@Scott
thanks for putting me into the right direction :-)
The answer for spf1.amazon.com TXT is indeed too big for UDP. So the
query was retried in TCP mode.
But the stupid admin (aka myself) forgot that he disabled tcp on the
mailservers local resolvers (unbound). After enabling tcp mode for
unbound the queries for spf1.amazon.com TXT were properly answered properly.
Amazon did not retry yet, but I'm sure that this solved the problem.
Thanks a iot
tobi
Am 06.05.2015 um 16:11 schrieb Scott Kitterman:
On Wednesday, May 06, 2015 09:58:57 AM James B. Byrne wrote:
On Wed, May 6, 2015 09:45, Tobi wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Hi list
I know it's technically not a postfix issue :-) But maybe someone else
here on this list has the same problem.
I'm using Postfix with postfix-policyd-spf-perl About 4 or 5 days ago
I started to get error messages from postfix for mails from Amazon.
The log shows
<<
May 6 15:33:12 mail1 postfix/policy-spf[10692]: Policy
action=DEFER_IF_PERMIT SPF-Result=marketplace.amazon.de ...
spf1.amazon.com: Unknown error on DNS 'TXT' lookup of
'spf1.amazon.com'
May 6 15:33:12 mail1 postfix/smtpd[10069]: NOQUEUE: reject: RCPT from
a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]: 450 4.7.1
: Recipient address rejected:
SPF-Result=marketplace.amazon.de ... spf1.amazon.com: Unknown error on
DNS 'TXT' lookup of 'spf1.amazon.com';
from=
to= proto=ESMTP
helo=
May 6 15:33:37 mail1 postfix/smtpd[10069]: disconnect from
a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]
I did not change anything on the server side. I tried to verify the
SPF records from Amazon with
http://www.kitterman.com/spf/validate.html but the tests were always
successfull.
Does anyone have this problem too with Amazon? Or does anyone have an
idea how to solve it?
Thanks
dig spf1.amazon.com TXT
;; ANSWER SECTION:
spf1.amazon.com.900 IN TXT "spf2.0/pra ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
spf1.amazon.com.900 IN TXT "v=spf1 ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
Amazon has screwed up their spf records. A DNS host can have only ONE
spf TXT RR and that must not contain or recursively resolve to more
than TEN tags.
You will have to contact the DNS maintainer for the amazon.com zone
;; AUTHORITY SECTION:
amazon.com. 60 IN SOA dns-external-master.amazon.com.
root.amazon.com. 2010112764 180 60 3024000 60
Who evidently is reached via r...@amazon.com. Good luck with that.
No. That's not it. One of those is a v=spf1 SPF record and the other is a
spf2.0 Sender ID record.
Much more likely the issue is the use of EDNS0. In the part of the dig output
you didn't include, you probably got:
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
and
;; MSG SIZE rcvd: 611
I would guess that they published a new record that pushed them outside the
size of a UDP packet, so it used EDNS0, and there's some incompatible box in
the middle (and there wasn't such a box similarly in between amazon and my SPF
validator).
Followups should probably go to:
https://answers.launchpad.net/postfix-policyd-spf-perl
Scott K
