Bernd Wurst writes:

Hello.

I configured courier MTA to check SPF for incoming mail. At the moment,
we check only HELO-SPF. This worked for a couple of years without problems.

This is the configuration in bofh

opt BOFHSPFTRUSTME=1
opt BOFHSPFHELO=pass,neutral,unknown,none,error,softfail
opt BOFHSPFFROM=off
opt BOFHSPFMAILFROM=off
opt BOFHSPFHARDERROR=fail

Recently, a message got rejected with this line in the log:

Sep  9 19:50:36 zucker courieresmtpd:
error,relay=2a03:4000:2:4f2::1,from=<xxxxx...@thelambda.de>: 517 SPF
fail thelambda.de: Address does not pass the Sender Policy Framework

# dig +short txt thelambda.de
"v=spf1 mx -all"
# dig +short mx thelambda.de
10 mail.thelambda.de.
# dig +short aaaa mail.thelambda.de
2a03:4000:2:4f2::1

I have no clue why this SPF check fails. The connecting MTA has
"thelambda.de" configured as HELO-hostname.
Connections via IPv4 are working.

Can anybody clarify this?

I think I finally tracked down these spurious SPF failures. It's a bug triggered by a combination of IPv6, DNS caching, a particular MX configuration, and probably certain DNS servers only. It's not going to fail every time, only when the domain is not already cached by the DNS server.

I'm going to test a small fix for this.

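To show what the records quoted above should yield under RFC 7208, here is an added example (not courier's code and not from either poster) that evaluates "v=spf1 mx -all" against a stub resolver built from those dig answers; the stub zone, the lookup function and the DnsError class are assumptions. It also shows the point behind the suspected bug: a lookup that fails mid-evaluation of the mx mechanism must yield temperror, never fail.

```python
import ipaddress

# Constructed stub of the answers quoted in the message; not a live resolver.
ZONE = {
    ("thelambda.de", "TXT"): ['"v=spf1 mx -all"'],
    ("thelambda.de", "MX"): ["10 mail.thelambda.de."],
    ("mail.thelambda.de", "AAAA"): ["2a03:4000:2:4f2::1"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class DnsError(Exception):
    """A lookup that did not answer (timeout, SERVFAIL, ...); assumed helper."""


def lookup(zone, name, rtype):
    key = (name.rstrip("."), rtype)
    if key not in zone:
        raise DnsError(f"{rtype} lookup of {name} failed")
    return zone[key]


def check_host(zone, ip, domain):
    """RFC 7208 check_host() reduced to the 'mx' and 'all' mechanisms."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"  # IPv6 clients need AAAA, not A
    try:
        txt = [t.strip('"') for t in lookup(zone, domain, "TXT")]
        spf = next((t for t in txt if t.startswith("v=spf1 ")), None)
        if spf is None:
            return "none"
        for term in spf.split()[1:]:
            qual, mech = "+", term
            if term[0] in QUALIFIER:
                qual, mech = term[0], term[1:]
            if mech == "all":
                return QUALIFIER[qual]
            if mech != "mx":
                return "permerror"  # this reduced evaluator knows no other mechanism
            for rr in lookup(zone, domain, "MX"):
                host = rr.split()[1]
                if any(ipaddress.ip_address(a) == addr for a in lookup(zone, host, rtype)):
                    return QUALIFIER[qual]
        return "neutral"  # no 'all' term: default result per RFC 7208 section 4.7
    except DnsError:
        return "temperror"  # RFC 7208 section 5: a DNS failure here is temperror, not fail


if __name__ == "__main__":
    print(check_host(ZONE, "2a03:4000:2:4f2::1", "thelambda.de"))  # pass
    print(check_host(ZONE, "2001:db8::1", "thelambda.de"))         # fail
    broken = {k: v for k, v in ZONE.items() if k[1] != "AAAA"}   # AAAA lookup fails
    print(check_host(broken, "2a03:4000:2:4f2::1", "thelambda.de"))  # temperror
```

With the MX host's AAAA answer present, the connecting address from the log passes; a receiver that turns the temperror case into a 5xx reject (as the 517 above does) is treating a transient resolver problem as a policy failure.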

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
