From andre.esser at geneity.co.uk Wed Nov 26 09:32:42 2014
From: andre.esser at geneity.co.uk (Andre Esser)
Date: Wed, 26 Nov 2014 14:32:42 +0000
Subject: [Pymilter] Failed SPF checks for _spf.google.com
Message-ID: <5475E48A.4080000@geneity.co.uk>

Hi,

Apologies in advance if this isn't the right place for my problem.

I'm seeing strange behaviour of the SPF module for Python. The issue
is that an SPF lookup for _spf.google.com returns 'None':

    # python3 /usr/lib/python3/dist-packages/spf.py _spf.google.com
    None

The equivalent query with dig on the same server however succeeds:

    # dig _spf.google.com txt +short
    "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com \
    include:_netblocks3.google.com ~all"

After some more testing, I found out that when switching the server to
Google's DNS server 8.8.8.8, the first lookup also succeeds:

    # python3 /usr/lib/python3/dist-packages/spf.py _spf.google.com
    v=spf1 include:_netblocks.google.com include:_netblocks2.google.com \
    include:_netblocks3.google.com ~all

I then ran a tcpdump (filtered by port 53) on the server in question
during the Python SPF checks.

The output for "python3 /usr/lib/python3/dist-packages/spf.py
_spf.google.com" (returning 'None'), ran against our own name server,
was:

    14:04:35.060613 IP 10.33.192.15.3732 > 10.33.192.21.53: 8569+ \
    TXT? _spf.google.com. (33)
    14:04:35.061556 IP 10.33.192.21.53 > 10.33.192.15.3732: 8569 \
    1/4/4 TXT "v=spf1 include:_netblocks.google.com \
    include:_netblocks2.google.com include:_netblocks3.google.com \
    ~all" (323)

Running the same lookup using Google's 8.8.8.8 (returning the correct
TXT/SPF record) yielded:

    14:05:36.688605 IP 10.33.192.15.52896 > 8.8.8.8.53: 40951+ \
    TXT? _spf.google.com. (33)
    14:05:36.690980 IP 8.8.8.8.53 > 10.33.192.15.52896: 40951 \
    1/0/0 TXT "v=spf1 include:_netblocks.google.com \
    include:_netblocks2.google.com include:_netblocks3.google.com \
    ~all" (149)

The only difference I can make out are the different flags (1/4/4 vs
1/0/0).

Would this indicate a configuration problem on our name server, or a
bug in pyspf, or perhaps something completely different?

Environment:

- Ubuntu 14.04 on x86_64
- python3-spf 2.0.10
- python3-dns 3.0.4

Thanks,

Andre

-- 
Andre Esser, IT Manager, Geneity Ltd
80 Hammersmith Road, London, W14 8UD
Registered in England, No. 05676580


From stuart at bmsi.com Sat Nov 29 00:27:15 2014
From: stuart at bmsi.com (Stuart D Gathman)
Date: Sat, 29 Nov 2014 00:27:15 -0500 (EST)
Subject: [Pymilter] Failed SPF checks for _spf.google.com
In-Reply-To: <5475E48A.4080000@geneity.co.uk>
References: <5475E48A.4080000@geneity.co.uk>
Message-ID:

On Nov 26, Andre Esser transmitted in part:

> I'm seeing strange behaviour of the SPF module for Python. The issue
> is that an SPF lookup for _spf.google.com returns 'None':
>
> # python3 /usr/lib/python3/dist-packages/spf.py _spf.google.com
> None
>
> The equivalent query with dig on the same server however succeeds:
>
> # dig _spf.google.com txt +short
> "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com \
> include:_netblocks3.google.com ~all"

Just back from Thanksgiving, but shooting from the hip - there is a
known bug (that I need to release the fix for) where some caching
nameservers case fold domains stored in their cache. This means that
the initial query may have a different case than subsequent queries.
The internal cache in pyspf needs to also case fold cache entries.
Although I wonder if this workaround fails when the caching server
folds to upper case instead of lower case.

I cannot be certain that is what is happening in your case, but that
kind of weirdness is typical of the presentation.

I have not released the fix because I *really* want to have a good way
of exercising it in the test suite. Which currently doesn't have a way
to return a sequence of results for a given query in the test DNS data.
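
The failure mode described in the reply above, as an added example that is
not part of the thread and is not pyspf's code: a simplified answer cache
keyed on the owner name the server returns, driven by a stub resolver that
returns a scripted sequence of responses for one query. The class names, the
fold_case switch and the upper-cased owner name are assumptions made for
illustration; the TXT record is the one quoted in the thread.

```python
# Added illustration: a simplified model, not pyspf's code. Names are hypothetical.
RECORD = ("v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
          "include:_netblocks3.google.com ~all")
# Constructed responses: the first answer comes back with a case-folded owner name.
SCRIPT = {("_spf.google.com", "TXT"): [
    [(("_SPF.GOOGLE.COM", "TXT"), RECORD)],
    [(("_spf.google.com", "TXT"), RECORD)],
]}


class ScriptedDNS:
    """Stub resolver: successive queries for one name get successive responses."""

    def __init__(self, script):
        self.script = {k: list(v) for k, v in script.items()}  # private copy

    def lookup(self, name, qtype):
        queue = self.script[(name.lower(), qtype)]
        # Hand out responses in order; keep repeating the last one.
        return queue.pop(0) if len(queue) > 1 else queue[0]


class CachingLookup:
    """Caches every returned record under the owner name found in the response."""

    def __init__(self, resolver, fold_case):
        self.resolver = resolver
        self.fold_case = fold_case
        self.cache = {}

    def _key(self, name, qtype):
        name = name.rstrip(".")
        return (name.lower() if self.fold_case else name, qtype)

    def txt(self, name):
        key = self._key(name, "TXT")
        if key not in self.cache:
            for (owner, rtype), value in self.resolver.lookup(name, "TXT"):
                self.cache.setdefault(self._key(owner, rtype), []).append(value)
        # Without folding, an owner name in a different case is stored under a
        # key that never matches the query, so the lookup yields None.
        return self.cache.get(key)


def demo(fold_case):
    """Return the results of two consecutive lookups of the same name."""
    lookup = CachingLookup(ScriptedDNS(SCRIPT), fold_case)
    return lookup.txt("_spf.google.com"), lookup.txt("_spf.google.com")


if __name__ == "__main__":
    print("exact-match keys:", demo(False))
    print("case-folded keys:", demo(True))
```

Folding on both insert and lookup makes the result independent of whether the
server folded the owner name to upper or lower case.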