[milters] Archive

Lists Index Date Thread Search

Article: 1375
From: Ben Spencer
Date: 2006-12-15 16:09:57 -0500
Subject: Trying to understand SPF a little better

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

As we have had issues with SPF checks and poorly configured domains, I
am trying to get a better handle on how SPF checks work and how the
milter-spiff milter handles certain circumstances.

I have masked the problem domain in order to protect the guilty. Only
pertinent lines are included below.

Line	Log Line
---------------
  1	NOQUEUE: connect from mail3.domain.com [a.b.c.d]
  2	NOQUEUE: filterOpen(aa103f48, 'mail3.domain.com', [a.b.c.d])
  3	NOQUEUE: filterHelo(aa103f48, 'S900PXEXCFEN02.domain.org')
  4	enter spfCheck(ac8f1800, s900pxexcfen02.domain.org, '(null)')
ip=a.b.c.d helo=unknown mail=postmaster@S900PXEXCFEN02.domain.org
  5	exit  DnsGet(9ae61b8, TXT=16, 1, s900pxexcfen02.domain.org)
Vector=0 	rc=2 error=DNS server failure
  6	exit  spfCheck(ac8f1800, s900pxexcfen02.domain.org, '(null)')
result=TempError error=DNS server failure
  7	enter spfCheck(ac8f1820, domain.com, '(null)') ip=a.b.c.d
helo=S900PXEXCFEN02.domain.org mail=someone@domain.com
  8	exit  DnsGet(9ae61b8, TXT=16, 1, domain.com) Vector=9b36968 rc=3
error=DNS undefined
  9	exit  spfCheck(ac8f1820, domain.com, '(null)') result=None
error=
	spfCheckResult(9af6dd0) spfHelo=TempError spfMail=None
 10	reply 451 4.4.3 HELO S900PXEXCFEN02.domain.org from a.b.c.d SPF
result 	TempError: DNS server failure
 11	milter=milter-spiff, action=rcpt, reject=451 4.4.3 HELO
S900PXEXCFEN02.domain.org from a.b.c.d SPF result TempError: DNS
server failure

I understand why it gave a temp error (look ups on domain.org do not
work and domain.com doesn't have a TXT record), however, I do not
understand why the message was rejected since spfMail=None. I was unable
to find in the RFC precedence information when MAIL FROM and HELO
results disagree with each other. It seems in places that the safest
option (Pass if either MAIL FROM or HELO says pass) option is chosen by
milter-spiff, except in this case.

Thanks for any insight into this and SPF.
Benji

(Hopefully that was understandable)
---
Benji Spencer
System Administrator
Ph: 312-329-2288


Lists Index Date Thread Search