I have seen a couple of old threads on this but I believe that courier-mta still has this wrong.
There are numerous domains that have their SPF records mx entries configured incorrectly. That is, they have used the mx: mechanism to point at their smtp servers instead of the a: mechanism. This mistake is well documented in the common mistakes FAQ:

http://www.openspf.org/FAQ/Common_mistakes

in the section titled "Use "mx" with domain names, not mailserver names".

This was discussed thoroughly on the SPF mail list as archived here:

http://www.gossamer-threads.com/lists/engine?do=post_view_flat;post=30414;page=1;sb=post_latest_reply;so=ASC;mh=25;list=spf

This thread is in fact where the text for that FAQ was ironed out, and this post is where Scott Kitterman states that these configurations, while useless, are NOT errors:

http://www.gossamer-threads.com/lists/spf/help/30446?do=post_view_threaded#30446

courier-mta errors out when this happens and the mail gets a 417 SPF error message.

An example:

    $dig txt viziya.com

    ; <<>> DiG 9.5.0-P2 <<>> txt viziya.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13978
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;viziya.com. IN TXT

    ;; ANSWER SECTION:
    viziya.com. 14400 IN TXT "v=spf1 a mx ip4:74.52.124.2 mx:smtp3.intermedia.net include:intermedia.com include:websitewelcome.com ?all"

    $dig mx smtp3.intermedia.net

    ; <<>> DiG 9.5.0-P2 <<>> mx smtp3.intermedia.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7240
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    $dig txt intermedia.com

    ; <<>> DiG 9.5.0-P2 <<>> txt intermedia.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54149
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    $dig txt websitewelcome.com

    ; <<>> DiG 9.5.0-P2 <<>> txt websitewelcome.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56165
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;websitewelcome.com. IN TXT

    ;; ANSWER SECTION:
    websitewelcome.com. 1440 IN TXT "v=spf1 a mx ip4:64.5.0.0/16 ip4:67.18.0.0/16 ip4:69.41.0.0/16 ip4:69.56.0.0/16 ip4:69.93.0.0/16 ip4:70.85.0.0/16 ip4:74.52.0.0/16"

And from my mail.err:

    Feb 4 15:27:15 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 15:37:16 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 15:47:21 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 15:57:26 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 16:07:29 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 16:17:33 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 16:27:38 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?
    Feb 4 16:37:43 xxxxx courieresmtpd: error,relay=::ffff:207.5.74.29,from=<xxxxx(at)viziya.com>: 417 SPF error xxxxx(at)viziya.com: DNS MX lookup failed.?

spf.c contains the following snippet:

    rc=rfc1035_mxlist_create_x(&rfc1035_default_resolver,
                               domain_spec, 0, &mxlist);
    free(domain_spec);
    if (rc)
    {
        rfc1035_mxlist_free(mxlist);
        set_err_msg(info->errmsg_buf, info->errmsg_buf_size,
                    "DNS MX lookup failed.\n");
        return SPF_ERROR;
    }

So... ANY non-zero returned by rfc1035_mxlist_create_x() will cause this error message. This function actually returns a number of different errors. Not all of which are lookup failures.

In rfc1035_mxlist_create_x() several functions are nested but ultimately domxlistcreate() is called. At the end of domxlistcreate() is the following:

        if (*list) return (RFC1035_MX_OK);
        return (RFC1035_MX_HARDERR);
    }

As you can see, an empty list is considered a HARD error.
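Added example, not part of the original post and not Courier's code: a minimal model of SPF mechanism evaluation in which an "mx" target with zero MX records (or NXDOMAIN, which RFC 4408 section 5 treats as zero answer records) is a non-match and evaluation moves on, while only a genuine resolver failure gives a temporary error. All type and function names are hypothetical, and the record, DNS outcomes and addresses are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for this sketch; not Courier's rfc1035/SPF API. */
enum dns_status { DNS_ANSWER, DNS_NODATA, DNS_NXDOMAIN, DNS_TEMPFAIL };
enum spf_result { SPF_R_PASS, SPF_R_NEUTRAL, SPF_R_TEMPERROR };
enum mech_kind  { MECH_MX, MECH_IP4, MECH_ALL };

struct mech {
    enum mech_kind  kind;
    enum spf_result qualifier;  /* result returned if this mechanism matches */
    enum dns_status mx_status;  /* MECH_MX only: outcome of the MX query */
    const char     *addr;       /* MX host address (if any) or ip4 literal */
};

/* Walk the mechanisms left to right; the first match decides the result. */
enum spf_result spf_eval(const struct mech *m, size_t n, const char *client)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (m[i].kind == MECH_ALL)
            return m[i].qualifier;
        if (m[i].kind == MECH_MX) {
            if (m[i].mx_status == DNS_TEMPFAIL)
                return SPF_R_TEMPERROR;  /* only a real lookup failure aborts */
            if (m[i].mx_status != DNS_ANSWER)
                continue;                /* zero MX records: no match, go on */
        }
        if (m[i].addr != NULL && strcmp(m[i].addr, client) == 0)
            return m[i].qualifier;
    }
    return SPF_R_NEUTRAL;                /* nothing matched */
}

/* Constructed record: "v=spf1 mx:mail.example.net ip4:192.0.2.10 ?all".
 * mx_status is what the resolver reported for mail.example.net. */
enum spf_result check_sample(enum dns_status mx_status, const char *client)
{
    const struct mech rec[] = {
        { MECH_MX,  SPF_R_PASS,    mx_status,  "198.51.100.5" },
        { MECH_IP4, SPF_R_PASS,    DNS_ANSWER, "192.0.2.10"   },
        { MECH_ALL, SPF_R_NEUTRAL, DNS_ANSWER, NULL           },
    };
    return spf_eval(rec, sizeof rec / sizeof rec[0], client);
}
```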
