domain or hostname lookup?

Asked by Jac Backus

Dear reader,

We use postfix-policyd-spf-perl .

For one domain, mail does not arrive. The reason is this:

116 # perl /usr/local/libexec/postfix-policyd-spf-perl
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=mail.acme.com
queue_id=8045F2AB23
<email address hidden>
<email address hidden>
client_address=1.1.1.1
client_name=mail.company.com

action=DEFER_IF_PERMIT SPF-Result=mail.acme.com: 'SERVFAIL' error on DNS 'TXT' lookup of 'mail.acme.com'

There is no TXT record for mail.acme.com.
But the sender says that could be true, but there is one for acme.com. And that is the one you should look up, he says.

I run on FreeBSD 10.3 and I use Unbound as a resolver.

What to do?

With kind regards,

Jac Backus

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Scott Kitterman
Scott Kitterman (kitterman) said :
#1

SPF can check two identities: the envelope Mail From and the HELO name. This policy server checks both. acme.com is the correct identity for Mail From and mail.acme.com is the correct identity for HELO. See https://tools.ietf.org/html/rfc7208#section-2.3 for details.

Any DNS server that is returning SERVFAIL for a TXT query is broken and should be fixed.
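The two identities Scott describes, as an added example that is not code from postfix-policyd-spf-perl or from this thread: a small Python model that derives the HELO and Mail From identities from a Postfix policy request (RFC 7208 section 2.3) and shows why a DNS failure on the HELO lookup alone already produces a defer before acme.com is consulted. The resolver is a stub with constructed data, and the envelope sender user@acme.com is an assumption, since the real address is hidden above.

```python
# Added illustration (not the policy server's code); the DNS data is constructed.
class DnsError(Exception):
    """Stands in for a SERVFAIL or timeout from the resolver."""

# Constructed DNS data mirroring the question: acme.com publishes SPF, but the
# TXT lookup for mail.acme.com fails (as with the Unbound validation failure).
FAKE_TXT = {"acme.com": ["v=spf1 ip4:1.1.1.1 -all"],
            "mail.acme.com": DnsError("SERVFAIL")}

def lookup_txt(name):
    rec = FAKE_TXT.get(name, [])
    if isinstance(rec, Exception):
        raise rec
    return rec

def parse_policy_request(text):
    """Parse Postfix's key=value policy request (one attribute per line)."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def spf_identities(attrs):
    """RFC 7208 s2.3: HELO identity is the HELO name, Mail From identity is
    the domain part of the envelope sender (HELO name if the sender is empty)."""
    helo = attrs.get("helo_name", "")
    sender = attrs.get("sender", "")
    mailfrom = sender.rsplit("@", 1)[1] if "@" in sender else helo
    return {"helo": helo, "mailfrom": mailfrom}

def evaluate(domain, client_ip):
    """Deliberately reduced SPF evaluation: only ip4 mechanisms and -all."""
    try:
        records = [r for r in lookup_txt(domain) if r.startswith("v=spf1 ")]
    except DnsError:
        return "temperror"          # DNS failure => temporary SPF error
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        if term.startswith("ip4:") and term[4:] == client_ip:
            return "pass"
    return "fail" if "-all" in records[0].split() else "neutral"

def policy_action(attrs):
    """Check HELO first; a temperror there already produces a defer, so the
    Mail From identity (acme.com here) is never looked at."""
    ids = spf_identities(attrs)
    ip = attrs.get("client_address", "")
    helo_result = evaluate(ids["helo"], ip)
    if helo_result == "temperror":
        return f"DEFER_IF_PERMIT SPF temperror on HELO identity {ids['helo']}"
    return f"DUNNO helo={helo_result} mailfrom={evaluate(ids['mailfrom'], ip)}"
```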

Jac Backus (buggy01) said :
#2

Hello Scott,

Thanks for the reply!

Reason for the SERVFAIL:
Jan 24 13:44:25 unbound[487:0] info: response for mail.acme.com. TXT IN
Jan 24 13:44:25 unbound[487:0] info: reply from <acme.com.> 2.2.2.2#53
Jan 24 13:44:25 unbound[487:0] info: query response was ANSWER
Jan 24 13:44:25 unbound[487:0] info: Validate: message contains bad rrsets
Jan 24 13:44:25 unbound[487:0] info: validation failure <mail.acme.com. TXT IN>: signature crypto failed from 2.2.2.2

Is this a valid SERVFAIL?
But, in conformity with the RFC, he does not check the MAIL FROM identity after this.

With kind regards,

Jac

Best Scott Kitterman (kitterman) said :
#3

"validation failure <mail.acme.com. TXT IN>: signature crypto failed from 2.2.2.2" looks like a DNSSEC validation issue. I don't think that should be a SERVFAIL, but I'm no expert on DNSSEC. Whatever it is, I'm confident it's not related to the SPF policy server.

Jac Backus (buggy01) said :
#4

Dear Scott,

Thanks for the reply!
I am convinced their DNSSEC configuration is wrong. This was confirmed by some answers I got from the Unbound user list (Unbound is the resolver).
I thank you for the link to the RFC, this ties it together. This, because the maintainer of the domain insisted that my mail server was wrong in checking the hostname instead of the domain.

With kind regards,

Jac