Our server setting incorrect?

Asked by Yusuke Matsuoka

Our mail server rejected a mail by policyd-spf.

Setting:
debugLevel = 1
defaultSeedOnly = 1
HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

In the log:
policyd-spf: Fail; identity=helo; client-ip=xxx.xxx.xxx.xxx; helo=mailgw.example.com; <email address hidden>; <email address hidden>

But I think DNS record of example.com is correct.

example.com. 86400 IN SPF "v=spf1 +mx -all"
example.com. 86400 IN MX 10 mailgw.example.com.
mailgw.example.com. 86400 IN A xxx.xxx.xxx.xxx

Did this DNS record affect policyd-spf's decision?

mailgw.example.com. 86400 IN SPF "v=spf1 -all"

example.com's root said "your server is incorrect".
Should I change the setting?

Question information

Language: English
Status: Solved
For: pypolicyd-spf
Assignee: No assignee
Solved by: Yusuke Matsuoka
Scott Kitterman (kitterman) said :
#1

There is no way to know without knowing the actual ip addresses and domains.

Yusuke Matsuoka (yusmat) said :
#2

Scott,
Thanks for your comment.

adac.co.jp. 86400 IN MX 0 adacgw.adac.co.jp.
adacgw.adac.co.jp. 86400 IN A 202.241.233.2
adac.co.jp. 86400 IN SPF "v=spf1 +mx -all"
adacgw.adac.co.jp. 86400 IN SPF "v=spf1 -all"

FYI:
I checked spf setting by this site.
http://www.sendmail.co.jp/sa/spfcheck.html

SPF Query Result:
Received-SPF: pass (adac.co.jp: 202.241.233.2 is authorized to use '<email address hidden>' in 'mfrom' identity (mechanism 'mx' matched)) receiver=unknown; identity=mailfrom; <email address hidden>"; client-ip=202.241.233.2

Scott Kitterman (kitterman) said :
#3

Yes. You do need to change something. As you can see from the original log entry, the rejection is not due to Mail From, it's due to HELO (identity=helo in the log entry). The HELO identity you used is adacgw.adac.co.jp and its SPF record says that name sends no mail. If you change the SPF record for it to correctly reflect its use in HELO, then your problem should be solved.

Change:

adacgw.adac.co.jp. 86400 IN TXT "v=spf1 -all"

to:

adacgw.adac.co.jp. 86400 IN TXT "v=spf1 a -all"

Also, in DNS your SPF records are of DNS type TXT, but in the information in this question you describe them as DNS type SPF. RFC 4408 says to use either, but TXT is much more broadly supported, so make sure that's what you continue to publish.
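The following is an added illustration, not code from pypolicyd-spf or from either participant. It is a small offline SPF evaluator (mechanisms a, mx, ip4 and all only) run over an in-memory copy of the records quoted in this question, so it shows why the HELO identity fails while MAIL FROM passes, and what changes once the HELO name's record becomes "v=spf1 a -all". The local part of the sender address is a constructed placeholder (the page hides it), and the meaning given to HELO_reject = SPF_Not_Pass (reject anything other than Pass, None or TempError) is my reading of that option, not something the answer states.

```python
import ipaddress

# Constructed in-memory DNS table mirroring the records quoted in this question.
# Real policyd-spf resolves names over live DNS; a static table lets this run offline.
PAGE_DNS = {
    "adac.co.jp": {"MX": ["adacgw.adac.co.jp"], "TXT": ["v=spf1 +mx -all"]},
    "adacgw.adac.co.jp": {"A": ["202.241.233.2"], "TXT": ["v=spf1 -all"]},
}

# Same table with the HELO name's record changed as suggested in the answer above.
FIXED_DNS = {
    "adac.co.jp": PAGE_DNS["adac.co.jp"],
    "adacgw.adac.co.jp": {"A": ["202.241.233.2"], "TXT": ["v=spf1 a -all"]},
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def lookup(dns, name, rtype):
    """Return the records of type rtype for name from the static table."""
    return dns.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(dns, domain):
    """The single v=spf1 TXT record for domain, or None if absent or ambiguous."""
    recs = [r for r in lookup(dns, domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def evaluate(dns, domain, client_ip):
    """Evaluate domain's SPF record against client_ip.

    Supports the a, mx, ip4 and all mechanisms with +/-/~/? qualifiers; any other
    mechanism yields PermError. Returns Pass, Fail, SoftFail, Neutral, None or PermError.
    """
    record = spf_record(dns, domain)
    if record is None:
        return "None"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target = arg or domain  # "a" and "mx" default to the domain being checked
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = str(ip) in lookup(dns, target, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(dns, mx, "A") for mx in lookup(dns, target, "MX"))
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "PermError"  # toy evaluator: include/exists/ptr etc. not implemented
        if matched:
            return QUALIFIERS[qual]
    return "Neutral"  # no mechanism matched and no explicit "all"


def check_identities(dns, helo, mail_from, client_ip):
    """policyd-spf evaluates two independent identities: the HELO name against its own
    record, and the MAIL FROM domain against the sender domain's record."""
    helo_result = evaluate(dns, helo, client_ip)
    mfrom_result = evaluate(dns, mail_from.rsplit("@", 1)[-1], client_ip)
    return {"helo": helo_result, "mailfrom": mfrom_result}


def helo_rejects(result, policy="SPF_Not_Pass"):
    """Assumed reading of HELO_reject from the question's config: SPF_Not_Pass rejects
    every result except Pass, None and TempError; Fail rejects only a Fail result."""
    if policy == "SPF_Not_Pass":
        return result not in ("Pass", "None", "TempError")
    if policy == "Fail":
        return result == "Fail"
    return False


if __name__ == "__main__":
    # "someone" is a constructed local part; the page hides the real address.
    for label, dns in (("as published", PAGE_DNS), ("with 'v=spf1 a -all'", FIXED_DNS)):
        r = check_identities(dns, "adacgw.adac.co.jp", "someone@adac.co.jp", "202.241.233.2")
        print(f"{label}: helo={r['helo']} mailfrom={r['mailfrom']} "
              f"reject={helo_rejects(r['helo'])}")
```

With the records as published, the HELO check returns Fail (the only term in "v=spf1 -all" is -all) while MAIL FROM returns Pass through the mx mechanism, which is exactly the split the log line and the sendmail.co.jp checker show; with the corrected HELO record, the a mechanism matches 202.241.233.2 and both identities pass.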

Yusuke Matsuoka (yusmat) said :
#4

I can understand your comment.
I cannot reconfigure adacgw.adac.co.jp, because I'm not adac.co.jp's staff.
We previously gave the same opinion to adacgw's administrator. He said "will not change config".
But our staff need their mails, so I appended adac.co.jp to the whitelist.

Scott Kitterman (kitterman) said :
#5

Yes. If you can't get that changed, the whitelisting is the best solution.