On 19.11.25 at 18:29, Sebastian Nielsen via Unbound-users wrote:
Here is an example:
goteborg.se
It has this weird "exists:%{i}.spf.hc2437-76.eu.iphmx.com" which for a valid
connection translates to 127.0.0.2
Try with for example, 23.90.102.86.spf.hc2437-76.eu.iphmx.com
You can see here:
https://mxtoolbox.com/SuperTool.aspx?action=a%3a23.90.102.86.spf.hc2437-76.eu.iphmx.com&run=toolpage
This 127.0.0.2 gets caught in the DNS rebinding filter, and then the SPF
validation fails.
Now I understand your setup.
man (5) unbound.conf says
private-address:
... We consider to enable this for the RFC1918 private IP address space by
default in later releases ...
I assume the "private-address" setting is not set by default for good reasons and
the unbound developers didn't change that default till today.
I see the value of rebind protection on systems used by humans.
But a mail server is another use case.
One way to solve your issue is to run two resolver instances. One for servers
and one for end-user systems,
only the latter configured with "private-address".
Andreas
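
To make the failure discussed in this thread concrete, the following added example (not written by either poster and not Unbound code) expands the SPF `%{i}` macro into the `exists:` lookup name and shows the match disappearing once a rebinding filter strips loopback answers. The filter list, the function names and the in-memory zone are assumptions; the zone holds only the name and address quoted in the thread.

```python
import ipaddress

# Assumed resolver setting: private-address covering loopback, since the
# thread reports 127.0.0.2 being caught. The other ranges are illustrative.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed zone data: the single name and answer quoted in the thread.
ZONE = {"23.90.102.86.spf.hc2437-76.eu.iphmx.com": ["127.0.0.2"]}


def expand_i(client_ip):
    """SPF %{i} macro: dotted quad for IPv4, dot-separated nibbles for IPv6."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        return str(ip)
    return ".".join(ip.exploded.replace(":", ""))


def exists_name(term, client_ip):
    """Build the lookup name for an 'exists:' term (only %{i} is handled here)."""
    if not term.startswith("exists:"):
        raise ValueError("not an exists: mechanism")
    return term[len("exists:"):].replace("%{i}", expand_i(client_ip))


def rebind_filter(addresses):
    """Drop answers inside PRIVATE_ADDRESS, as a rebinding filter would."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in net for net in PRIVATE_ADDRESS)]


def exists_matches(term, client_ip, filtered):
    """exists: matches when the lookup returns at least one A record."""
    answers = ZONE.get(exists_name(term, client_ip), [])
    if filtered:
        answers = rebind_filter(answers)
    return bool(answers)


if __name__ == "__main__":
    term = "exists:%{i}.spf.hc2437-76.eu.iphmx.com"
    for filtered in (False, True):
        print("filter on: " if filtered else "filter off:",
              exists_matches(term, "23.90.102.86", filtered))
```
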