Re: policyd-spf and temperrors

Fri, 17 Mar 2017 09:09:33 -0700 

On Fri, March 17, 2017 11:41, Viktor Dukhovni wrote:
>
>> On Mar 17, 2017, at 11:31 AM, James B. Byrne <byrn...@harte-lyne.ca>
>> wrote:
>>
>> mohawkglobalta.com.     1476    IN      TXT     "v=spf1
>> include:spf.protection.outlook.com ip4:208.33.203.70/31 -all"
>
> Don't forget the lookups needed to process the "include:" clause, and
> the fact that DNS observations vary with time.
>
> $ dig +short -t txt spf.protection.outlook.com
> "v=spf1 ip4:207.46.101.128/26 ip4:207.46.100.0/24 ip4:207.46.163.0/24
> ip4:65.55.169.0/24 ip4:157.56.110.0/23 ip4:157.55.234.0/24
> ip4:213.199.154.0/24 ip4:213.199.180.0/24
> include:spfa.protection.outlook.com -all"
>
> $ dig +short -t txt spfa.protection.outlook.com
> "v=spf1 ip4:157.56.112.0/24 ip4:207.46.51.64/26 ip4:157.55.158.0/23
> ip4:64.4.22.64/26 ip4:40.92.0.0/14 ip4:40.107.0.0/17
> ip4:40.107.128.0/18 ip4:134.170.140.0/24
> include:spfb.protection.outlook.com -all"
>
> $ dig +short -t txt spfb.protection.outlook.com
> "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23
> ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21
> ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23
> ip4:94.245.120.64/26 -all"
>
> [ These have a 10 minute TTL ]
>

However, dig lookups performed on these exact domains return virtually
instantaneously on our MX server running spf.  I can set the spf
timeout higher than 20 seconds but I suspect that something else is at
work here.

This Temperror is also affecting these sites and many more:

Mar 17 11:39:47 inet08 policyd-spf[13505]: Temperror; identity=helo;
client-ip=69.89.30.42; helo=gproxy3-pub.mail.unifiedlayer.com;
envelope-from=p...@thecargosolutionscanada.com;
receiver=b...@harte-lyne.ca
. . .
Mar 17 11:42:52 inet08 policyd-spf[13032]: Temperror; identity=helo;
client-ip=168.100.1.4; helo=russian-caravan.cloud9.net;
envelope-from=owner-postfix-us...@postfix.org;
receiver=b...@harte-lyne.ca
. . .
Mar 17 11:51:36 inet08 policyd-spf[13709]: Temperror; identity=helo;
client-ip=66.135.215.173; helo=mxslcpool71.ebay.com;
envelope-from=e...@ebay.com; receiver=b...@harte-lyne.ca

They cannot all be suddenly affected by a DNS outage?

(P.S. thecargosolutionscanada.com would fail anyway due to too many
DNS lookups, but it does not get that far in the process.)


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

Reply via email to