[milters] Archive

Lists Index Date Thread Search

Article: 828
From: Scott Presnell
Date: 2006-02-21 11:53:21 -0500
Subject: milter-spiff, milter-sender, and mx forwarding

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Hi milter folks,
	I had an interesting interaction happen in milter land, and I'm
wondering if there's a better way to configure milters and sendmail to
manage the situation.  In short:

1) a friend with a msn.com account sends an e-mail to me:
	a) milter-spiff passes (valid spf records)
	b) milter-sender tempfails, as mx.hotmail.com is not answering.

This happens 3-4 times, and then hotmail.com must have forward the message
to a secondary mx host service I have contracted, but I don't have control
over; dnsmadeeasy.com.

2) mail comes from mx1.dnsmadeeasy.com, with an envelope from <friend@msn.com>
	a) milter-spiff fails as hotmail.com spf records don't match mx1.dnsmadeeasy.com
	connection.
	b) (milter-sender passes :-).

(log files are below if you want to look).

I understand that I should have set mx1.dnsmadeeasy.com as a RELAY in /etc/mail/access.
I have now done that. /etc/mail/access:

milter-spiff-Connect:dnsmadeeasy.com    RELAY

But, that would allow all mx fowarded mail to pass unchecked by milter-spiff.  I guess
ultimately that's what has to happen because we can't correctly perform an SPF check
against this connection?

I also understand that I am using SPF in a reject"ing" mode where I could use it
just
to tag. But the situation clearly demonstrates a limitation of SPF especially as pertains
to the greylisting functions of milter-sender and/or offsite MX hosting.

My question: is there a better way to handle/configure for this series of events?

	Thanks for any clues or help.

	- Scott


section 1):
>
Feb 20 12:58:40 high milter-spiff[3956]: 02242 k1KKweFk026712: filterMail(8067100,
80651a0) MAIL='<darlenef@msn.com>'
Feb 20 12:58:40 high milter-spiff[3956]: enter spfCheck(ba9ffd98, msn.com) ip=65.54.229.77
helo=hotmail.com mail=darlenef@msn.com
Feb 20 12:58:40 high milter-spiff[3956]: enter DnsOpen()
Feb 20 12:58:40 high milter-spiff[3956]: DnsSetTimeout(8066c00, 5000)
Feb 20 12:58:40 high milter-spiff[3956]: DnsSetRounds(8066c00, 4)
Feb 20 12:58:40 high milter-spiff[3956]: exit  DnsOpen() Dns=8066c00
Feb 20 12:58:40 high milter-spiff[3956]: enter DnsGet(8066c00, TXT=16, 1, msn.com)
Feb 20 12:58:40 high milter-spiff[3956]: exit  DnsGet(8066c00, TXT=16, 1, msn.com)
Vector=8067500 rc=0 error=
Feb 20 12:58:40 high milter-spiff[3956]: domain=msn.com TXT=v=spf1
include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all
Feb 20 12:58:40 high milter-spiff[3956]: enter spfCheck(ba9ffd98, spf-a.hotmail.com)
ip=65.54.229.77 helo=hotmail.com mail=darlenef@msn.com
Feb 20 12:58:40 high milter-spiff[3956]: enter DnsOpen()
Feb 20 12:58:40 high milter-spiff[3956]: DnsSetTimeout(8077000, 5000)
Feb 20 12:58:40 high milter-spiff[3956]: DnsSetRounds(8077000, 4)
Feb 20 12:58:40 high milter-spiff[3956]: exit  DnsOpen() Dns=8077000
Feb 20 12:58:40 high milter-spiff[3956]: enter DnsGet(8077000, TXT=16, 1,
spf-a.hotmail.com)
Feb 20 12:58:40 high milter-spiff[3956]: exit  DnsGet(8077000, TXT=16, 1,
spf-a.hotmail.com) Vector=8067780 rc=0 error=
Feb 20 12:58:40 high milter-spiff[3956]: domain=spf-a.hotmail.com TXT=v=spf1
ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15
ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24
ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all
Feb 20 12:58:40 high milter-spiff[3956]: DnsClose(8077000)
Feb 20 12:58:40 high milter-spiff[3956]: exit  spfCheck(ba9ffd98, spf-a.hotmail.com)
result=Pass error=
Feb 20 12:58:40 high milter-spiff[3956]: DnsClose(8066c00)
Feb 20 12:58:40 high milter-spiff[3956]: exit  spfCheck(ba9ffd98, msn.com) result=Pass
error=
Feb 20 12:58:40 high milter-spiff[3956]: 02242 k1KKweFk026712: sender
<darlenef@msn.com> via 65.54.229.77 SPF result Pass; 
Feb 20 12:58:40 high milter-spiff[3956]: 02242 k1KKweFk026712: spfCheckResult(806d000)
spfHelo=Pass spfMail=Pass
Feb 20 12:58:40 high milter-spiff[3956]: spfAction(24, 0=Pass) rc=3
Feb 20 12:58:40 high milter-spiff[3956]: spfAction(44, 0=Pass) rc=3
Feb 20 12:58:40 high milter-sender[8393]: 00841 k1KKweFk026712:
MAIL='<darlenef@msn.com>' auth_authen='' mail_addr='darlenef@msn.com'
mail_host='msn.com.' mail_mailer='esmtp'
Feb 20 12:58:40 high milter-sender[8393]: 00841 k1KKweFk026712: enter mxCallBack()
Feb 20 13:02:26 high milter-sender[8393]: 00841 k1KKweFk026712: reply 450 4.7.1 MX 5
'mx3.hotmail.com.' [64.4.50.179] for <darlenef@msn.com> not answering
Feb 20 13:02:26 high milter-sender[8393]: 00841 k1KKweFk026712: exit mxCallBack() rc=4
Feb 20 13:02:26 high milter-report[24863]: 02543 k1KKweFk026712: filterAbort(8068200)
smfi_dsn='' smfi_last_msg=''
Feb 20 13:02:26 high milter-report[24863]: 02543 k1KKweFk026712: cacheGet(8070000,
postmaster, babffedc)
Feb 20 13:02:26 high sm-mta[26712]: k1KKweFk026712: Milter: from=<darlenef@msn.com>,
reject=450 4.7.1 MX 5 'mx3.hotmail.com.' [64.4.50.179] for <darlenef@msn.com> not
answering
Feb 20 13:02:26 high milter-report[24863]: 02543 k1KKweFk026712: rcpt=postmaster vuser=
report=Mon Feb 20 13:02:26 2006 k1KKweFk026712 <darlenef@msn.com>
(bay110-dav5.bay110.hotmail.com [65.54.229.77]);


