HowtoForge Forums > Linux Forums > HOWTO-Related Questions

#1
13th April 2011, 21:41
mintydave (Junior Member)

The Perfect SpamSnake - Ubuntu Jeos 10.10 - SPF DNS Error

Rocky,

It seems that I am still having a few issues with the whitelist on the SpamSnake.

I have a sender trying to get through to a recipient behind the spamsnake but the DNS lookup for the SPF portion of the filter is failing:

Code:
Apr 13 11:43:17 curve postfix/smtpd[1161]: NOQUEUE: reject: RCPT from unknown[99.88.95.18]: 450 4.7.16 <someuser@protecteddomain.net>: Recipient address rejected: SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'; from=<someuser@senderdomain.com> to=<someuser@protecteddomain.net> proto=ESMTP helo=<mail.senderdomain.com>

It appears that a DNS lookup for type "txt" is being done on the "helo" hostname. Since there is no SPF record for "mail.senderdomain.com", SPF lookup is having a cow.

So I added the sender's IP 99.88.95.18 to my Baruwa whitelist (from "Lists -> Add to List", added 99.88.95.0), but the spamsnake is still trying to process this SPF.


Here is a log excerpt from my local BIND9 server showing the lookup:

Code:
Apr 13 13:06:57 vector named[554]: client 192.168.66.13#43386: query: mail.senderdomain.com IN SPF + (192.168.66.14)

Do I need to do something else to eliminate the SPF processing on whitelisted IP addresses?


Respectfully,

Dave,
Deconn Technical Services.

Last edited by mintydave; 13th April 2011 at 22:11. Reason: added BIND9 log entry
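Added example, not part of the thread and not SpamSnake or Postfix code: a small parser for the kind of smtpd reject line quoted above, so that SPF DNS failures can be counted per client address and per SPF identity (HELO name versus MAIL FROM domain). The sample log is constructed from the pattern in the post; the regular expressions assume the default Postfix smtpd reject format shown there.

```python
"""Added example, not part of the thread: pull the fields out of Postfix
smtpd 'NOQUEUE: reject' lines so SPF DNS failures can be counted per client
and per SPF identity (HELO name vs. MAIL FROM domain). The sample lines below
are constructed from the pattern shown in the thread."""
import re
from collections import Counter

# One smtpd reject line, as logged by Postfix when a restriction (here the
# SPF policy service) rejects or defers a RCPT TO command.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>[^\[\s]+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<enhanced>[\d.]+) <(?P<rcpt>[^>]+)>: Recipient address rejected: "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]+)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)
# The DNS error text that the SPF policy service puts into the reject reason.
SPF_DNS_RE = re.compile(
    r"'(?P<rcode>[A-Z]+)' error on DNS '(?P<rrtype>\w+)' lookup of '(?P<name>[^']+)'"
)

# Constructed sample log: two lines modelled on the thread, one where the
# MAIL FROM domain fails instead of the HELO name, and one unrelated reject.
SAMPLE_LOG = """\
Apr 13 11:43:17 curve postfix/smtpd[1161]: NOQUEUE: reject: RCPT from unknown[99.88.95.18]: 450 4.7.16 <someuser@protecteddomain.net>: Recipient address rejected: SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'; from=<someuser@senderdomain.com> to=<someuser@protecteddomain.net> proto=ESMTP helo=<mail.senderdomain.com>
Apr 15 16:11:55 curve postfix/smtpd[15610]: NOQUEUE: reject: RCPT from unknown[99.88.95.18]: 450 4.7.1 <someuser@recipientdomain.com>: Recipient address rejected: SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'; from=<someuser@senderdomain.com> to=<someuser@recipientdomain.com> proto=ESMTP helo=<mail.senderdomain.com>
Apr 15 16:20:03 curve postfix/smtpd[15610]: NOQUEUE: reject: RCPT from mx.example.org[203.0.113.7]: 450 4.7.1 <someuser@recipientdomain.com>: Recipient address rejected: SPF-Result=example.org: 'SERVFAIL' error on DNS 'SPF' lookup of 'example.org'; from=<user@example.org> to=<someuser@recipientdomain.com> proto=ESMTP helo=<mx.example.org>
Apr 15 16:21:44 curve postfix/smtpd[15610]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 <nobody@recipientdomain.com>: Recipient address rejected: Access denied; from=<spam@example.net> to=<nobody@recipientdomain.com> proto=SMTP helo=<example.net>
"""


def parse_reject(line):
    """Return a dict of fields for a reject line, or None if the line is not one."""
    match = REJECT_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    dns = SPF_DNS_RE.search(rec["reason"])
    rec["dns_error"] = dns.groupdict() if dns else None
    return rec


def spf_identity(rec):
    """Which SPF identity the failed lookup was made against: the HELO name,
    the MAIL FROM domain, or something else."""
    name = rec["dns_error"]["name"]
    if name == rec["helo"]:
        return "helo"
    if rec["sender"].lower().endswith("@" + name.lower()):
        return "mailfrom"
    return "other"


def summarize(log_text):
    """Count SPF DNS-error rejects per client address and per identity checked."""
    by_client, by_identity = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None or rec["dns_error"] is None:
            continue
        by_client[rec["ip"]] += 1
        by_identity[spf_identity(rec)] += 1
    return dict(by_client), dict(by_identity)


if __name__ == "__main__":
    clients, identities = summarize(SAMPLE_LOG)
    for ip, count in clients.items():
        print(f"{ip}: {count} SPF DNS-error deferrals")
    print("lookups by identity:", identities)
```

Feeding the real mail.log through `summarize()` makes the pattern in this thread visible at a glance: the failing lookups all target the HELO name, and the 450 code means the sender keeps retrying, so the same client shows up repeatedly until the whitelist or the resolver is fixed.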
#2
14th April 2011, 19:08
Rocky (Senior Member)

What do you have in your main.cf for whitelist_policy?
__________________
Home of the SpamSnake
#3
14th April 2011, 20:12
mintydave (Junior Member)

Rocky,

Thanks for the reply.

Code:
whitelist_policy = check_client_access mysql:/etc/postfix/mysql-global_whitelist.cf, check_sender_access mysql:/etc/postfix/mysql-global_whitelist.cf

Code:
root@curve:/etc/postfix# cat mysql-global_whitelist.cf
#mysql-global_whitelist
user = baruwa
password = XXXXXX
dbname = baruwa
query = select concat('PERMIT') 'action' from lists where from_address='%s' AND list_type='1';
hosts = 127.0.0.1

Dave.
#4
15th April 2011, 17:05
Rocky (Senior Member)

Hey,

Try adding the following to your helo_restrictions and let me know what happens.

smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks, check_helo_accessmysql:/etc/postfix/mysql-global_whitelist.cf, permit

This will look up the global whitelist for your domain entries and should bypass helo checks.

Remember to reload postfix after you've made the changes.

Rocky
__________________
Home of the SpamSnake
#5
15th April 2011, 17:31
mintydave (Junior Member)

Rocky,

I have made the change and will report back with results when they are available.

Do you have any idea why the SPF module is requesting a DNS lookup for the "helo" instead of the domain for the MAIL FROM: ? Is this really the root cause here?

The sender's domain in this incident does not have a TXT or an SPF record in their zone, so the SPF should just ignore checks in the first place.


Best,

Dave.
Deconn Technical Services
#6
16th April 2011, 01:18
mintydave (Junior Member)

Rocky,

I am still getting

Code:
Apr 15 16:11:55 curve postfix/smtpd[15610]: NOQUEUE: reject: RCPT from unknown[99.88.95.18]: 450 4.7.1 <someuser@recipientdomain.com>: Recipient address rejected: SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'; from=<someuser@senderdomain.com> to=<someuser@recipientdomain.com> proto=ESMTP helo=<mail.senderdomain.com>

Any other suggestions?


Gratefully,

Dave.
Deconn Technical Services
#7
16th April 2011, 02:04
mintydave (Junior Member)

Quote: Originally Posted by Rocky
smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks, check_helo_accessmysql:/etc/postfix/mysql-global_whitelist.cf, permit

Update:
I added a space after "check_helo_access".

Earlier today I just pasted what you typed into my main.cf and postfix hiccuped on me, so I put a "," after check_helo_access. After examining the syntax of the other entries in the main.cf, I realized that maybe it was supposed to be a space.

Reloaded postfix and am waiting for my "tail -f" to give me results from the offending sender.



Dave.
Deconn Technical Services
#8
16th April 2011, 02:35
mintydave (Junior Member)

Quote: Originally Posted by Rocky
Try adding the following to your helo_restrictions and let me know what happens.

smtpd_helo_restrictions = permit_sasl_authenticated,permit_mynetworks, check_helo_access mysql:/etc/postfix/mysql-global_whitelist.cf, permit

Code:
Apr 15 17:29:07 curve postfix/policy-spf[19419]: : Policy action=DEFER_IF_PERMIT SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'
Apr 15 17:29:07 curve postfix/smtpd[15802]: NOQUEUE: reject: RCPT from unknown[99.88.95.18]: 450 4.7.1 <someuser@recipientdomain.com>: Recipient address rejected: SPF-Result=mail.senderdomain.com: 'SERVFAIL' error on DNS 'SPF' lookup of 'mail.senderdomain.com'; from=<someuser@senderdomain.com> to=<someuser@recipientdomain.com> proto=ESMTP helo=<mail.senderdomain.com>

No go on the suggested change to the main.cf.


Dave.
Deconn Technical Services
#9
16th April 2011, 04:29
Rocky (Senior Member)

Yes, sorry, after thinking about it, the helo restriction would make no sense since spf checks would still be done. Please undo the changes made.

Please add both the domain and ip to your baruwa whitelist and check it out. It should completely bypass checks and go straight through to postfix for delivery.
__________________
Home of the SpamSnake
#10
16th April 2011, 06:44
mintydave (Junior Member)

Quote: Originally Posted by Rocky
Please add both the domain and ip to your baruwa whitelist

Done.

As you predicted:
Code:
Apr 15 21:22:36 curve postfix/smtpd[2530]: warning: 99.88.95.18: address not listed for hostname mail.senderdomain.com
Apr 15 21:22:36 curve postfix/cleanup[10216]: 40A2B5E68D: hold: header Received: from mail.senderdomain.com (unknown [99.88.95.18])??by curve.domainservicehost.com (Postfix) with ESMTP id 40A2B5E68D??for <administrator@recipientdomain.net>; Fri, 15 Apr 2011 21:22:36 -0 from unknown[99.88.95.18]; from=<someuser@senderdomain.com> to=<administrator@recipientdomain.net> proto=ESMTP helo=<mail.senderdomain.com>
Apr 15 21:22:38 curve postfix/qmgr[15279]: 349705E6C8: from=<someuser@senderdomain.com>, size=12154, nrcpt=1 (queue active)

May I ask a related question?

It appears to me that the SPF lookup of the "helo" hostname is a problem here. Why would SPF look up the helo? Why not a DNS TXT/SPF lookup of the MAIL FROM:?

In this particular case, the sender's email is coming from a hosted account on godaddy, and the mail.senderdomain resolves to a CNAME, and that CNAME resolves to another CNAME, which finally resolves to an A record.
Code:
root@vector:~# dig @ns40.domaincontrol.com mail.senderdomain.com TXT

; <<>> DiG 9.7.0-P1 <<>> @ns40.domaincontrol.com mail.senderdomain.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26012
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.senderdomain.com.                IN      TXT

;; ANSWER SECTION:
mail.senderdomain.com. 3600    IN      CNAME   pop.secureserver.net.

;; AUTHORITY SECTION:
senderdomain.com.      3600    IN      NS      ns39.domaincontrol.com.
senderdomain.com.      3600    IN      NS      ns40.domaincontrol.com.

;; Query time: 47 msec
;; SERVER: 208.109.255.20#53(208.109.255.20)
;; WHEN: Fri Apr 15 21:34:56 2011
;; MSG SIZE  rcvd: 126

I get a fully recursed response which clearly shows there is no TXT record for this domain (which is actually a hostname).

However, if I do the same dig without the "@" (using my locally configured name server) I get a SERVFAIL:

Code:
root@vector:~# dig mail.senderdomain.com TXT

; <<>> DiG 9.7.0-P1 <<>> mail.senderdomain.com TXT
;; global options: +cmd
;; connection timed out; no servers could be reached

So firstly, thank you YET AGAIN for helping me resolve a problem... however, it seems to me there may still be some type of inconsistency with how SPF parses the SMTP conversation for processing the DNS query.


Dave.
Deconn Technical Services
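Added example covering Rocky's fix in post #9 and the HELO question in post #10. It is not SpamSnake, Postfix or policyd-spf code but a small offline model of the restriction chain: whitelist access maps first, SPF policy service last. Two points are assumptions rather than facts from the thread: the stand-in policy service checks the HELO identity before the MAIL FROM domain and turns a DNS temporary error into DEFER_IF_PERMIT (which is what the quoted policy-spf log shows happening), and the access-map lookup keys follow the pattern documented in Postfix access(5), where an address is tried in full and then as shorter network prefixes, and a sender as full address, domain, parent domains and localpart@. All DNS data and the session values are constructed.

```python
"""Added example, not SpamSnake, Postfix or policyd-spf code: a small model of the
restriction chain discussed in posts #9 and #10. Assumptions, not taken from the
thread: the stand-in policy service checks HELO before MAIL FROM and turns a DNS
temporary error into DEFER_IF_PERMIT; access-map lookup keys follow access(5)."""
import ipaddress


class DnsTempError(Exception):
    """SERVFAIL or timeout: no answer at all, which is not the same as 'no record'."""


class FakeResolver:
    """Offline stand-in for DNS. 'records' maps a name to its TXT strings; names in
    'servfail' raise a temporary error, like the thread's local BIND did."""

    def __init__(self, records, servfail=()):
        self.records, self.servfail, self.queries = records, set(servfail), []

    def txt(self, name):
        self.queries.append(name)      # recorded so callers can see whether SPF ran
        if name in self.servfail:
            raise DnsTempError(name)
        return self.records.get(name, [])


def spf_verdict(record, client_ip):
    """Minimal SPF evaluation: only ip4: mechanisms and the final 'all' are modelled."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def spf_policy(resolver, client_ip, helo, mail_from):
    """Stand-in policy service returning (action, reason). Assumption: HELO is
    checked first, so its lookup can fail before MAIL FROM is even tried."""
    for identity in (helo, mail_from.split("@", 1)[1]):
        try:
            records = resolver.txt(identity)
        except DnsTempError as exc:
            return "DEFER_IF_PERMIT", f"'SERVFAIL' error on DNS 'SPF' lookup of '{exc}'"
        spf = [r for r in records if r.startswith("v=spf1")]
        if spf and spf_verdict(spf[0], client_ip) == "fail":
            return "REJECT", f"SPF fail for {identity}"
        # no record (result 'none') or a non-fail result: nothing to enforce here
    return "DUNNO", "no SPF policy to enforce"


def client_keys(client_ip, client_name):
    """Keys tried by check_client_access per access(5): the client hostname and its
    parent domains (nothing for 'unknown'), then the address and shorter prefixes."""
    keys = []
    if client_name != "unknown":
        labels = client_name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = client_ip.split(".")
    return keys + [".".join(octets[:n]) for n in range(4, 0, -1)]


def sender_keys(sender):
    """Keys tried by check_sender_access: address, domain, parent domains, localpart@."""
    local, domain = sender.split("@", 1)
    labels = domain.split(".")
    return [sender] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]


def check_access(table, keys):
    """First key present in the access table wins, as with a Postfix access map."""
    for key in keys:
        if key in table:
            return table[key], f"{key} matched whitelist"
    return "DUNNO", "no match"


def recipient_restrictions(whitelist, resolver, client_ip, client_name, helo, mail_from):
    """Whitelist tables run before the SPF policy service, mirroring the
    whitelist_policy from post #3; a PERMIT ends the list before any DNS lookup."""
    chain = (
        lambda: check_access(whitelist, client_keys(client_ip, client_name)),
        lambda: check_access(whitelist, sender_keys(mail_from)),
        lambda: spf_policy(resolver, client_ip, helo, mail_from),
    )
    for restriction in chain:
        action, reason = restriction()
        if action != "DUNNO":
            return action, reason
    return "PERMIT", "end of restriction list"


def demo(whitelist):
    """One session shaped like the thread's, against a fresh resolver whose lookup of
    the HELO name fails (constructed data). Returns (action, reason, names queried)."""
    resolver = FakeResolver(records={"senderdomain.com": []}, servfail={"mail.senderdomain.com"})
    action, reason = recipient_restrictions(
        whitelist, resolver, client_ip="99.88.95.18", client_name="unknown",
        helo="mail.senderdomain.com", mail_from="someuser@senderdomain.com")
    return action, reason, list(resolver.queries)


if __name__ == "__main__":
    # '99.88.95.0' is never a lookup key, so SPF still runs and defers on the HELO name.
    print(demo({"99.88.95.0": "PERMIT"}))
    # The exact address (or the prefix '99.88.95') matches before SPF is consulted.
    print(demo({"99.88.95.18": "PERMIT"}))
    # So does the sender domain, the other entry asked for in post #9.
    print(demo({"senderdomain.com": "PERMIT"}))
```

The model also shows why a helo_restrictions change cannot help: the SPF policy service sits in the recipient restriction chain and is still reached for a client that no earlier entry in that chain permits. In the real setup the same tempfail keeps producing 450 responses until either the whitelist matches or the local resolver stops returning SERVFAIL for the HELO name.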
All times are GMT +2.