Re: [courier-users] No SPF reject during DNS outage. How come?

2015-11-13 Thread Alessandro Vesely 
Hi Mitch,

On Fri 13/Nov/2015 02:04:29 +0100 you wrote: 

> Hey Alessandro - did you receive any replies not cc'd to the list?

Nope.

> Just thinking out loud here... does courier cache lookups or is it possible 
> your local resolver did?
> Maybe something cached the lookup of your SPF for your domain - and then the 
> non-cached lookup of the IP failed...
> Could that result in the behaviour you see?
> Maybe you would have to have timed your test to occur during the cache 
> lifetime of the spf record?

I don't think I got cache hits, although that's a possibility.

There's something which works counter-intuitively in the SPF module, but that's
probably not even covered clearly by the RFC.  I'd have preferred a 417 reply
code in this case.

Thank you for your interest
Ale

> -Original Message-
> From: Alessandro Vesely [mailto:ves...@tana.it] 
> Sent: November-12-15 3:23 AM
> To: Courier Users
> Subject: [courier-users] No SPF reject during DNS outage. How come?
> 
> Hi!
> 
> I received a bunch of spam marked like this:
> 
> Return-Path: <zl...@tana.it>
> Received: from [210.205.1.118] (softdnserr [210.205.1.118])
>   by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
>   id 005DC042.56445431.5BFC
> Received-SPF: error (Address does not pass the Sender Policy Framework)
>   SPF=MAILFROM;
>   sender=zl...@tana.it;
>   remoteip=210.205.1.118;
>   remotehost=softdnserr;
>   helo=[210.205.1.118];
>   receiver=wmail.tana.it;
> 
> The "softdnserr" presumably came from DNS outage.  The NS was disconnected 
> for quite some time, so only internal stuff was being resolved during 
> reception.
> Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP 
> for that Korean address.
> 
> However, I tried to reproduce that behavior to no avail.  At the console, I 
> always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS 
> again.  My Courier version is getting old, but this doesn't seem to be 
> related to the recent SPF fix, does it?
> 
> Any other idea?
> 
> TIA
> Ale
> 
> --
> ___
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
> 
> --
> ___
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
> 

--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] No SPF reject during DNS outage. How come?

2015-11-13 Thread Mitch (BitBlock) 
417 is what I'm used to seeing ...

in my case the 417 was triggered by a lookup failure being negatively cached by 
a ms Windows DNS server.

Have you checked your configuration for spf? What version are you running and 
what does the config look like?

Cheers

Sent from my Samsung device


 Original message 
From: Alessandro Vesely <ves...@tana.it>
Date: 2015-11-13 03:23 (GMT-08:00)
To: "Mitch (BitBlock)" <mi...@bitblock.net>, Courier Users 
<courier-users@lists.sourceforge.net>
Subject: Re: [courier-users] No SPF reject during DNS outage. How come?

Hi Mitch,

On Fri 13/Nov/2015 02:04:29 +0100 you wrote:

> Hey Alessandro - did you receive any replies not cc'd to the list?

Nope.

> Just thinking out loud here... does courier cache lookups or is it possible 
> your local resolver did?
> Maybe something cached the lookup of your SPF for your domain - and then the 
> non-cached lookup of the IP failed...
> Could that result in the behaviour you see?
> Maybe you would have to have timed your test to occur during the cache 
> lifetime of the spf record?

I don't think I got cache hits, although that's a possibility.

There's something which works counter-intuitively in the SPF module, but that's
probably not even covered clearly by the RFC.  I'd have preferred a 417 reply
code in this case.

Thank you for your interest
Ale

> -Original Message-
> From: Alessandro Vesely [mailto:ves...@tana.it]
> Sent: November-12-15 3:23 AM
> To: Courier Users
> Subject: [courier-users] No SPF reject during DNS outage. How come?
>
> Hi!
>
> I received a bunch of spam marked like this:
>
> Return-Path: <zl...@tana.it>
> Received: from [210.205.1.118] (softdnserr [210.205.1.118])
>   by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
>   id 005DC042.56445431.5BFC
> Received-SPF: error (Address does not pass the Sender Policy Framework)
>   SPF=MAILFROM;
>   sender=zl...@tana.it;
>   remoteip=210.205.1.118;
>   remotehost=softdnserr;
>   helo=[210.205.1.118];
>   receiver=wmail.tana.it;
>
> The "softdnserr" presumably came from DNS outage.  The NS was disconnected 
> for quite some time, so only internal stuff was being resolved during 
> reception.
> Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP 
> for that Korean address.
>
> However, I tried to reproduce that behavior to no avail.  At the console, I 
> always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS 
> again.  My Courier version is getting old, but this doesn't seem to be 
> related to the recent SPF fix, does it?
>
> Any other idea?
>
> TIA
> Ale
>
> --
> ___
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>
> --
> ___
> courier-users mailing list
> courier-users@lists.sourceforge.net
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
>
--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] No SPF reject during DNS outage. How come?

