Hi Jac,

I don't really know about postfix or email, but 'signature crypto failed' means that the data did not match the signature. Thus SERVFAIL is the correct rcode.

It means that the contents of the TXT record have been altered, and the text in it does not match the RRSIG digital signature. If this was a spurious technical failure, it could be due to upper/lowercase somehow getting changed (inside the text record), or people editing the contents by hand without running the signer again.

Best regards, Wouter

On 24/01/17 16:44, Jac Backus via Unbound-users wrote:
> Hello,
>
> I have a FreeBSD server with Unbound .1.5.7 as a resolver.
>
> I use Postfix for mail and postfix-policyd-spf-perl to check spf.
> My problem is, that mail from a certain domain is refused.
>
> When I test, I see this:
>
> # perl /usr/local/libexec/postfix-policyd-spf-perl
> request=smtpd_access_policy
> protocol_state=RCPT
> protocol_name=SMTP
> helo_name=mail.acme.com
> queue_id=8045F2AB23
> [email protected]
> [email protected]
> client_address=1.1.1.1
> client_name=mail.company.com
>
> action=DEFER_IF_PERMIT SPF-Result=mail.acme.com: 'SERVFAIL' error on DNS 'TXT' lookup of 'mail.acme.com'
>
> This is in unbound.log:
>
> Reason for the SERVFAIL:
>
> Jan 24 13:44:25 unbound[487:0] info: response for mail.acme.com. TXT IN
> Jan 24 13:44:25 unbound[487:0] info: reply from <acme.com.> 2.2.2.2#53
> Jan 24 13:44:25 unbound[487:0] info: query response was ANSWER
> Jan 24 13:44:25 unbound[487:0] info: Validate: message contains bad rrsets
> Jan 24 13:44:25 unbound[487:0] info: validation failure <mail.acme.com. TXT IN>: signature crypto failed from 2.2.2.2
>
> Is this a valid SERVFAIL?
>
> Could someone help me? Thanks.
>
> With kind regards,
>
> Jac
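
Why a case change inside the TXT text breaks the signature while the case of the owner name does not, as an added example that is not part of the original thread: a simplified sketch of the canonical RRset form (RFC 4034, section 6) that an RRSIG is computed over. The SPF strings and TTL are constructed sample values, and a SHA-256 digest stands in for the real signature, leaving out the RRSIG RDATA prefix that is identical in every case compared here.

```python
import hashlib
import struct

TYPE_TXT, CLASS_IN = 16, 1

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: every label lowercased, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"

def txt_rdata(text: str) -> bytes:
    """TXT RDATA: length-prefixed character-strings; the bytes are NOT case-folded."""
    raw = text.encode("ascii")
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def rrset_digest(owner: str, orig_ttl: int, texts: list) -> str:
    """Digest of the TXT RRset in canonical form and order (stand-in for the RRSIG input)."""
    head = wire_name(owner) + struct.pack("!HHI", TYPE_TXT, CLASS_IN, orig_ttl)
    h = hashlib.sha256()
    # Canonical RR order: sort by RDATA as unsigned octet strings.
    for rdata in sorted(txt_rdata(t) for t in texts):
        h.update(head + struct.pack("!H", len(rdata)) + rdata)
    return h.hexdigest()

# Constructed sample data (not taken from the thread).
SIGNED = ["v=spf1 mx -all"]   # what the zone signer saw
EDITED = ["v=spf1 MX -all"]   # same record after a case change in the text

def matches_signed(owner: str, served: list) -> bool:
    """True if the served RRset is byte-identical, in canonical form, to what was signed."""
    return rrset_digest(owner, 3600, served) == rrset_digest("mail.acme.com.", 3600, SIGNED)

if __name__ == "__main__":
    print("owner case changed:", matches_signed("MAIL.Acme.COM.", SIGNED))
    print("TXT case changed:  ", matches_signed("mail.acme.com.", EDITED))
```

A validator would report the second case as a crypto failure, since the bytes it verifies differ from the bytes that were signed; re-signing the zone after the edit is what brings them back in line.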