section 2):

>
Feb 20 19:14:38 high milter-report[24863]: 02653 NOQUEUE: filterOpen(8068200,
'mx1.dnsmadeeasy.com', [205.234.170.136])
Feb 20 19:14:38 high milter-spiff[3956]: 02352 NOQUEUE: filterOpen(8067100,
'mx1.dnsmadeeasy.com', [205.234.170.136])
Feb 20 19:14:38 high milter-sender[8393]: 00951 NOQUEUE: filterOpen(806f280,
'mx1.dnsmadeeasy.com', [205.234.170.136])
Feb 20 19:14:38 high milter-spiff[3956]: 02352 NOQUEUE: filterHelo(8067100,
'mx1.dnsmadeeasy.com')
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd88, mx1.dnsmadeeasy.com)
ip=205.234.170.136 helo=unknown mail=postmaster@mx1.dnsmadeeasy.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8066c00, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8066c00, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8066c00
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8066c00, TXT=16, 1,
mx1.dnsmadeeasy.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8066c00, TXT=16, 1,
mx1.dnsmadeeasy.com) Vector=8067400 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=mx1.dnsmadeeasy.com TXT=v=spf1 a -all
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8066c00, A=1, 1,
mx1.dnsmadeeasy.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8066c00, A=1, 1,
mx1.dnsmadeeasy.com) Vector=8067400 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8066c00)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd88, mx1.dnsmadeeasy.com)
result=Pass error=
Feb 20 19:14:38 high milter-spiff[3956]: 02352 NOQUEUE: HELO mx1.dnsmadeeasy.com from
205.234.170.136 SPF result Pass; 
Feb 20 19:14:38 high milter-sender[8393]: 00951 NOQUEUE: enter filterHelo(806f280,
'mx1.dnsmadeeasy.com')
Feb 20 19:14:38 high milter-sender[8393]: 00951 NOQUEUE: HELO='mx1.dnsmadeeasy.com'
if_addr='192.168.38.59' tls_version=''
Feb 20 19:14:38 high milter-sender[8393]: 00951 NOQUEUE: client_name='mx1.dnsmadeeasy.com'
client_addr='205.234.170.136' client_resolve='OK' verify=''
Feb 20 19:14:38 high milter-sender[8393]: 00951 NOQUEUE: exit filterHelo(806f280,
'mx1.dnsmadeeasy.com')
Feb 20 19:14:38 high milter-report[24863]: 02653 k1L3EcPo017264: filterMail(8068200,
80661a0) MAIL='<darlenef@msn.com>'
Feb 20 19:14:38 high milter-spiff[3956]: 02352 k1L3EcPo017264: filterMail(8067100,
80651a0) MAIL='<darlenef@msn.com>'
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd98, msn.com)
ip=205.234.170.136 helo=mx1.dnsmadeeasy.com mail=darlenef@msn.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8066c00, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8066c00, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8066c00
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8066c00, TXT=16, 1, msn.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8066c00, TXT=16, 1, msn.com)
Vector=8067500 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=msn.com TXT=v=spf1
include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd98, spf-a.hotmail.com)
ip=205.234.170.136 helo=mx1.dnsmadeeasy.com mail=darlenef@msn.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8077000, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8077000, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8077000
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8077000, TXT=16, 1,
spf-a.hotmail.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8077000, TXT=16, 1,
spf-a.hotmail.com) Vector=8067780 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=spf-a.hotmail.com TXT=v=spf1
ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15
ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24
ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8077000)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd98, spf-a.hotmail.com)
result=SoftFail error=
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd98, spf-b.hotmail.com)
ip=205.234.170.136 helo=mx1.dnsmadeeasy.com mail=darlenef@msn.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8077000, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8077000, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8077000
