Mailing List Archive

SPF record problems
2 of our users have recently received the following error messages. We
have a rather complicated setup and I have obviously missed something.
Below the error messages I have listed our setup. I could use any
thoughts on what I need to do to get the SPF record correct to match our
setup.

There was a SMTP communication problem with the recipient's email
server. Please contact your system administrator.

<mail.fishers.in.us #5.5.0 smtp;550 The sender did not meet Sender
Policy Framework rules. Please see http://spf.pobox.com >

And

The following recipient(s) could not be reached:

'k_fox@mail.fletcherchrysler.com' on 3/3/2010 9:23 AM

You do not have permission to send to this recipient. For
assistance, contact your system administrator.

<mail.fishers.in.us #5.7.1 smtp;550 5.7.1 <k_fox@mail.fletcherchrysler.com>...
Relaying denied. IP name possibly forged [64.255.243.147]>

Our current SPF record is: "v=spf1 a mx a:fishers.hamcty.iquest.net
a:fishers2.hamcty.iquest.net a:IP-64-255-243-147.nframe.net
a:IP-64-255-243-150.nframe.net mx:mail4.fishers.in.us
mx:mail3.fishers.in.us mx:mail2.fishers.in.us mx:mail.fishers.in.us
~all"

Our setup is: We have one Exchange server. We have 2 firewalls, each
with a connection to 2 ISPs.

Public IPs for mail server:
208.40.242.35  mail2.fishers.in.us
208.40.242.61  mail3.fishers.in.us
209.43.92.27   mail.fishers.in.us
209.43.92.11   mail4.fishers.in.us

Mail3 and Mail4 are on the secondary firewall and will only work if the
primary is down. (This is not a problem, only stated for information
purposes.)

When mail is translated out through the firewall it is usually tagged as
coming from one of our 4 firewall addresses.

Firewall addresses:
209.43.47.195
64.255.243.150
209.43.47.194
64.255.243.147


At first we had problems with other mail servers performing reverse DNS
lookups since they saw the firewall IPs and not the public IPs of the
mail server. We fixed this issue by having our ISP and domain owner
place pointer records for the firewall IPs to the public IPs.

To add to this, we are also looking to use Symantec Brightmail Gateway.
I am currently testing it by translating the mail2.fishers.in.us mx
record (208.40.242.35) to the internal IP of the gateway.

Here is a link with more information.

http://www.dnsstuff.com/tools/dnsreport?domain=www.fishers.in.us&format=raw&loadresults=true&token=20e1dbb3e23239dc16e2310916d0e017

Thank you,

Isaac Crowe
Sr. Systems Administrator
Town of Fishers
317-595-3478

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
RE: SPF record problems [ In reply to ]
Crowe, Isaac wrote on Thu, Mar 4 2010 at 8:08 am:

> 2 of our users have recently received the following error messages. We
> have a rather complicated setup and I have obviously missed something.
> Below the error messages I have listed our setup. I could use any
> thoughts on what I need to do to get the SPF record correct to match our
> setup.

"Relaying denied" is not an SPF error.

There are several errors in your SPF record:

1) fishers.hamcty.iquest.net does not exist
2) fishers2.hamcty.iquest.net does not exist
3) there is no MX record for the domain mail.fishers.in.us
4) there is no MX record for the domain mail2.fishers.in.us
5) there is no MX record for the domain mail3.fishers.in.us
6) there is no MX record for the domain mail4.fishers.in.us

Not errors, but things I question:
1) IP-64-255-243-147.nframe.net ...is that a static IP? Why not use "ip4:64.255.243.147"?
2) same for IP-64-255-243-150.nframe.net?

I suggest correcting these, and testing your record for validity again using the form based tools at:

http://www.openspf.org/Tools


-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- "My guitar is broken," Tom fretted.

~ Taglines by Taglinator: www.srtware.com ~


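
As an added example (not from this thread or any of its posters), here is a small Python checker that walks an SPF record against a constructed in-memory DNS table, flags the kind of errors listed above (a: names that do not exist, mx: names with no MX record), counts the DNS queries each term costs against the ten-lookup-term limit, and returns the result a receiver would give for a particular connecting address. The FAKE_DNS table, the ORIGINAL and PROPOSED strings, and all function names are assumptions built from the record and addresses quoted in the thread; the script never touches live DNS.

```python
"""Offline SPF record checker (added example; not the poster's or openspf.org's code).

DNS is replaced by a constructed table so the script runs without network access.
The entries reflect what the thread reports: the iquest.net names do not exist,
the mail*.fishers.in.us hosts have A records but no MX, and fishers.in.us has
four MX hosts.  Adjust the table to model any other zone.
"""
import ipaddress

# Constructed DNS data.  A (name, type) pair absent from the table behaves like
# NXDOMAIN / no data, which is exactly the failure the thread is about.
FAKE_DNS = {
    ("fishers.in.us", "A"): ["209.43.125.236"],
    ("fishers.in.us", "MX"): ["mail4.fishers.in.us", "mail3.fishers.in.us",
                              "mail2.fishers.in.us", "mail.fishers.in.us"],
    ("mail.fishers.in.us", "A"): ["209.43.92.27"],
    ("mail2.fishers.in.us", "A"): ["208.40.242.35"],
    ("mail3.fishers.in.us", "A"): ["208.40.242.61"],
    ("mail4.fishers.in.us", "A"): ["209.43.92.11"],
    ("ip-64-255-243-147.nframe.net", "A"): ["64.255.243.147"],
    ("ip-64-255-243-150.nframe.net", "A"): ["64.255.243.150"],
}

# Record quoted in the thread, and a constructed replacement that lists the four
# firewall addresses (the ones mail actually leaves from) as ip4: literals.
ORIGINAL = ('v=spf1 a mx a:fishers.hamcty.iquest.net a:fishers2.hamcty.iquest.net '
            'a:IP-64-255-243-147.nframe.net a:IP-64-255-243-150.nframe.net '
            'mx:mail4.fishers.in.us mx:mail3.fishers.in.us mx:mail2.fishers.in.us '
            'mx:mail.fishers.in.us ~all')
PROPOSED = ('v=spf1 ip4:209.43.47.195 ip4:64.255.243.150 ip4:209.43.47.194 '
            'ip4:64.255.243.147 -all')

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def resolve(name, rtype, table=FAKE_DNS):
    """Case-insensitive lookup in the constructed table; [] means NXDOMAIN."""
    return table.get((name.lower(), rtype), [])


def parse_spf(record):
    """Split an SPF string into (qualifier, mechanism, argument) triples."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means "+" (pass)
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_spf(record, domain, table=FAKE_DNS):
    """Resolve every term; return errors, warnings, query counts and the ordered
    (qualifier, network) list the record ends up matching against."""
    report = {"errors": [], "warnings": [], "networks": [], "default": "neutral",
              "dns_queries": 0, "lookup_terms": 0}

    def add_ips(qual, addrs):
        for a in addrs:     # strict=False accepts both bare hosts and CIDR blocks
            report["networks"].append((qual, ipaddress.ip_network(a, strict=False)))

    for qual, mech, arg in parse_spf(record):
        if mech == "ip4":
            add_ips(qual, [arg])                # raises ValueError on a bad literal
        elif mech == "a":
            target = arg or domain
            report["lookup_terms"] += 1
            report["dns_queries"] += 1
            addrs = resolve(target, "A", table)
            if not addrs:
                report["errors"].append(f"a:{target} does not exist (NXDOMAIN)")
            else:
                add_ips(qual, addrs)
                report["warnings"].append(
                    f"a:{target} = {','.join(addrs)}; an ip4: literal would avoid the lookup")
        elif mech == "mx":
            target = arg or domain
            report["lookup_terms"] += 1
            report["dns_queries"] += 1
            hosts = resolve(target, "MX", table)
            if not hosts:
                report["errors"].append(f"mx:{target} has no MX record")
            for host in hosts:
                report["dns_queries"] += 1      # one A query per MX host
                add_ips(qual, resolve(host, "A", table))
        elif mech == "all":
            report["default"] = RESULT[qual]
            if qual == "~":
                report["warnings"].append("~all only softfails unlisted senders; "
                                          "use -all once the outbound list is complete")
        else:
            report["warnings"].append(f"{mech} is not handled by this checker")
    if report["lookup_terms"] > 10:
        report["errors"].append("more than 10 DNS-querying terms: receivers return permerror")
    return report


def evaluate(record, domain, client_ip, table=FAKE_DNS):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for client_ip."""
    report = check_spf(record, domain, table)
    ip = ipaddress.ip_address(client_ip)
    for qual, net in report["networks"]:
        if ip in net:
            return RESULT[qual]
    return report["default"]


if __name__ == "__main__":
    for label, rec in (("original", ORIGINAL), ("ip4-only", PROPOSED)):
        rep = check_spf(rec, "fishers.in.us")
        print(f"[{label}] queries={rep['dns_queries']} lookup-terms={rep['lookup_terms']}")
        for e in rep["errors"]:
            print("  ERROR:", e)
        for w in rep["warnings"]:
            print("  note:", w)
        for ip in ("64.255.243.147", "209.43.47.195"):
            print(f"  client {ip}: {evaluate(rec, 'fishers.in.us', ip)}")
```

Running it prints six errors and fourteen queries for the quoted record, and a softfail for a firewall address the record never lists, which is the result a receiver applying ~all returns; the ip4-only record costs no queries and gives a clean pass or fail.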
Re: SPF record problems [ In reply to ]
At 14:08 04/03/2010 Thursday, Crowe, Isaac wrote:
>2 of our users have recently received the following error messages. We
>have a rather complicated setup and I have obviously missed something.
>Below the error messages I have listed our setup. I could use any
>thoughts on what I need to do to get the SPF record correct to match our
>setup.

all that steve said and additionally

<removed irrelevant bits> to the job at hand {1 get your SPF fixed}
we can look at {2 whether these errors are SPF related} later

>Our current SPF record is: "v=spf1 a mx a:fishers.hamcty.iquest.net
>a:fishers2.hamcty.iquest.net a:IP-64-255-243-147.nframe.net
>a:IP-64-255-243-150.nframe.net mx:mail4.fishers.in.us
>mx:mail3.fishers.in.us mx:mail2.fishers.in.us mx:mail.fishers.in.us
>~all"

well that's definitely gonna be the cause of many errors considering little of it works/makes sense
breaking it down
assuming:
the domain in question is fishers.in.us
that this is the envelope-sender spf record {as opposed to the HELO domain SPF record}
lines from your spf >
resultant ip's and commentary >

>"v=spf1
=correct
>a
=209.43.125.236= {a usually points to your webserver so is kinda pointless to add to SPF record but if it sends email for you sure but unlikely candidate for first entry in your list {also using A vs ip is silly for hosts in your own zone}
>mx
=209.43.92.11,208.40.242.35,209.43.92.27,208.40.242.61= this seems ok but if {as they seem to be, your mx's are under your control {not outsourced why not save people the 5 extra lookups and list the ip's directly?
>a:fishers.hamcty.iquest.net
=NXDOMAIN= MAJOR ERROR
>a:fishers2.hamcty.iquest.net
=NXDOMAIN= MAJOR ERROR
>a:IP-64-255-243-147.nframe.net
=64.255.243.147= {is this an ip that will move {the only reason for using a:name is if you know the name will stay the same but the ip will/may change irrelevant as it won't likely get past the previous two failures}
>mx:mail4.fishers.in.us mx:mail3.fishers.in.us mx:mail2.fishers.in.us mx:mail.fishers.in.us
=NXDOMAIN= none of the above have MX records and thus it's a big error
>- all
=ok

now just removing all errors and rationalising the above gives
"v=spf1 ip4:209.43.125.236 ip4:209.43.92.11 ip4:208.40.242.35 ip4:209.43.92.27 ip4:208.40.242.61 ip4:64.255.243.147 -all"

saving clients the additional and unnecessary 7 successful DNS requests and 6 failing ones

>Our setup is: We have one exchange server. We have 2 firewalls, each
>with a connection to 2 ISP's.

yup multi homing can be difficult and messy but not really relevant to discussion
{we only need to know the IPs you connect out using {not your MXs or incoming} some people may use the same ip's for both but it's not a safe assumption to make}

>Public IP's for mail server: 208.40.242.35 mail2.fishers.in.us
>
> 208.40.242.61 mail3.fishers.in.us
>
> 209.43.92.27 mail.fishers.in.us
>
> 209.43.92.11 mail4.fishers.in.us

you claimed above to have only one server?? but these are ips it uses to talk outbound?

>Mail3 and Mail4 are on the secondary firewall and will only work if the
>primary is down. ( this is not a problem, only stated for information
>purposes )

seems you need a better firewall/routing setup as I've setup many multi-site nets and all ips should be serviced by live/standby firewalls seamlessly {but again irrelevant}

>When mail is translated out through the firewall it is usually tagged as
>coming from one of our 4 firewall address.

ok so none of the above ips is used for outgoing? or they are sometimes??

>Firewall addresses: 209.43.47.195
>
> 64.255.243.150
>
> 209.43.47.194
>
> 64.255.243.147

these though are used for outgoing
then the spf record should be

v=spf1 ip4:209.43.47.195 ip4:64.255.243.150 ip4:209.43.47.194 ip4:64.255.243.147 -all
or if the others are also used occasionally for outgoing connections

v=spf1 ip4:209.43.47.195 ip4:64.255.243.150 ip4:209.43.47.194 ip4:64.255.243.147 ip4:208.40.242.35 ip4:208.40.242.61 ip4:209.43.92.27 ip4:209.43.92.11 -all

>At first we had problems with other mail servers performing reverse dns
>lookups since they saw the firewall IP's and not the public IP's of the
>mail server. We fixed this issue by having our IPS and domain owner
>place pointer records for the firewall ip's to the public IP's.

yes any IP connecting to a mail server needs to have a PTR that points to an A that points to the same IP {FQRDNS}
that's just standard for any network nothing to do with spf or your/anyones domain

>To add to this, we also are looking to use Symantec Brightmail Gateway.
>I am currently testing it my translating the mail2.fishers.in.us mx
>record (208.40.242.35) to the internal ip of the gateway.

utterly irrelevant and mail2.fishers.in.us has no mx record
you mean "by translating the mail2.fishers.in.us IP address (208.40.242.35) to the internal ip of the gateway."

please do not confuse things by mis-using the language


-------------------------
now once you have a correctly working envelope-sender SPF record for your domain {using one of the two I have supplied above

we need to look at fixing the major issue with your HELO domains and PTR records

{from your mail to the list
Received: from mail.fishers.in.us (unknown [64.255.243.147]) by ......

the ptr for 64.255.243.147 claims its name is mail.fishers.in.us
the A record for mail.fishers.in.us
claims its IP is 209.43.92.27

thus as far as receivers are concerned YOU state the PTR record to be a FORGERY
and your HELO greeting also is claimed to be a forgery
this is likely why your email is being refused by sensible mail servers {mine wouldn't let it get past RCPT}

quickest fix {short of re-vamping your whole PTR<>A "system" which would be the best long term plan}
first the name mail.fishers.in.us is used in your HELO greeting so we will leave that one be {as i assume the mailserver cannot be easily modified}

so first setup 2 new names say
mx10.fishers.in.us set its A record to be 209.43.92.27
and
reverse1.mxout.fishers.in.us set its A record to be 64.255.243.147
{they can be anything but some old crazy systems award extra brownie points for .mxout. in sending system ptr so why not add it}

wait 24 hours till all dns servers have new records
then get PTR for 64.255.243.147 changed to reverse1.mxout.fishers.in.us

so now PTR > name > IP so you succeed in ptr checks {stage 1 passed}

next
fix mx records for fishers.in.us
so that instead of the line referencing
mail.fishers.in.us use mx10.fishers.in.us

wait 24 hours..

then update record for mail.fishers.in.us to include all ips it connects and greets from {so HELO verification checks succeed stage2 passed}

alternatively read the rationale here http://www.alandoherty.net/info/mailservers/

or contact me directly SKYPE/MSN whatever {mail will NOT work with your current setup} and i can go through all the other ways we can fix the huge mess that is your current setup



