[Pymilter] Issue with spfmilter?

Harald Hannelius harald at iki.fi
Fri Mar 9 08:14:00 EST 2018


On Fri, 9 Mar 2018, Stuart Gathman wrote:
> On 03/09/2018 03:28 AM, Harald Hannelius wrote:
>>
>> Sorry if I'm being rude and contacting you. I'm not used to GitHub
>> and don't know how to discuss problems I'm seeing with spfmilter.py.
>> Please give me advice if this is the wrong way.
> It would help more people if you used the mailing list.  I am
> subscribing you. 

Thank You, and hello all.

>> I have a domain in Sweden, that when sending e-mail a few e-mails pass
>> the milter's SPF-check but then I get one sender that gets a Void
>> lookup error.
> That is almost certainly correct.  The sender policy has a non-existent
> domain.  Per RFC7208, the default limit for void lookups is 2.  However,
> this is an optional test, and your other tools may not implement this or
> may use a different limit.

Sorry, the domain is mdh.se and they have an SPF-record. It validates OK 
on both mxtoolbox and kitterman.com tests.

I then noted that if I telnet the IPv6-address of my SMTP-gateway, and 
pretend to send from mdh.se I get the "Void lookup" error every time. If I 
telnet the IPv4-address, the test succeeds.

Also, please consider this log-excerpt;

Mar  9 09:59:37 gateway sm-mta[12962]: w297xYG3012962: Milter: 
from=<some.one at mdh.se>, reject=550-5.5.2 SPF Permanent Error: Void lookup 
limit of 2 exceeded\r\n550-5.5.2 There is a fatal syntax error in the SPF 
record for mdh.se\r\n550 5.5.2 We cannot accept mail from mdh.se until 
this is corrected.
Mar  9 09:59:37 gateway sm-mta[12962]: w297xYG3012962: 
from=<some.one at mdh.se>, size=94241, class=0, nrcpts=0, proto=ESMTPS, 
daemon=MTA, relay=mail-ve1eur01on0728.outbound.protection.outlook.com 
[IPv6:2a01:111:f400:fe1f:0:0:0:728]

The first try to deliver failed.

Mar  9 10:00:59 gateway sm-mta[13277]: w2980uun013277: 
from=<some.one at mdh.se>, size=86456, class=0, nrcpts=1, 
msgid=<C241EFC4-7415-44BF-8EEA-622E83BAF21D at mdh.se>, proto=ESMTPS, 
daemon=MTA, relay=mail-eopbgr50092.outbound.protection.outlook.com 
[40.107.5.92]
Mar  9 10:01:00 gateway sm-mta[13277]: w2980uun013277: Milter insert (0): 
header: Received-SPF: Pass (gateway.arcada.fi: domain of mdh.se designates 
40.107.5.92 as permitted sender) client-ip=40.107.5.92; 
envelope-from="some.one at mdh.se"; 
helo=EUR03-VE1-obe.outbound.protection.outlook.com; 
receiver=gateway.arcada.fi; 
mechanism="include:spf.protection.outlook.com"; identity=mailfrom

One and a half minutes later, the SPF-record validates and the mail is 
delivered. The difference I see is that the first connection was over 
IPv6, and the second over IPv4.

There seems to be an issue with IPv6. I also posted a bug-report for 
Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892477

>
> RFC7208 4.6.4/7
>
>   As described at the end of Section 11.1, there may be cases where it
>   is useful to limit the number of "terms" for which DNS queries return
>   either a positive answer (RCODE 0) with an answer count of 0, or a
>   "Name Error" (RCODE 3) answer.  These are sometimes collectively
>   referred to as "void lookups".  SPF implementations SHOULD limit
>   "void lookups" to two.  An implementation MAY choose to make such a
>   limit configurable.  In this case, a default of two is RECOMMENDED.
>   Exceeding the limit produces a "permerror" result.
>
>
> We cannot look at the sender policy in question to point out the null
> lookup, because you did not mention the domain!

My bad, that is mdh.se.

> There is currently no config option for the void lookup limit (I should
> add it, it would be simple).  You can add a line to spfmilter.py
> to change the "constant"  after importing spf:
>
>   spf.MAX_VOID_LOOKUPS = 2  # default is 2 - make it bigger if you insist. 
>
> However, the sender should fix his policy.  The void lookups are limited
> to prevent DNS amplification attacks.

I think the void-limit is a good thing, and I'd rather not change that. I 
hope I can fix the reason why the milter is dropping the mail.

-- 
Harald Hannelius | harald at iki.fi | +358505941020
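
Added example, not part of the original message and not pyspf's code: a minimal Python model of the void-lookup counter from RFC 7208 4.6.4 quoted above, run over constructed DNS data. It shows how a record whose "a:" hosts publish only A records can pass for an IPv4 client yet hit the limit for an IPv6 client, because the "a" mechanism queries AAAA on IPv6 connections. All names and addresses are made up, and this is not a diagnosis of the mdh.se record.

```python
import ipaddress

MAX_VOID_LOOKUPS = 2  # default recommended by RFC 7208 4.6.4

# Constructed DNS data: (name, rrtype) -> answers. A missing key stands for
# NXDOMAIN or an empty NOERROR answer; both count as void lookups.
ZONE = {
    ("sender.example", "TXT"): ["v=spf1 a:gw1.sender.example a:gw2.sender.example "
                                "a:gw3.sender.example include:_spf.relay.example -all"],
    ("gw1.sender.example", "A"): ["192.0.2.1"],
    ("gw2.sender.example", "A"): ["192.0.2.2"],
    ("gw3.sender.example", "A"): ["192.0.2.3"],
    ("_spf.relay.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 -all"],
}

class PermError(Exception): pass

def lookup(state, name, rrtype):
    answers = ZONE.get((name, rrtype), [])
    if not answers:
        state["void"] += 1
        if state["void"] > MAX_VOID_LOOKUPS:
            raise PermError("Void lookup limit of %d exceeded" % MAX_VOID_LOOKUPS)
    return answers

def check(state, ip, domain):
    record = lookup(state, domain, "TXT")
    for term in (record[0].split()[1:] if record else []):
        mech, _, arg = term.partition(":")
        if mech == "a":
            # 'a' asks for A or AAAA to match the connection's address family
            if str(ip) in lookup(state, arg, "AAAA" if ip.version == 6 else "A"):
                return "pass"
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg)
            if net.version == ip.version and ip in net:
                return "pass"
        elif mech == "include" and check(state, ip, arg) == "pass":
            return "pass"
        elif mech == "-all":
            return "fail"
    return "neutral"

def evaluate(client_ip, domain="sender.example"):
    state = {"void": 0}
    try:
        return check(state, ipaddress.ip_address(client_ip), domain), state["void"]
    except PermError:
        return "permerror", state["void"]
```

The IPv6 client never reaches the include: term that would have matched it, because the three empty AAAA answers exhaust the limit first. The model leaves out the separate limit of 10 DNS-querying terms and all mechanisms other than a, ip4, ip6, include and -all.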