OS=CentOS-6.8 (Linux)
postconf -d | grep mail_version   # version
mail_version = 2.11.1
milter_macro_v = $mail_name $mail_version

We are currently experiencing an outage at a remote site that happens to provide two of our four DNS services. We have also recently, I am tempted to write coincidentally, begun to reject mail from many sites due to policyd-spf DNS timeout errors similar to the following:

Mar 17 10:57:58 inet08 policyd-spf[12275]: Temperror; identity=helo; client-ip=208.33.203.70; helo=mgmx.mohawkglobal.com; envelope-from=usern...@mohawkglobalta.com; receiver=usern...@harte-lyne.ca
Mar 17 10:58:18 inet08 policyd-spf[12275]: Temperror; identity=mailfrom; client-ip=208.33.203.70; helo=mgmx.mohawkglobal.com; envelope-from=usern...@mohawkglobalta.com; receiver=usern...@harte-lyne.ca

When I test our policyd-spf.conf this is what I see:

/usr/libexec/postfix/policyd-spf /etc/python-policyd-spf/policyd-spf.conf
protocol_name=SMTP
protocol_state=RCPT
request=smtpd_access_policy
client_address=208.33.203.70
client_name=mgmx.mohawkglobal.com
helo_name=mgmx.mohawkglobal.com
sender=usern...@mohawkglobalta.com
recipient=usern...@harte-lyne.ca

action=prepend Received-SPF: Temperror (SPF Temporary Error: DNS Timeout) identity=mailfrom; client-ip=208.33.203.70; helo=mgmx.mohawkglobal.com; envelope-from=usern...@mohawkglobalta.com; receiver=usern...@harte-lyne.ca

However if I dig the sender's address from the same host then I see no delay:

dig mohawkglobalta.com TXT

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> mohawkglobalta.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34357
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;mohawkglobalta.com.            IN      TXT

;; ANSWER SECTION:
mohawkglobalta.com.     1476    IN      TXT     "v=spf1 include:spf.protection.outlook.com ip4:208.33.203.70/31 -all"
mohawkglobalta.com.     1476    IN      TXT     "MS=ms37967191"

;; AUTHORITY SECTION:
mohawkglobalta.com.     10552   IN      NS      ns1190.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns3159.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns2166.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns4181.dns.dyn.com.

;; ADDITIONAL SECTION:
ns4181.dns.dyn.com.     1603    IN      A       208.76.61.181

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 17 11:12:20 2017
;; MSG SIZE  rcvd: 250

We suddenly began getting these Temperror reports for multiple sites while there have been no changes made to our mail server or configuration for some time. This does not appear to be a problem with the senders but I cannot fathom what local issue could be causing the problem.

To short-circuit the issue I have set defaultSeedOnly = 0 in /etc/python-policyd-spf/policyd-spf.conf. However, this is a temporary measure and I need to uncover and deal with the underlying issue quickly.

Does anyone have a clue as to why this is happening and how to correct it?

Configuration files follow:

postconf -nf
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
local_transport = smtp
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 216.185.71.64/27, 209.47.176.0/26, 192.168.216.0/24, 192.168.8.0/24, 192.168.7.0/24, 192.168.6.0/24, 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 40960000
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sender_canonical_maps = hash:/etc/postfix/canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, check_policy_service unix:/var/spool/postfix/postgrey/socket, check_policy_service unix:private/policyd-spf, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_mx_access hash:/etc/postfix/sender_mx_access, check_sender_ns_access hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual.regexp

postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o syslog_name=postfix-p25
submission inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p587
smtps      inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p465
pickup     fifo  n       -       n       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
mailman    unix  -       n       n       -       -       pipe
    flags=FR user=mailman:mailman argv=/usr/lib/mailman/postfix/postfix-to-mailman.py ${nexthop} ${user}
127.0.0.1:2626 inet n    -       n       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p2626
policyd-spf unix y       n       n       -       -       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf
smtp-amavis unix -       -       n       -       6       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_delay_reject=no
    -o smtpd_milters=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
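The dig in the post above resolves only the domain's own TXT record, whereas an SPF evaluation must also resolve every include:, redirect=, a, mx, exists: and ptr term it meets (here the include:spf.protection.outlook.com chain), so a single fast dig does not prove that the lookups policyd-spf performs are fast. The script below is an added example, not from the original post: it lists the lookups an SPF record requires and, optionally, times each one with dig; the function names are hypothetical and the second sample record is constructed.

```shell
#!/bin/sh
# spf_lookup_terms DOMAIN RECORD
# Print "MECHANISM NAME" for every term in RECORD whose evaluation costs a DNS
# query (RFC 7208 caps these at 10). Macros such as %{i} are printed, not expanded,
# and included records are not fetched, so nested includes need a second pass.
spf_lookup_terms() {
  domain=$1
  for term in $2; do
    q=${term#[+?~-]}                    # drop the qualifier, if any
    case $q in
      v=spf1|all|ip4:*|ip6:*|exp=*) ;;  # no lookup during evaluation
      include:*)  echo "include ${q#include:}" ;;
      redirect=*) echo "redirect ${q#redirect=}" ;;
      exists:*)   echo "exists ${q#exists:}" ;;
      ptr)        echo "ptr $domain" ;;
      ptr:*)      echo "ptr ${q#ptr:}" ;;
      a|mx|a/*|mx/*) echo "${q%%/*} $domain" ;;           # own domain, optional /cidr
      a:*|mx:*)   n=${q#*:}; echo "${q%%:*} ${n%%/*}" ;;  # explicit name, optional /cidr
      *)          echo "unrecognised term: $q" >&2 ;;
    esac
  done
}

# spf_lookup_count DOMAIN RECORD: how many lookups the record costs at this level
spf_lookup_count() {
  spf_lookup_terms "$1" "$2" | wc -l | tr -d ' '
}

# spf_time_lookups DOMAIN RECORD: resolve each term with dig and report the query
# time as the resolver in /etc/resolv.conf sees it; "TIMEOUT" means dig got no
# answer at all. Needs network access, so it is not exercised by the test.
spf_time_lookups() {
  spf_lookup_terms "$1" "$2" | while read -r mech name; do
    case $mech in
      include|redirect) type=TXT ;;
      mx)               type=MX ;;
      ptr)              type=PTR ;;
      *)                type=A ;;      # a and exists both query A
    esac
    t=$(dig +noall +stats "$name" "$type" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p')
    echo "$mech $name $type ${t:-TIMEOUT} ms"
  done
}

# The record quoted in the dig output of the post: one include, which itself
# contains further includes that the single dig never touched.
SAMPLE_RECORD='v=spf1 include:spf.protection.outlook.com ip4:208.33.203.70/31 -all'
spf_lookup_terms mohawkglobalta.com "$SAMPLE_RECORD"
```

Run spf_time_lookups on each sending domain that produced a Temperror; a term that reports TIMEOUT while the plain dig succeeds points at the resolver list or the include chain rather than at the sender.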