OS=CentOS-6.8 (Linux)

postconf -d | grep mail_version # version
mail_version = 2.11.1
milter_macro_v = $mail_name $mail_version


We are currently experiencing an outage at a remote site that happens
to provide two of our four DNS services.  We have also recently, I am
tempted to write coincidentally, begun to reject mail from many sites
due to policyd-spf DNS timeout errors similar to the following:


Mar 17 10:57:58 inet08 policyd-spf[12275]: Temperror; identity=helo;
client-ip=208.33.203.70; helo=mgmx.mohawkglobal.com;
envelope-from=usern...@mohawkglobalta.com;
receiver=usern...@harte-lyne.ca

Mar 17 10:58:18 inet08 policyd-spf[12275]: Temperror;
identity=mailfrom; client-ip=208.33.203.70;
helo=mgmx.mohawkglobal.com; envelope-from=usern...@mohawkglobalta.com;
receiver=usern...@harte-lyne.ca


When I test our policyd-spf.conf this is what I see:


/usr/libexec/postfix/policyd-spf /etc/python-policyd-spf/policyd-spf.conf
protocol_name=SMTP
protocol_state=RCPT
request=smtpd_access_policy
client_address=208.33.203.70
client_name=mgmx.mohawkglobal.com
helo_name=mgmx.mohawkglobal.com
sender=usern...@mohawkglobalta.com
recipient=usern...@harte-lyne.ca

action=prepend Received-SPF: Temperror (SPF Temporary Error: DNS
Timeout) identity=mailfrom;
  client-ip=208.33.203.70;
  helo=mgmx.mohawkglobal.com;
  envelope-from=usern...@mohawkglobalta.com;
  receiver=usern...@harte-lyne.ca


However if I dig the sender's address from the same host then I see no
delay:

dig mohawkglobalta.com TXT

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>>
mohawkglobalta.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34357
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;mohawkglobalta.com.            IN      TXT

;; ANSWER SECTION:
mohawkglobalta.com.     1476    IN      TXT     "v=spf1
include:spf.protection.outlook.com ip4:208.33.203.70/31 -all"
mohawkglobalta.com.     1476    IN      TXT     "MS=ms37967191"

;; AUTHORITY SECTION:
mohawkglobalta.com.     10552   IN      NS      ns1190.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns3159.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns2166.dns.dyn.com.
mohawkglobalta.com.     10552   IN      NS      ns4181.dns.dyn.com.

;; ADDITIONAL SECTION:
ns4181.dns.dyn.com.     1603    IN      A       208.76.61.181

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar 17 11:12:20 2017
;; MSG SIZE  rcvd: 250


We suddenly began getting these Temperror reports for multiple sites
while there have been no changes made to our mail server or
configuration for some time.  This does not appear to be a problem
with the senders but I cannot fathom what local issue could be causing
the problem.

To short-circuit the issue I have set defaultSeedOnly = 0 in 
/etc/python-policyd-spf/policyd-spf.conf.  However, this is a
temporary measure and I need to uncover and deal with the underlying
issue quickly.

Does anyone have a clue as to why this is happening and how to correct
it?

Configuration files follow:


postconf -nf
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = localhost, inet08.hamilton.harte-lyne.ca
inet_protocols = all
local_transport = smtp
mail_spool_directory = /var/spool/mail
mailman_destination_recipient_limit = 1
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
milter_default_action = accept
milter_protocol = 2
mydestination =
mynetworks = 216.185.71.0/26, 216.185.71.64/27, 209.47.176.0/26,
    192.168.216.0/24, 192.168.8.0/24, 192.168.7.0/24, 192.168.6.0/24,
    127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_minfree = 40960000
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.11.1/README_FILES
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
relay_domains = hash:/etc/postfix/relay_domains
sample_directory = /usr/share/doc/postfix-2.11.1/samples
sender_canonical_maps = hash:/etc/postfix/canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
IDEA, RC2, RC5
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks,
reject_multi_recipient_bounce,
    reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
    pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    reject_unauth_pipelining, check_policy_service
    unix:/var/spool/postfix/postgrey/socket, check_policy_service
    unix:private/policyd-spf, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
    hash:/etc/postfix/sender_access, check_sender_mx_access
    hash:/etc/postfix/sender_mx_access, check_sender_ns_access
    hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,
    regexp:/etc/postfix/virtual.regexp

postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=may
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o syslog_name=postfix-p25
submission inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o
smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p587
smtps      inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o
smtpd_sender_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p465
pickup     fifo  n       -       n       60      1       pickup
    -o content_filter=
    -o receive_override_options=no_header_body_checks
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=mailman:mailman
argv=/usr/lib/mailman/postfix/postfix-to-mailman.py
    ${nexthop} ${user}
127.0.0.1:2626 inet n    -       n       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
    -o syslog_name=postfix-p2626
policyd-spf unix y       n       n       -       -       spawn
user=nobody
    argv=/usr/libexec/postfix/policyd-spf
smtp-amavis unix -       -       n       -       6       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n   -       n       -       -       smtpd
    -o content_filter=
    -o local_header_rewrite_clients=
    -o local_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o relay_recipient_maps=
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_delay_reject=no
    -o smtpd_milters=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
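The gap the post observes between a fast `dig mohawkglobalta.com TXT` and a policyd-spf Temperror has a structural explanation worth checking before blaming the sender: the SPF evaluator does not stop at the top-level record but resolves every `include:` and `redirect=` it references, so a single slow nested lookup (for example one that lands on an unreachable resolver) is enough to return Temperror for a domain whose own TXT answers in milliseconds. The script below is an added example, not code from the post, from policyd-spf or from pyspf. It walks an SPF include chain with a per-lookup timeout and the RFC 7208 ten-lookup budget, reports exactly which name failed and how, and runs offline against a constructed zone: the sender's record is copied from the dig output above, while the nested Outlook record, the `spf-a.example.invalid` name (deliberately unresolvable to reproduce the symptom) and the `dnspython_lookup` helper for live use are assumptions.

```python
"""
SPF include-chain walker with a per-lookup timeout (added example).

Shows why one quick TXT query is not the same as an SPF evaluation:
every include:/redirect= costs another DNS lookup, and a timeout on
any of them yields Temperror for the whole record.
"""
import re
from typing import Callable, Dict, List, Optional

# A lookup callback maps a domain to its TXT strings or raises DnsTimeout.
Lookup = Callable[[str], List[str]]

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


class DnsTimeout(Exception):
    """Raised by a lookup callback when a query exceeds its timeout."""


def _spf_record(txts: List[str]) -> Optional[str]:
    """Return the single 'v=spf1' string among the TXT records, if any."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def walk_spf(domain: str, lookup: Lookup, budget: int = MAX_DNS_LOOKUPS) -> Dict:
    """
    Follow include:/redirect= terms starting at `domain`, stopping at the
    first failure, as an evaluator would.  Returns a dict with
      result:     'ok', 'temperror' (lookup timed out) or 'permerror'
                  (missing/duplicate record, or lookup budget exhausted)
      lookups:    ordered (name, outcome) pairs for every query attempted
      mechanisms: flattened non-include terms seen before the walk stopped
    """
    state = {"result": "ok", "lookups": [], "mechanisms": []}
    remaining = [budget]

    def visit(name: str) -> bool:
        if remaining[0] <= 0:  # budget exhausted: permerror per RFC 7208
            state["lookups"].append((name, "over-limit"))
            state["result"] = "permerror"
            return False
        remaining[0] -= 1
        try:
            txts = lookup(name)
        except DnsTimeout:  # one slow nested lookup fails the whole record
            state["lookups"].append((name, "timeout"))
            state["result"] = "temperror"
            return False
        record = _spf_record(txts)
        if record is None:
            state["lookups"].append((name, "no-spf"))
            state["result"] = "permerror"
            return False
        state["lookups"].append((name, "ok"))
        redirect = None
        for term in record.split()[1:]:
            m = re.match(r"^[+\-~?]?include:(.+)$", term, re.I)
            if m:
                if not visit(m.group(1)):
                    return False
                continue
            m = re.match(r"^redirect=(.+)$", term, re.I)
            if m:
                redirect = m.group(1)  # evaluated after the other terms
                continue
            state["mechanisms"].append(term)
        return visit(redirect) if redirect is not None else True

    visit(domain)
    return state


# Constructed zone (not live data).  The sender's record is the one from
# the dig output in the post; the Outlook record is an assumed, simplified
# stand-in, and its nested include is absent so that it "times out".
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "mohawkglobalta.com": [
        "v=spf1 include:spf.protection.outlook.com ip4:208.33.203.70/31 -all",
        "MS=ms37967191",
    ],
    "spf.protection.outlook.com": [  # assumed content for illustration
        "v=spf1 ip4:192.0.2.0/24 include:spf-a.example.invalid -all",
    ],
}


def constructed_lookup(name: str) -> List[str]:
    """Offline stand-in for a TXT query: names outside the zone time out."""
    name = name.rstrip(".").lower()
    if name not in CONSTRUCTED_ZONE:
        raise DnsTimeout(name)
    return CONSTRUCTED_ZONE[name]


def dnspython_lookup(timeout: float = 2.0) -> Lookup:
    """Build a live TXT lookup with dnspython (assumed helper; import is
    deferred so the offline demonstration needs no extra package)."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver()  # nameservers from /etc/resolv.conf
    resolver.timeout = timeout           # wait per nameserver
    resolver.lifetime = timeout          # total wait for the whole query
    query = getattr(resolver, "resolve", None) or resolver.query  # 2.x / 1.x

    def lookup(name: str) -> List[str]:
        try:
            answer = query(name, "TXT")
        except dns.exception.Timeout as exc:
            raise DnsTimeout(name) from exc
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            return []
        return [b"".join(r.strings).decode("ascii", "replace") for r in answer]

    return lookup


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python3 spf_walk.py sender.example
        domain, lookup = sys.argv[1], dnspython_lookup()
    else:                  # offline mode against the constructed zone
        domain, lookup = "mohawkglobalta.com", constructed_lookup
    report = walk_spf(domain, lookup)
    print("result:", report["result"])
    for name, outcome in report["lookups"]:
        print(f"  {outcome:<10} {name}")
```

Run without arguments to see the constructed failure chain; with a domain argument it queries the resolvers in `/etc/resolv.conf` with a two-second limit. To isolate a bad resolver, set `resolver.nameservers` to each configured server in turn: the server whose nested lookups come back `timeout` while the top-level record is fine is the one a quick `dig` would never show and the one to drop from rotation until the remote site is back.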
