Mark Constable writes:
I've got this SPF rejection and I'm still confused as to exactly what gets triggered. Obviously the message is rejected before I get to see any headers that would give me a better clue. The envelope sender domain SPF does include this IP 64.74.157.52 but the From: domain does not so I think my question is, that with my bofh SPF rules, how come BOFHSPFMAILFROM didn't give me a pass?

Feb 9 07:47:38 mail courieresmtpd: error,relay=::ffff:64.74.157.52, from=<SRS0=MnWw=VF=morningstar.com=help...@bounce2.pobox.com>: 517 SPF fail help...@morningstar.com: Address does not pass the Sender Policy Framework

courier-mta 0.60.0

opt BOFHSPFHELO=pass,none,neutral,softfail,unknown,error
opt BOFHSPFMAILFROM=pass,none,neutral,softfail,unknown,error
opt BOFHSPFFROM=pass,none,neutral,softfail,unknown,error,mailfromok
opt BOFHSPFTRUSTME=1

First the From: domain...

~ dig +short txt morningstar.com
"v=spf1 a:spfmailer.morningstar.com -all"

~ dig +short a spfmailer.morningstar.com
66.35.231.16
66.35.231.15
216.228.234.30
216.228.233.9
216.228.233.10
216.228.228.165
216.228.228.164
216.228.228.163
216.228.228.162
216.228.228.161
216.228.228.160
216.228.224.50
216.228.224.34
216.228.224.33
216.228.224.32
210.193.131.12
12.43.226.3
66.35.231.18
66.35.231.17

No 64.74.157.52 above. Then the sender envelope domain...

~ dig +short txt bounce2.pobox.com
"v=spf1 redirect=pobox.com"

I presume the above means to now look at the TXT record for pobox.com

~ dig +short txt pobox.com
"v=spf1 mx mx:fallback-relay.%{d} a:webmail.%{d} a:smtp.%{d} a:outgoing.smtp.%{d} a:discard-reports.%{d} a:discards.%{d}"

~ dig +short mx pobox.com
10 mx-3.pobox.com.
10 mx-2.pobox.com.
10 mx-6.pobox.com.
10 mx-1.pobox.com.
10 mx-4.pobox.com.
10 mx-5.pobox.com.
10 mx-7.pobox.com.
10 mx-all.pobox.com.

And we have a winner!...

~ dig +short a mx-4.pobox.com
64.74.157.52
64.74.157.52
64.74.157.52
64.74.157.52
64.74.157.52
64.74.157.52
64.74.157.52
64.74.157.52

The only thing I can think of would be a transient DNS lookup failure for pobox.com. mailfromok is accepted only if the SPF lookup on the MAIL FROM resulted in pass.
A transient DNS lookup failure results in an SPF softfail result, rather. I think this is probably wrong; mailfromok should be accepted if the SPF lookup resulted in softfail, as well…
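An added example, not part of the thread and not Courier's own code: a simplified Python model of the decision the reply describes, fed with the opt settings from the post. The function names, the HELO result of "none" and the `mailfromok_results` parameter (which models the change the reply suggests) are assumptions.

```python
# Simplified model of the BOFHSPF* decision discussed in this thread.
# Not Courier's source code; all names here are hypothetical.

def parse_opt(value):
    """Split the value of an 'opt BOFHSPF...=' line into a keyword set."""
    return {kw.strip().lower() for kw in value.split(",") if kw.strip()}

def spf_decision(results, opts, mailfromok_results=("pass",)):
    """Return (accepted, reason) for one message.

    results: SPF result per identity, keys 'helo', 'mailfrom', 'from'.
    opts: acceptable-result sets keyed by BOFHSPF setting name.
    mailfromok_results: MAIL FROM results for which 'mailfromok'
        skips the From: header check (per the reply: only 'pass').
    """
    for ident, key in (("helo", "BOFHSPFHELO"),
                       ("mailfrom", "BOFHSPFMAILFROM")):
        allowed = opts.get(key)
        if allowed is not None and results[ident] not in allowed:
            return False, f"{key}: {results[ident]}"
    allowed = opts.get("BOFHSPFFROM")
    if allowed is None:
        return True, "From: not checked"
    if "mailfromok" in allowed and results["mailfrom"] in mailfromok_results:
        return True, "mailfromok: From: check skipped"
    if results["from"] not in allowed:
        return False, f"BOFHSPFFROM: {results['from']}"
    return True, "all checks acceptable"

# Settings copied from the post.
OPTS = {
    "BOFHSPFHELO": parse_opt("pass,none,neutral,softfail,unknown,error"),
    "BOFHSPFMAILFROM": parse_opt("pass,none,neutral,softfail,unknown,error"),
    "BOFHSPFFROM": parse_opt(
        "pass,none,neutral,softfail,unknown,error,mailfromok"),
}

# Constructed inputs. From: is 'fail' because morningstar.com publishes
# -all and does not list 64.74.157.52; the HELO result is assumed.
MAILFROM_PASS = {"helo": "none", "mailfrom": "pass", "from": "fail"}
MAILFROM_SOFTFAIL = {"helo": "none", "mailfrom": "softfail", "from": "fail"}

if __name__ == "__main__":
    print(spf_decision(MAILFROM_PASS, OPTS))
    print(spf_decision(MAILFROM_SOFTFAIL, OPTS))
    # The behaviour the reply proposes: honour mailfromok on softfail too.
    print(spf_decision(MAILFROM_SOFTFAIL, OPTS, ("pass", "softfail")))
```

In this model a softfail on MAIL FROM is acceptable to BOFHSPFMAILFROM but does not trigger mailfromok, so the From: domain's fail decides the outcome, which matches the 517 in the log naming the morningstar.com address.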
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users