2015-11-13 Thread Alessandro Vesely 
On Thu 12/Nov/2015 17:04:29 +0100 Sam Varshavchik wrote: 
> Alessandro Vesely writes:
> 
>> I received a bunch of spam marked like this:
>>
>> Return-Path: 
>> Received: from [210.205.1.118] (softdnserr [210.205.1.118])
>>   by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
>>   id 005DC042.56445431.5BFC
>> Received-SPF: error (Address does not pass the Sender Policy Framework)
>>   SPF=MAILFROM;
>>   sender=zl...@tana.it;
>>   remoteip=210.205.1.118;
>>   remotehost=softdnserr;
>>   helo=[210.205.1.118];
>>   receiver=wmail.tana.it;
>>
>> The "softdnserr" presumably came from DNS outage.  The NS was disconnected 
>> for
>> quite some time, so only internal stuff was being resolved during reception.
>> Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP
>> for that Korean address.
> 
> A failed SPF DNS lookup results in a status of "error".
> 
> Check your "error" status handling. If you have "error" included in the 
> BOFHSPF
> settings, it is considered a pass.

Yup, you nailed it.  I have:

opt BOFHSPFHELO=pass,none,neutral,softfail,unknown,error,fail
opt BOFHSPFMAILFROM=allowok,pass,none,neutral,softfail,unknown,error
opt BOFHSPFFROM=all

In fact, I could not reproduced it because I tried from the internal network,
which can be resolved locally even if the NS is disconnected.  Today I tried
from an external IP and obtained the same result as the spammer quoted above.

I'm still somewhat puzzled because my SPF record requires a further (external)
lookup which fails silently, while the reverse IP lookup doesn't seem to be
related to SPFMAILFROM at a first glance.  I'll look deeper after I upgrade
Courier...

Thank you for putting me on the right track
Ale



--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] No SPF reject during DNS outage. How come?

2015-11-12 Thread Mitch (BitBlock) 
Hey Alessandro - did you receive any replies not cc'd to the list?

Just thinking out loud here... does courier cache lookups or is it possible 
your local resolver did?
Maybe something cached the lookup of your SPF for your domain - and then the 
non-cached lookup of the IP failed...
Could that result in the behaviour you see?
Maybe you would have to have timed your test to occur during the cache lifetime 
of the spf record?

Mitch

-Original Message-
From: Alessandro Vesely [mailto:ves...@tana.it] 
Sent: November-12-15 3:23 AM
To: Courier Users
Subject: [courier-users] No SPF reject during DNS outage. How come?

Hi!

I received a bunch of spam marked like this:

Return-Path: <zl...@tana.it>
Received: from [210.205.1.118] (softdnserr [210.205.1.118])
  by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
  id 005DC042.56445431.5BFC
Received-SPF: error (Address does not pass the Sender Policy Framework)
  SPF=MAILFROM;
  sender=zl...@tana.it;
  remoteip=210.205.1.118;
  remotehost=softdnserr;
  helo=[210.205.1.118];
  receiver=wmail.tana.it;

The "softdnserr" presumably came from DNS outage.  The NS was disconnected for 
quite some time, so only internal stuff was being resolved during reception.
Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP 
for that Korean address.

However, I tried to reproduce that behavior to no avail.  At the console, I 
always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS 
again.  My Courier version is getting old, but this doesn't seem to be related 
to the recent SPF fix, does it?

Any other idea?

TIA
Ale

--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

[courier-users] No SPF reject during DNS outage. How come?

2015-11-12 Thread Alessandro Vesely 
Hi!

I received a bunch of spam marked like this:

Return-Path: 
Received: from [210.205.1.118] (softdnserr [210.205.1.118])
  by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
  id 005DC042.56445431.5BFC
Received-SPF: error (Address does not pass the Sender Policy Framework)
  SPF=MAILFROM;
  sender=zl...@tana.it;
  remoteip=210.205.1.118;
  remotehost=softdnserr;
  helo=[210.205.1.118];
  receiver=wmail.tana.it;

The "softdnserr" presumably came from DNS outage.  The NS was disconnected for
quite some time, so only internal stuff was being resolved during reception.
Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP
for that Korean address.

However, I tried to reproduce that behavior to no avail.  At the console, I
always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS
again.  My Courier version is getting old, but this doesn't seem to be related
to the recent SPF fix, does it?

Any other idea?

TIA
Ale

--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] No SPF reject during DNS outage. How come?

2015-11-12 Thread Sam Varshavchik 

Alessandro Vesely writes:


Hi!

I received a bunch of spam marked like this:

Return-Path: 
Received: from [210.205.1.118] (softdnserr [210.205.1.118])
  by wmail.tana.it with ESMTP; Thu, 12 Nov 2015 09:55:57 +0100
  id 005DC042.56445431.5BFC
Received-SPF: error (Address does not pass the Sender Policy Framework)
  SPF=MAILFROM;
  sender=zl...@tana.it;
  remoteip=210.205.1.118;
  remotehost=softdnserr;
  helo=[210.205.1.118];
  receiver=wmail.tana.it;

The "softdnserr" presumably came from DNS outage.  The NS was disconnected  
for

quite some time, so only internal stuff was being resolved during reception.
Thus, Courier could get a -all SPF record for tana.it, but not the reverse IP
for that Korean address.

However, I tried to reproduce that behavior to no avail.  At the console, I
always got _517 SPF fail_ after MAIL FROM:, even if I disconnected the NS
again.  My Courier version is getting old, but this doesn't seem to be  
related

to the recent SPF fix, does it?

Any other idea?


A failed SPF DNS lookup results in a status of "error".

Check your "error" status handling. If you have "error" included in the  
BOFHSPF settings, it is considered a pass.





pgpIh7qEXCkYV.pgp
Description: PGP signature
--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users