[Pymilter] Issue with spfmilter?
Harald Hannelius
harald at iki.fi
Fri Mar 9 08:14:00 EST 2018
On Fri, 9 Mar 2018, Stuart Gathman wrote:
> On 03/09/2018 03:28 AM, Harald Hannelius wrote:
>>
>> sorry if I'm being rude and contacting you. I'm not used to github
>> and don't know how to discuss problems I'm seeing with spfmilter.py.
>> Please give me advice if this is the wrong way.
> It would help more people if you used the mailing list. I am
> subscribing you.
Thank you, and hello all.
>> I have a domain in sweden, that when sending e-mail a few e-mails pass
>> the milter's SPF-check but then I get one sender that gets a Void
>> lookup error.
> That is almost certainly correct. The sender policy has a non-existent
> domain. Per RFC7208, the default limit for void lookups is 2. However,
> this is an optional test, and your other tools may not implement this or
> may use a different limit.
Sorry, the domain is mdh.se and they have an SPF-record. It validates OK
on both mxtoolbox and kitterman.com tests.
I then noted that if I telnet the IPv6-address of my SMTP-gateway, and
pretend to send from mdh.se I get the "Void lookup" error every time. If I
telnet the IPv4-address, the test succeeds.
Also, please consider this log excerpt:
Mar 9 09:59:37 gateway sm-mta[12962]: w297xYG3012962: Milter:
from=<some.one at mdh.se>, reject=550-5.5.2 SPF Permanent Error: Void lookup
limit of 2 exceeded\r\n550-5.5.2 There is a fatal syntax error in the SPF
record for mdh.se\r\n550 5.5.2 We cannot accept mail from mdh.se until
this is corrected.
Mar 9 09:59:37 gateway sm-mta[12962]: w297xYG3012962:
from=<some.one at mdh.se>, size=94241, class=0, nrcpts=0, proto=ESMTPS,
daemon=MTA, relay=mail-ve1eur01on0728.outbound.protection.outlook.com
[IPv6:2a01:111:f400:fe1f:0:0:0:728]
The first try to deliver failed.
Mar 9 10:00:59 gateway sm-mta[13277]: w2980uun013277:
from=<some.one at mdh.se>, size=86456, class=0, nrcpts=1,
msgid=<C241EFC4-7415-44BF-8EEA-622E83BAF21D at mdh.se>, proto=ESMTPS,
daemon=MTA, relay=mail-eopbgr50092.outbound.protection.outlook.com
[40.107.5.92]
Mar 9 10:01:00 gateway sm-mta[13277]: w2980uun013277: Milter insert (0):
header: Received-SPF: Pass (gateway.arcada.fi: domain of mdh.se designates
40.107.5.92 as permitted sender) client-ip=40.107.5.92;
envelope-from="some.one at mdh.se";
helo=EUR03-VE1-obe.outbound.protection.outlook.com;
receiver=gateway.arcada.fi;
mechanism="include:spf.protection.outlook.com"; identity=mailfrom
One and a half minutes later, the SPF-record validates and the mail is
delivered. The difference I see is that the first connection was over
IPv6, and the second over IPv4.
There seems to be an issue with IPv6. I also posted a bug-report for
Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892477
>
> RFC7208 4.6.4/7
>
> As described at the end of Section 11.1, there may be cases where it
> is useful to limit the number of "terms" for which DNS queries return
> either a positive answer (RCODE 0) with an answer count of 0, or a
> "Name Error" (RCODE 3) answer. These are sometimes collectively
> referred to as "void lookups". SPF implementations SHOULD limit
> "void lookups" to two. An implementation MAY choose to make such a
> limit configurable. In this case, a default of two is RECOMMENDED.
> Exceeding the limit produces a "permerror" result.
>
>
> We cannot look at the sender policy in question to point out the null
> lookup, because you did not mention the domain!
My bad, that is mdh.se.
> There is currently no config option for the void lookup limit (I should
> add it, it would be simple). You can add a line to spfmilter.py
> to change the "constant" after importing spf:
>
> spf.MAX_VOID_LOOKUPS = 2 # default is 2 - make it bigger if you insist.
>
> However, the sender should fix his policy. The void lookups are limited
> to prevent DNS amplification attacks.
I think the void-limit is a good thing, and I'd rather not change that. I
hope I can fix the reason why the milter is dropping the mail.
--
Harald Hannelius | harald at iki.fi | +358505941020
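The void-lookup limit discussed above, as an added example that is not code from this thread, from pymilter or from pyspf: a toy SPF evaluator over a constructed zone table that counts "void lookups" as RFC 7208 section 4.6.4 defines them (RCODE 0 with zero answers, or RCODE 3) and returns permerror once the limit is exceeded. The `max_void` parameter plays the role of the `spf.MAX_VOID_LOOKUPS` constant Stuart mentions. The zone data also shows one general way IPv4 and IPv6 evaluations of the same policy can differ: an `a:` term is resolved with A for an IPv4 client and AAAA for an IPv6 client (RFC 7208 section 5.3), so a relay host that has only A records yields an empty AAAA answer, which is a void lookup. Whether that is what happened with mdh.se is not established in the thread; the domains, addresses and policy below are all constructed.

```python
"""Toy SPF evaluator that counts "void lookups" per RFC 7208 section 4.6.4.

Added example for this thread; it is not pyspf's code and the zone data is a
constructed table, not real DNS.  A "void lookup" is a query answered with
RCODE 0 and zero records, or with RCODE 3 (NXDOMAIN).
"""
import ipaddress


class PermError(Exception):
    """SPF permerror, e.g. a processing limit was exceeded."""


NXDOMAIN = "NXDOMAIN"   # stands in for RCODE 3
EMPTY = []              # stands in for RCODE 0 with an answer count of 0

# Constructed zone data: (owner name, rrtype) -> records, EMPTY, or NXDOMAIN.
# The relays carry A records only, so an AAAA query for them is a void lookup.
DNS = {
    ("example.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.provider.test -all"],
    ("_spf.provider.test", "TXT"): ["v=spf1 a:relay1.provider.test a:relay2.provider.test "
                                    "a:relay3.provider.test ip6:2001:db8:1::/48 ~all"],
    ("relay1.provider.test", "A"): ["198.51.100.1"],
    ("relay2.provider.test", "A"): ["198.51.100.2"],
    ("relay3.provider.test", "A"): ["198.51.100.3"],
    ("relay1.provider.test", "AAAA"): EMPTY,
    ("relay2.provider.test", "AAAA"): EMPTY,
    ("relay3.provider.test", "AAAA"): EMPTY,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class Evaluator:
    """Evaluates a policy against the constructed DNS table with RFC 7208 limits.

    max_void mirrors the pyspf constant spf.MAX_VOID_LOOKUPS from the thread
    (default 2); max_terms is the limit of 10 DNS-querying mechanisms."""

    def __init__(self, dns, max_void=2, max_terms=10):
        self.dns, self.max_void, self.max_terms = dns, max_void, max_terms
        self.void = 0     # void lookups seen so far
        self.terms = 0    # DNS-querying mechanisms evaluated so far

    def lookup(self, name, rrtype):
        """Simulated resolver. Returns a record list; counts void answers."""
        answer = self.dns.get((name, rrtype), NXDOMAIN)
        if answer is NXDOMAIN or not answer:
            self.void += 1
            if self.void > self.max_void:
                raise PermError("Void lookup limit of %d exceeded" % self.max_void)
            return []
        return answer

    def count_term(self):
        self.terms += 1
        if self.terms > self.max_terms:
            raise PermError("Too many DNS lookups (limit %d)" % self.max_terms)

    def check_host(self, ip, domain):
        """Return pass/fail/softfail/neutral/none; raise PermError on errors."""
        ip = ipaddress.ip_address(ip)
        policy = [r for r in self.lookup(domain, "TXT") if r.startswith("v=spf1")]
        if not policy:
            return "none"
        for term in policy[0].split()[1:]:
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.lower().partition(":")
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # a v4 network never contains a v6 address and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                self.count_term()
                # RFC 7208 5.3: query the address type that matches the connection
                rrtype = "AAAA" if ip.version == 6 else "A"
                matched = any(ipaddress.ip_address(r) == ip
                              for r in self.lookup(arg or domain, rrtype))
            elif mech == "include":
                self.count_term()
                inner = self.check_host(str(ip), arg)
                if inner == "none":
                    raise PermError("include:%s has no SPF record" % arg)
                matched = inner == "pass"   # include matches only on pass
            else:
                raise PermError("unsupported mechanism %s" % mech)
            if matched:
                return QUALIFIERS[qual]
        return "neutral"   # fell off the end of the record


def check(ip, domain, max_void=2):
    """Run one evaluation; return (result, explanation, void lookups counted)."""
    ev = Evaluator(DNS, max_void=max_void)
    try:
        return ev.check_host(ip, domain), "", ev.void
    except PermError as e:
        return "permerror", str(e), ev.void


if __name__ == "__main__":
    # Same policy, same sender: the IPv6 client trips the void limit, IPv4 does not.
    for client in ("198.51.100.2", "2001:db8:1::25"):
        print(client, check(client, "example.test"))
    print("2001:db8:1::25 with limit 10:", check("2001:db8:1::25", "example.test", 10))
```

With the default limit of 2 the IPv4 client gets pass with no void lookups, while the IPv6 client accumulates three empty AAAA answers inside the include and gets permerror with the same "Void lookup limit of 2 exceeded" text that appears in the log above; raising the limit lets the evaluation continue to the ip6 term. The void counter is shared across includes on purpose, since the limit exists to bound the total number of queries one policy can make a receiver send.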