[Pymilter] Issue with spfmilter?

Stuart Gathman stuart at gathman.org
Fri Mar 9 08:03:06 EST 2018


On 03/09/2018 03:28 AM, Harald Hannelius wrote:
>
> sorry if I'm being rude and contacting you. I'm not used to GitHub
> and don't know how to discuss problems I'm seeing with spfmilter.py.
> Please give me advice if this is the wrong way.
It would help more people if you used the mailing list.  I am
subscribing you. 
>
> I have a domain in Sweden, that when sending e-mail a few e-mails pass
> the milter's SPF-check but then I get one sender that gets a Void
> lookup error.
That is almost certainly correct.  The sender policy has a non-existent
domain.  Per RFC7208, the default limit for void lookups is 2.  However,
this is an optional test, and your other tools may not implement this or
may use a different limit.

RFC7208 4.6.4/7

   As described at the end of Section 11.1, there may be cases where it
   is useful to limit the number of "terms" for which DNS queries return
   either a positive answer (RCODE 0) with an answer count of 0, or a
   "Name Error" (RCODE 3) answer.  These are sometimes collectively
   referred to as "void lookups".  SPF implementations SHOULD limit
   "void lookups" to two.  An implementation MAY choose to make such a
   limit configurable.  In this case, a default of two is RECOMMENDED.
   Exceeding the limit produces a "permerror" result.


We cannot look at the sender policy in question to point out the null
lookup, because you did not mention the domain!

There is currently no config option for the void lookup limit (I should
add it, it would be simple).  You can add a line to spfmilter.py
to change the "constant" after importing spf:

  spf.MAX_VOID_LOOKUPS = 2  # default is 2 - make it bigger if you insist. 

However, the sender should fix his policy.  The void lookups are limited
to prevent DNS amplification attacks.
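
Added example, not part of the original message and not pyspf code: a small evaluator that counts void lookups as RFC 7208 4.6.4 describes, showing why a policy with three dead names ends in permerror before its ip4 term is reached. ZONE, term_lookup and check_host are hypothetical names, the DNS data is constructed, and only the a:, ip4: and all mechanisms are handled.

```python
# Constructed DNS data for illustration. A name missing from ZONE models
# NXDOMAIN (RCODE 3); an empty list models RCODE 0 with zero answers.
ZONE = {
    "broken.example": {"TXT": ["v=spf1 a:gone1.example a:gone2.example "
                               "a:gone3.example ip4:192.0.2.10 -all"]},
    "tidy.example": {"TXT": ["v=spf1 a:gone1.example ip4:192.0.2.10 -all"]},
    "gone2.example": {"A": []},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The policy cannot be evaluated (RFC 7208 permerror)."""


def term_lookup(name, rtype, state):
    """Resolve a name for one SPF term, counting void lookups."""
    answers = ZONE.get(name, {}).get(rtype, [])
    if not answers:
        state["void"] += 1
        if state["void"] > state["max_void"]:
            raise PermError("void lookup limit exceeded")
    return answers


def check_host(ip, domain, max_void=2):
    """Return (result, void_lookups) for a subset of SPF: a:, ip4:, all."""
    state = {"void": 0, "max_void": max_void}
    record = next((t for t in ZONE.get(domain, {}).get("TXT", [])
                   if t.startswith("v=spf1")), None)
    if record is None:
        return "none", 0
    try:
        for term in record.split()[1:]:  # terms are evaluated left to right
            qualifier = term[0] if term[0] in RESULTS else "+"
            mech = term.lstrip("+-~?")
            if mech == "all":
                matched = True
            elif mech.startswith("ip4:"):
                matched = ip == mech[4:]  # exact address only, no CIDR
            elif mech.startswith("a:"):
                matched = ip in term_lookup(mech[2:], "A", state)
            else:
                raise PermError("mechanism not handled here: " + mech)
            if matched:
                return RESULTS[qualifier], state["void"]
    except PermError:
        return "permerror", state["void"]
    return "neutral", state["void"]
```

Raising max_void to 3 lets the broken policy reach its ip4 term, which is the effect of enlarging the limit on the receiving side; removing the dead names from the policy gives the same result at every receiver.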




