Re: [courier-users] SPF error (should be fail)

2016-03-03 Thread Sam Varshavchik 

Christopher Rüprich writes:


I just received a junk-mail with the following Received-SPF header:

Received-SPF: error (DNS MX lookup failed.?)
  SPF=MAILFROM;
  sender=ase...@gabelgelb.xyz;
  remoteip=:::185.132.126.23;
  remotehost=;
  helo=gabelgelb.xyz;
  receiver=mail.con-data.net;


The domain gabelgelb.xyz has no mx-record and the following spf-record:
gabelgelb.xyz.  71  IN  TXT "v=spf1 a mx ptr -all"

I believe the SPF-check should return 'fail' instead of 'error' in this
case.


The SPF check returns "error" to indicate the fact that the DNS lookup has  
failed. If you'd like, you can configure the "error" status as a mail  
rejection status. It's entirely up to you, how you want to handle DNS lookup  
failures.


But, of course, you understand that every DNS lookup failure will result in  
rejected mail. Even from IP addresses whose SPF check would otherwise pass,  
and from domains with no SPF records at all.




pgpWESk8l1NPc.pgp
Description: PGP signature
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] SPF error (should be fail)

2016-03-04 Thread Christopher Rüprich 

> The SPF check returns "error" to indicate the fact that the DNS lookup
> has failed. If you'd like, you can configure the "error" status as a
> mail rejection status. It's entirely up to you, how you want to handle
> DNS lookup failures.
>
> But, of course, you understand that every DNS lookup failure will
> result in rejected mail. Even from IP addresses whose SPF check would
> otherwise pass, and from domains with no SPF records at all.
That makes the SPF-check entirely useless for domains like that. If I
reject error status, I would reject all mails from such a domain, even
when the sender matches one of the other rules (a, ptr).

RFC4408 Section 5.4.  only
states:
> If the  has no MX records, check_host() MUST NOT pretend
> the target is its single MX, and MUST NOT default to an A lookup on
> the  directly.
Note that it doesn't say the SPF-check should return an error, but only
that it must not default to an A lookup.

RFC4408 Section 5.0.  states:
> If the server returns "domain does not exist" (RCODE 3), then
> evaluation of the mechanism continues as if the server returned no
> error (RCODE 0) and zero answer records.
I read that as: if there is no MX record, the SPF-check should ignore
the mx-directive.
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] SPF error (should be fail)

2016-03-04 Thread Sam Varshavchik 

Christopher Rüprich writes:

If the  has no MX records, check_host() MUST NOT pretend the  
target is its single MX, and MUST NOT default to an A lookup on the  
 directly.
Note that it doesn't say the SPF-check should return an error, but only that  
it must not default to an A lookup.


That's fine, but this is neither here, nor there. If the DNS lookup failed,  
you don't know whether the domain has MX records, or not.




pgpDRit3UOqfz.pgp
Description: PGP signature
--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] SPF error (should be fail)

2016-03-04 Thread Christopher Rüprich 

> That's fine, but this is neither here, nor there. If the DNS lookup
> failed, you don't know whether the domain has MX records, or not.
There is a difference between a failed DNS-lookup and an empty result.
I'm pretty sure, in this case the DNS lookup did not fail, but return an
empty result:

$ host -t mx gabelgelb.xyz
gabelgelb.xyz has no MX record


An example for a failed DNS-lookup (I disabled the network adapter for
this) would be:

$ host -t mx gabelgelb.xyz
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached


I can also reproduce this with my own (sub-)domain test.con-data.net:


$ host -t txt test.con-data.net
test.con-data.net descriptive text "v=spf1 a mx -all"

$ host -t mx test.con-data.net
test.con-data.net has no MX record

$ host -t a test.con-data.net
test.con-data.net has address 192.168.0.1

$ telnet 193.164.131.61 25
Trying 193.164.131.61...
Connected to 193.164.131.61.
Escape character is '^]'.
220 mail.con-data.net ESMTP
ehlo test.con-data.net
250-mail.con-data.net Ok.
250-AUTH LOGIN PLAIN
250-STARTTLS
250-XVERP=Courier
250-XEXDATA
250-XSECURITY=NONE,STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE
250 DSN
mail from: 
250 Ok.
rcpt to: 
250 Ok.
data
354 Ok.
From: 
To: 
Subject: test

test
.
250 Ok. 56D99488.76E6
quit
221 Bye.
Connection closed by foreign host.


> Delivered-To: d...@didi-site.de
> Return-Path: 
> Received: from test.con-data.net ([:::79.203.85.47])
>   by mail.con-data.net with ESMTP; Fri, 04 Mar 2016 14:58:05 +0100
>   id 6006DF8C.56D99488.76E6
> Authentication-Results: mail.con-data.net;
> dnswl=pass dns.zone=pbl.spamhaus.org
> policy.ip=127.0.0.10
> policy.txt="https://www.spamhaus.org/query/ip/79.203.85.47";
> Received-SPF: error (DNS MX lookup failed.?)
>   SPF=HELO;
>   sender=test.con-data.net;
>   remoteip=:::79.203.85.47;
>   remotehost=;
>   helo=test.con-data.net;
>   receiver=mail.con-data.net;
> Received-SPF: error (DNS MX lookup failed.?)
>   SPF=MAILFROM;
>   sender=i...@test.con-data.net;
>   remoteip=:::79.203.85.47;
>   remotehost=;
>   helo=test.con-data.net;
>   receiver=mail.con-data.net;
> From: i...@test.con-data.net
> To: d...@didi-site.de
> Subject: test
>
> test


--
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] SPF error (should be fail)

2016-03-05 Thread Sam Varshavchik 

Christopher Rüprich writes:



> That's fine, but this is neither here, nor there. If the DNS lookup
> failed, you don't know whether the domain has MX records, or not.
There is a difference between a failed DNS-lookup and an empty result.


I know that.


I'm pretty sure, in this case the DNS lookup did not fail, but return an
empty result:


How do you know that, for a fact?

Searching my trash folder, with about 800 messages in them, I found six  
instances where one of the three SPF lookups done for each message failed,  
and the two others worked, over the course of last 30 days.


Transient DNS lookup failures are a fact of life.




pgp_VSenzE5mF.pgp
Description: PGP signature
--
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users