From: Ben Spencer
Date: 2006-12-15 16:09:57 -0500
Subject: Trying to understand SPF a little better
More information..: http://www.milter.info/#Support
As we have had issues with SPF checks and poorly configured domains, I
am trying to get a better handle on how SPF checks work and how the
milter-spiff milter handles certain circumstances.
I have masked the problem domain in order to protect the guilty. Only
pertinent lines are included below.
Line Log Line
1 NOQUEUE: connect from mail3.domain.com [a.b.c.d]
2 NOQUEUE: filterOpen(aa103f48, 'mail3.domain.com', [a.b.c.d])
3 NOQUEUE: filterHelo(aa103f48, 'S900PXEXCFEN02.domain.org')
4 enter spfCheck(ac8f1800, s900pxexcfen02.domain.org, '(null)')
ip=a.b.c.d helo=unknown mail=postmaster@S900PXEXCFEN02.domain.org
5 exit DnsGet(9ae61b8, TXT=16, 1, s900pxexcfen02.domain.org)
Vector=0 rc=2 error=DNS server failure
6 exit spfCheck(ac8f1800, s900pxexcfen02.domain.org, '(null)')
result=TempError error=DNS server failure
7 enter spfCheck(ac8f1820, domain.com, '(null)') ip=a.b.c.d
8 exit DnsGet(9ae61b8, TXT=16, 1, domain.com) Vector=9b36968 rc=3
9 exit spfCheck(ac8f1820, domain.com, '(null)') result=None
spfCheckResult(9af6dd0) spfHelo=TempError spfMail=None
10 reply 451 4.4.3 HELO S900PXEXCFEN02.domain.org from a.b.c.d SPF
result TempError: DNS server failure
11 milter=milter-spiff, action=rcpt, reject=451 4.4.3 HELO
S900PXEXCFEN02.domain.org from a.b.c.d SPF result TempError: DNS
I understand why it gave a temp error (look ups on domain.org do not
work and domain.com doesn't have a TXT record), however, I do not
understand why the message was rejected since spfMail=None. I was unable
to find in the RFC precedence information when MAIL FROM and HELO
results disagree with each other. It seems in places that the safest
option (Pass if either MAIL FROM or HELO says pass) option is chosen by
milter-spiff, except in this case.
Thanks for any insight into this and SPF.
(Hopefully that was understandable)
Copyright 2009, 2012 by SnertSoft. All rights reserved.