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8077000, TXT=16, 1,
spf-b.hotmail.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8077000, TXT=16, 1,
spf-b.hotmail.com) Vector=8067780 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=spf-b.hotmail.com TXT=v=spf1
ip4:199.103.90.0/23 ip4:204.182.144.0/24 ip4:204.255.244.0/23 ip4:206.138.168.0/21
ip4:64.4.0.0/18 ip4:65.54.128.0/17 ip4:207.68.128.0/18 ip4:207.68.192.0/20
ip4:207.82.250.0/23 ip4:207.82.252.0/23 ip4:209.1.112.0/23 ~all
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8077000)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd98, spf-b.hotmail.com)
result=SoftFail error=
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd98, spf-c.hotmail.com)
ip=205.234.170.136 helo=mx1.dnsmadeeasy.com mail=darlenef@msn.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8077000, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8077000, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8077000
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8077000, TXT=16, 1,
spf-c.hotmail.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8077000, TXT=16, 1,
spf-c.hotmail.com) Vector=8067780 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=spf-c.hotmail.com TXT=v=spf1
ip4:209.185.128.0/23 ip4:209.185.130.0/23 ip4:209.185.240.0/22 ip4:216.32.180.0/22
ip4:216.32.240.0/22 ip4:216.33.148.0/22 ip4:216.33.151.0/24 ip4:216.33.236.0/22
ip4:216.33.240.0/22 ip4:216.200.206.0/24 ip4:204.95.96.0/20 ~all
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8077000)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd98, spf-c.hotmail.com)
result=SoftFail error=
Feb 20 19:14:38 high milter-spiff[3956]: enter spfCheck(bafffd98, spf-d.hotmail.com)
ip=205.234.170.136 helo=mx1.dnsmadeeasy.com mail=darlenef@msn.com
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsOpen()
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetTimeout(8077000, 5000)
Feb 20 19:14:38 high milter-spiff[3956]: DnsSetRounds(8077000, 4)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsOpen() Dns=8077000
Feb 20 19:14:38 high milter-spiff[3956]: enter DnsGet(8077000, TXT=16, 1,
spf-d.hotmail.com)
Feb 20 19:14:38 high milter-spiff[3956]: exit  DnsGet(8077000, TXT=16, 1,
spf-d.hotmail.com) Vector=8067780 rc=0 error=
Feb 20 19:14:38 high milter-spiff[3956]: domain=spf-d.hotmail.com TXT=v=spf1
ip4:65.59.232.0/23 ip4:65.59.234.0/24 ip4:209.1.15.0/24 ip4:64.41.193.0/24
ip4:216.34.51.0/24 ~all
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8077000)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd98, spf-d.hotmail.com)
result=SoftFail error=
Feb 20 19:14:38 high milter-spiff[3956]: DnsClose(8066c00)
Feb 20 19:14:38 high milter-spiff[3956]: exit  spfCheck(bafffd98, msn.com) result=SoftFail
error=
Feb 20 19:14:38 high milter-spiff[3956]: 02352 k1L3EcPo017264: sender
<darlenef@msn.com> via 205.234.170.136 SPF result SoftFail; 
Feb 20 19:14:38 high milter-spiff[3956]: 02352 k1L3EcPo017264: spfCheckResult(806d000)
spfHelo=Pass spfMail=SoftFail
Feb 20 19:14:38 high milter-spiff[3956]: spfAction(24, 0=Pass) rc=3
Feb 20 19:14:38 high milter-spiff[3956]: spfSoftFailAction(44) rc=1
Feb 20 19:14:38 high milter-spiff[3956]: spfAction(44, 4=SoftFail) rc=1
Feb 20 19:14:38 high milter-spiff[3956]: 02352 k1L3EcPo017264: reply 550 5.7.1 sender
<darlenef@msn.com> via 205.234.170.136 SPF result SoftFail; 
Feb 20 19:14:38 high milter-report[24863]: 02653 k1L3EcPo017264: filterAbort(8068200)
smfi_dsn='' smfi_last_msg=''
Feb 20 19:14:38 high sm-mta[17264]: k1L3EcPo017264: in MILTER_REPLY "from"
state=121 response=550 5.7.1 sender <darlenef@msn.com> via 205.234.170.136 SPF
result SoftFail; 
Feb 20 19:14:38 high milter-report[24863]: 02653 k1L3EcPo017264: cacheGet(8070000,
postmaster, ba9ffedc)
Feb 20 19:14:38 high sm-mta[17264]: k1L3EcPo017264: Milter: from=<darlenef@msn.com>,
reject=550 5.7.1 sender <darlenef@msn.com> via 205.234.170.136 SPF result SoftFail; 

Lists Index Date Thread Search