_PERMIT SPF-Result=mail.cga-quebec.org: 'SERVFAIL' error
on DNS 'SPF' lookup of 'mail.cga-quebec.org'
Jul 21 04:05:50 smtpext4 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from
mail.cga-quebec.org[69.70.72.86]: 450 4.7.1 <sender1@cga-quebec.org>:
Sender address rejected: SPF-Result=mail.cga-quebec.org: 'SERVFAIL'
error on DNS 'SPF' lookup of 'mail.cga-quebec.org';
from=<sender1@cga-quebec.org> to=<recipient1@hec.ca> proto=ESMTP
helo=<mail.cga-quebec.org>

# dig +short SPF cga-quebec.org
209.172.51.216

# dig +short TXT cga-quebec.org
"v=spf1 a mx ip4:216.252.70.146 ip4:69.70.72.86 -all"

I noticed incoherences between SPF and TXT records

If I understand correctly, SPF record has priority above TXT record.

Why does it say "'SERVFAIL' error on DNS 'SPF' lookup"?
Why does it return a "TempError"?

I have this error with many domains which are using misconfigured SPF
record.TEMPError :

How can I change the behaviour to evaluate TXT record first !!

Am I the only one with that problem ?

Any workaround ?

Thanks,
Eddy





-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
RE: TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006 [ In reply to ]
Eddy Beliveau wrote on 7/23/2008 9:58:01 AM:

> ('SERVFAIL' error on DNS 'SPF' lookup of 'mail.cga-quebec.org'):

Note this says 'mail.cga-quebec.org' not 'cga-quebec.org' which
was your example. If the HELO hostname 'mail.cga-quebec.org' doesn't
have an SPF record that shouldn't cause an SPF failure, I wouldn't
think. There is something off with their DNS system though since
'mail.cga-quebec.org' gets the failure but 'blah.cga-quebec.org'
returns NXDOMAIN (invalid hostname). mail.cga-quebec.org has different
name servers than cga-quebec.org, so I guess they are just offline.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Hi! I'm a tagline virus - copy me!

~ Taglines by Taglinator - www.srtware.com ~


Re: TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006 [ In reply to ]
On Wednesday 23 July 2008 10:58:01 Eddy Beliveau wrote:
> Hi!
>
> I'm using postfix/smtpd-policy.pl 2.006
> and I have a problem receiving email from domains which are using DNS's SPF
> record
>
> Jul 21 04:05:50 smtpext4 postfix/policy-spf[20420]: : SPF TempError
> ('SERVFAIL' error on DNS 'SPF' lookup of 'mail.cga-quebec.org'):
> HELO/EHLO: mail.cga-quebec.org
> Jul 21 04:05:50 smtpext4 postfix/policy-spf[1238]: : Policy
> action=DEFER_IF_PERMIT SPF-Result=mail.cga-quebec.org: 'SERVFAIL' error
> on DNS 'SPF' lookup of 'mail.cga-quebec.org'
> Jul 21 04:05:50 smtpext4 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from
> mail.cga-quebec.org[69.70.72.86]: 450 4.7.1 <sender1@cga-quebec.org>:
> Sender address rejected: SPF-Result=mail.cga-quebec.org: 'SERVFAIL'
> error on DNS 'SPF' lookup of 'mail.cga-quebec.org';
> from=<sender1@cga-quebec.org> to=<recipient1@hec.ca> proto=ESMTP
> helo=<mail.cga-quebec.org>
>
> # dig +short SPF cga-quebec.org
> 209.172.51.216
>
> # dig +short TXT cga-quebec.org
> "v=spf1 a mx ip4:216.252.70.146 ip4:69.70.72.86 -all"
>
> I noticed incoherences between SPF and TXT records
>
> If I understand correctly, SPF record has priority above TXT record.
>
> Why does it say "'SERVFAIL' error on DNS 'SPF' lookup"?
> Why does it return a "TempError"?

The DNS record type "SPF" is relatively new and some DNS servers do not react
well to type "SPF" queries. I've seen this before, but it is rare. From an
SPF design perspective TempError is the correct SPF result when the domain's
DNS server says it is broken (in the design, all DNS level errors are
considered temporary, even though some, like this, are not really).

> I have this error with many domains which are using misconfigured SPF
> record.TEMPError :
>
> How can I change the behaviour to evaluate TXT record first !!

The policy server uses the Mail::SPF library. This is a function of that
library and not one I can change at the application level. If you are open
to switching applications, the Python implementation does not defer TempError
by default (and can easily be changed in a config file) and the python-spf
library does not query type SPF by default.

I've mentioned this to the Mail::SPF author.

> Am I the only one with that problem ?

It is rare, but certainly not unheard of.

> Any workaround ?

Switching to the Python implementation is the only one I can offer.

Scott K
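
An added example, not part of the original thread and not code from Mail::SPF, smtpd-policy.pl or pyspf: a small model of the record-lookup stage discussed above, showing why an SPF-type-first lookup of the HELO name ends in TempError while a TXT-only lookup does not. The resolver answers are constructed from the log lines and dig output quoted in the thread; the names `FAKE_DNS`, `lookup_spf` and `policy_action`, the assumption that the TXT query for the HELO name answers cleanly, and the use of `DUNNO` as the non-deferring action are illustrative assumptions.

```python
# Added illustration; FAKE_DNS, lookup_spf and policy_action are hypothetical names.
# Constructed resolver answers modelled on the thread: (name, rrtype) -> (rcode, strings)
FAKE_DNS = {
    ("mail.cga-quebec.org", "SPF"): ("SERVFAIL", []),   # as in the quoted log
    ("mail.cga-quebec.org", "TXT"): ("NOERROR", []),    # assumed: TXT answers cleanly
    ("cga-quebec.org", "SPF"): ("NOERROR", ["209.172.51.216"]),  # dig output in the post
    ("cga-quebec.org", "TXT"): ("NOERROR",
        ["v=spf1 a mx ip4:216.252.70.146 ip4:69.70.72.86 -all"]),
}

def lookup_spf(name, rrtypes, dns=FAKE_DNS):
    """Try each RR type in order; return (result, record, rrtype_that_decided)."""
    for rrtype in rrtypes:
        rcode, strings = dns.get((name, rrtype), ("NXDOMAIN", []))
        # Any DNS-level error other than "no such name" is treated as temporary.
        if rcode not in ("NOERROR", "NXDOMAIN"):
            return ("temperror", None, rrtype)
        # Only strings that carry the SPF version tag count as SPF records.
        records = [s for s in strings if s == "v=spf1" or s.startswith("v=spf1 ")]
        if len(records) > 1:
            return ("permerror", None, rrtype)
        if records:
            return ("found", records[0], rrtype)
    return ("none", None, None)

def policy_action(result, defer_on_temperror):
    """Map the lookup result to a Postfix policy action (lookup stage only)."""
    if result == "temperror" and defer_on_temperror:
        return "DEFER_IF_PERMIT"
    # Record evaluation is out of scope here; leave the decision to later checks.
    return "DUNNO"
```

Looking up `cga-quebec.org` succeeds under either ordering in this model, which matches the observation earlier in the thread that the failing lookup is for the HELO name `mail.cga-quebec.org`, not the sender domain.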


Re: TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006 [ In reply to ]
Hi! Scott and Steve.

Many thanks for your replies.

Yes, I would like to give a try to "python-spf"

Do you have a URL explaining how to install the application and its
library?

Thanks again,
Eddy

-------- Original Message --------


>
> The policy server uses the Mail::SPF library. This is a function of that
> library and not one I can change at the application level. If you are open
> to switching applications, the Python implementation does not defer TempError
> by default (and can easily be changed in a config file) and the python-spf
> library does not query type SPF by default.
>
> I've mentioned this to the Mail::SPF author.



Re: TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006 [ In reply to ]
Oops!

I forgot to say that I'm using postfix 2.5.1

Thanks for the howto, if it exists.

Eddy

-------- Original Message --------
Subject: Re: [spf-help] TempError problem with misconfigured SPF record
with postfix/smtpd-policy.pl 2.006
From: eddy beliveau <eddy.beliveau@hec.ca>
To: spf-help@v2.listbox.com
Date: 2008-07-23 14:59

> Hi! Scott and Steve.
>
> Many thanks for your replies.
>
> Yes, I would like to give a try to "python-spf"
>
> Do you have some url explaining how to install the application and its
> library ?
>
> Thanks again,
> Eddy
>
> -------- Original Message --------
>
>
>>
>> The policy server uses the Mail::SPF library. This is a function of
>> that library and not one I can change at the application level. If
>> you are open to switching applications, the Python implementation does
>> not defer TempError by default (and can easily be changed in a config
>> file) and the python-spf library does not query type SPF by default.
>>
>> I've mentioned this to the Mail::SPF author.
>
>
>


Re: TempError problem with misconfigured SPF record with postfix/smtpd-policy.pl 2.006 [ In reply to ]
On Wed, 23 Jul 2008 14:59:22 -0400 eddy beliveau <eddy.beliveau@hec.ca>
wrote:
>Hi! Scott and Steve.
>
>Many thanks for your replies.
>
>Yes, I would like to give a try to "python-spf"
>
>Do you have some url explaining how to install the application and its
>library ?
>
The Python implementation of the SPF policy server can also be found at
http://www.openspf.org/Software and IIRC the included README describes
where to get pyspf and python-dns. They may also be in the package
management system of your OS/distribution.

Scott K

