postfix-policyd-spf-perl and troubles with Amazon?


Tobi

Hi list

I know it's technically not a postfix issue :-) But maybe someone else
here on this list has the same problem.
I'm using Postfix with postfix-policyd-spf-perl. About 4 or 5 days ago
I started to get error messages from postfix for mails from Amazon.
The log shows

<<
May  6 15:33:12 mail1 postfix/policy-spf[10692]: Policy
action=DEFER_IF_PERMIT SPF-Result=marketplace.amazon.de ...
spf1.amazon.com: Unknown error on DNS 'TXT' lookup of 'spf1.amazon.com'
May  6 15:33:12 mail1 postfix/smtpd[10069]: NOQUEUE: reject: RCPT from
a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]: 450 4.7.1
<[hidden email]>: Recipient address rejected:
SPF-Result=marketplace.amazon.de ... spf1.amazon.com: Unknown error on
DNS 'TXT' lookup of 'spf1.amazon.com';
from=<[hidden email]>
to=<[hidden email]> proto=ESMTP
helo=<a0-3.smtp-out.eu-west-1.amazonses.com>
May  6 15:33:37 mail1 postfix/smtpd[10069]: disconnect from
a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]
>>

I did not change anything on the server side. I tried to verify the
SPF records from Amazon with
http://www.kitterman.com/spf/validate.html but the tests were always
successful.
Does anyone have this problem too with Amazon? Or does anyone have an
idea how to solve it?

Thanks

tobi

Re: postfix-policyd-spf-perl and troubles with Amazon?

James B. Byrne

On Wed, May 6, 2015 09:45, Tobi wrote:

>
> Hi list
>
> I know it's technically not a postfix issue :-) But maybe someone else
> here on this list has the same problem.
> I'm using Postfix with postfix-policyd-spf-perl. About 4 or 5 days ago
> I started to get error messages from postfix for mails from Amazon.
> The log shows
>
> <<
> May  6 15:33:12 mail1 postfix/policy-spf[10692]: Policy
> action=DEFER_IF_PERMIT SPF-Result=marketplace.amazon.de ...
> spf1.amazon.com: Unknown error on DNS 'TXT' lookup of
> 'spf1.amazon.com'
> May  6 15:33:12 mail1 postfix/smtpd[10069]: NOQUEUE: reject: RCPT from
> a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]: 450 4.7.1
> <[hidden email]>: Recipient address rejected:
> SPF-Result=marketplace.amazon.de ... spf1.amazon.com: Unknown error on
> DNS 'TXT' lookup of 'spf1.amazon.com';
> from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP
> helo=<a0-3.smtp-out.eu-west-1.amazonses.com>
> May  6 15:33:37 mail1 postfix/smtpd[10069]: disconnect from
> a0-3.smtp-out.eu-west-1.amazonses.com[54.240.0.3]
> >>
>
> I did not change anything on the server side. I tried to verify the
> SPF records from Amazon with
> http://www.kitterman.com/spf/validate.html but the tests were always
> successful.
> Does anyone have this problem too with Amazon? Or does anyone have an
> idea how to solve it?
>
> Thanks
>
dig spf1.amazon.com TXT

;; ANSWER SECTION:
spf1.amazon.com. 900 IN TXT "spf2.0/pra ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
spf1.amazon.com. 900 IN TXT "v=spf1 ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"

Amazon has screwed up their spf records.  A DNS host can have only ONE
spf TXT RR and that must not contain or recursively resolve to more
than TEN tags.

You will have to contact the DNS maintainer for the amazon.com zone

;; AUTHORITY SECTION:
amazon.com. 60 IN SOA dns-external-master.amazon.com.
root.amazon.com. 2010112764 180 60 3024000 60

Who evidently is reached via [hidden email].  Good luck with that.


--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: postfix-policyd-spf-perl and troubles with Amazon?

Scott Kitterman-4
On Wednesday, May 06, 2015 09:58:57 AM James B. Byrne wrote:

> dig spf1.amazon.com TXT
>
> ;; ANSWER SECTION:
> spf1.amazon.com. 900 IN TXT "spf2.0/pra ip4:207.171.160.0/19
> ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
> ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
> ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
> spf1.amazon.com. 900 IN TXT "v=spf1 ip4:207.171.160.0/19
> ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
> ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
> ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
>
> Amazon has screwed up their spf records.  A DNS host can have only ONE
> spf TXT RR and that must not contain or recursively resolve to more
> than TEN tags.
>
> You will have to contact the DNS maintainer for the amazon.com zone
>
> ;; AUTHORITY SECTION:
> amazon.com. 60 IN SOA dns-external-master.amazon.com.
> root.amazon.com. 2010112764 180 60 3024000 60
>
> Who evidently is reached via [hidden email].  Good luck with that.

No.  That's not it.  One of those is a v=spf1 SPF record and the other is a
spf2.0 Sender ID record.

Much more likely the issue is the use of EDNS0.  In the part of the dig output
you didn't include, you probably got:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

and

;; MSG SIZE  rcvd: 611

I would guess that they published a new record that pushed them outside the
size of a UDP packet, so it used EDNS0, and there's some incompatible box in
the middle (and there wasn't such a box similarly in between amazon and my SPF
validator).

Followups should probably go to:

https://answers.launchpad.net/postfix-policyd-spf-perl

Scott K

Re: postfix-policyd-spf-perl and troubles with Amazon?

James B. Byrne

On Wed, May 6, 2015 10:11, Scott Kitterman wrote:

> On Wednesday, May 06, 2015 09:58:57 AM James B. Byrne wrote:
>>
>> Amazon has screwed up their spf records.  A DNS host can have only
>> ONE spf TXT RR and that must not contain or recursively resolve to
>> more than TEN tags.
>
> No.  That's not it.  One of those is a v=spf1 SPF record and the other
> is a spf2.0 Sender ID record.
>
> Much more likely the issue is the use of EDNS0.  In the part of the
> dig output you didn't include, you probably got:
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
>
> and
>
> ;; MSG SIZE  rcvd: 611


Actually, no. I got this:

;; ANSWER SECTION:
spf1.amazon.com. 900 IN TXT "spf2.0/pra ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"
spf1.amazon.com. 900 IN TXT "v=spf1 ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.192.0/19 ip4:194.154.193.192/27
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24
ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all"

;; AUTHORITY SECTION:
amazon.com. 2751 IN NS ns3.p31.dynect.net.
amazon.com. 2751 IN NS ns1.p31.dynect.net.
amazon.com. 2751 IN NS ns4.p31.dynect.net.
amazon.com. 2751 IN NS ns2.p31.dynect.net.
amazon.com. 2751 IN NS pdns6.ultradns.co.uk.
amazon.com. 2751 IN NS pdns1.ultradns.net.

;; Query time: 1 msec
;; SERVER: 216.185.71.33#53(216.185.71.33)
;; WHEN: Wed May  6 09:54:00 2015
;; MSG SIZE  rcvd: 600

And thanks for the correction.  I had never run into MS's Sender ID in
the wild before and had no recollection of its existence until you
reminded me.  One more thing to look for.




--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

Tobi
@Scott

thanks for putting me into the right direction :-)
The answer for spf1.amazon.com TXT is indeed too big for UDP, so the
query was retried in TCP mode.
But the stupid admin (aka myself) forgot that he had disabled TCP on the
mail server's local resolver (unbound). After enabling TCP mode for
unbound, the queries for spf1.amazon.com TXT were answered properly.
Amazon did not retry yet, but I'm sure that this solved the problem.

Thanks a lot

tobi

On 06.05.2015 at 16:11, Scott Kitterman wrote:

> No.  That's not it.  One of those is a v=spf1 SPF record and the other is a
> spf2.0 Sender ID record.
>
> Much more likely the issue is the use of EDNS0.  In the part of the dig output
> you didn't include, you probably got:
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
>
> and
>
> ;; MSG SIZE  rcvd: 611
>
> I would guess that they published a new record that pushed them outside the
> size of a UDP packet, so it used EDNS0, and there's some incompatible box in
> the middle (and there wasn't such a box similarly in between amazon and my SPF
> validator).
>
> Followups should probably go to:
>
> https://answers.launchpad.net/postfix-policyd-spf-perl
>
> Scott K
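Added example (editor's addition, not from this thread and not part of postfix-policyd-spf-perl): the failure Tobi hit, modelled in standard-library Python so it runs offline. It builds the spf1.amazon.com reply from the two TXT records and the six NS records quoted above, shows that the answer section alone fits in 512 bytes while the full reply with the authority section does not, lets a stand-in server cut the UDP reply back to the question with TC=1 (what a server does when the client advertised no EDNS0 buffer size), and runs a stand-in resolver that either retries over TCP or, with TCP disabled as Tobi's unbound was, fails the lookup. Assumptions, all mine: uncompressed wire encoding, truncation down to the question only (one legal form of it), arbitrary TTLs and transaction ID, and the spf2.0/pra record skipped as RFC 7208 section 4.5 requires rather than treated as a duplicate.

```python
"""Added example: why a TXT reply larger than 512 bytes breaks an SPF lookup when
the resolver cannot fall back to TCP.  Record contents and NS set are the ones
quoted in this thread; server and resolver are in-process stand-ins (no network)."""
import struct

NAME = "spf1.amazon.com"
IP4_LIST = ("ip4:207.171.160.0/19 ip4:87.238.80.0/21 ip4:72.21.192.0/19 "
            "ip4:194.154.193.192/27 ip4:194.7.41.152/28 ip4:212.123.28.40/32 "
            "ip4:203.81.17.0/24 ip4:72.21.212.0/25 ip4:178.236.10.128/26 -all")
TXT_RECORDS = ["spf2.0/pra " + IP4_LIST, "v=spf1 " + IP4_LIST]   # Sender ID + SPF
NS_RECORDS = ["ns3.p31.dynect.net", "ns1.p31.dynect.net", "ns4.p31.dynect.net",
              "ns2.p31.dynect.net", "pdns6.ultradns.co.uk", "pdns1.ultradns.net"]
TYPE_NS, TYPE_TXT, CLASS_IN, FLAG_TC = 2, 16, 1, 0x0200

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, then the root."""
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a name (compression pointers allowed); return (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                   # pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode())
        off += n

def build_response(qname, txts, ns=(), txid=0x1234):
    """Authoritative TXT answer, optionally with an NS authority section (no compression)."""
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, len(txts), len(ns), 0)   # QR=1, AA=1
    msg += encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    for txt in txts:                           # each record is a single <character-string>
        rdata = bytes([len(txt)]) + txt.encode()
        msg += encode_name(qname) + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 900, len(rdata)) + rdata
    zone = qname.split(".", 1)[1]              # assumed: parent of qname is the zone apex
    for host in ns:
        rdata = encode_name(host)
        msg += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 2751, len(rdata)) + rdata
    return msg

def udp_truncate(msg, udp_size=512):
    """Server side: a reply over the client's UDP limit is cut to the question with TC=1."""
    if len(msg) <= udp_size:                   # 512 unless the client sent an EDNS0 OPT
        return msg
    txid, flags, qd = struct.unpack("!HHH", msg[:6])
    end_q = 12
    for _ in range(qd):
        end_q = read_name(msg, end_q)[1] + 4
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, qd, 0, 0, 0) + msg[12:end_q]

def parse_txt_response(msg):
    """Return (truncated, [TXT strings]) from a wire-format response."""
    _, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4
    txts = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT:                  # join the character-strings (RFC 7208 3.3)
            parts, i = [], 0
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            txts.append("".join(parts))
    return bool(flags & FLAG_TC), txts

def amazon_server(name, transport, udp_size=512):
    """Stand-in authoritative server: full reply over TCP, UDP reply capped at udp_size."""
    full = build_response(name, TXT_RECORDS, NS_RECORDS)
    return full if transport == "tcp" else udp_truncate(full, udp_size)

def resolve_txt(name, server, tcp_enabled=True):
    """Resolver side: ask over UDP; on TC retry over TCP.  tcp_enabled=False models 'do-tcp: no'."""
    truncated, txts = parse_txt_response(server(name, "udp"))
    if not truncated:
        return txts
    if not tcp_enabled:                        # the thread's symptom: lookup fails, SPF temperror
        raise RuntimeError("Unknown error on DNS 'TXT' lookup of '%s'" % name)
    truncated, txts = parse_txt_response(server(name, "tcp"))
    if truncated:
        raise RuntimeError("reply truncated even over TCP")
    return txts

def select_spf_record(txts):
    """RFC 7208 4.5: exactly one 'v=spf1' record; the spf2.0/pra (Sender ID) record is ignored."""
    spf = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spf) != 1:
        raise ValueError("permerror: %d v=spf1 records" % len(spf))
    return spf[0]
```

Calling resolve_txt(NAME, amazon_server, tcp_enabled=False) raises the same "Unknown error" wording the policy daemon logged, while resolve_txt(NAME, amazon_server) returns both records and select_spf_record picks the v=spf1 one; udp_truncate(full, 4096) returns the reply untouched, which is the EDNS0 case Scott describes. Against a live resolver the two legs are dig +noedns +ignore spf1.amazon.com TXT (shows the tc flag, no TCP retry) and dig +tcp spf1.amazon.com TXT; the unbound switch Tobi had turned off is do-tcp in the server: section, which defaults to yes.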


Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

Scott Kitterman-4
On Wednesday, May 06, 2015 05:17:12 PM Tobi wrote:

> @Scott
>
> thanks for putting me into the right direction :-)
> The answer for spf1.amazon.com TXT is indeed too big for UDP, so the
> query was retried in TCP mode.
> But the stupid admin (aka myself) forgot that he had disabled TCP on the
> mail server's local resolver (unbound). After enabling TCP mode for
> unbound, the queries for spf1.amazon.com TXT were answered properly.
> Amazon did not retry yet, but I'm sure that this solved the problem.
>
Great.  Feel free to throw RFC 7208 Section 3.4 (Record Size) at them.  The
SHOULD fit in a UDP packet is there for a reason.

Scott K

Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

Postfix User-2
On Wed, 06 May 2015 13:59:44 -0400, Scott Kitterman stated:

> Great.  Feel free to throw RFC 7208 Section 3.4 (Record Size) at them.  The
> SHOULD fit in a UDP packet is there for a reason.

SHOULD ≠ MUST

--
Jerry

Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

Chris Adams-2
Once upon a time, Scott Kitterman <[hidden email]> said:
> Great.  Feel free to throw RFC 7208 Section 3.4 (Record Size) at them.  The
> SHOULD fit in a UDP packet is there for a reason.

I see your RFC and raise you RFC 6891.  "[f]it in a UDP packet" does not
mean 512 bytes.
--
Chris Adams <[hidden email]>

Re: postfix-policyd-spf-perl and troubles with Amazon? [SOLVED]

Scott Kitterman-4
On Wednesday, May 06, 2015 02:12:04 PM Chris Adams wrote:
> Once upon a time, Scott Kitterman <[hidden email]> said:
> > Great.  Feel free to throw RFC 7208 Section 3.4 (Record Size) at them.
> > The
> > SHOULD fit in a UDP packet is there for a reason.
>
> I see your RFC and raise you RFC 6891.  "[f]it in a UDP packet" does not
> mean 512 bytes.

RFC 7208 is more precise in its language than my mail here.  Bottom line is
if your reply goes over 512 and it breaks, you get to keep both halves.

Scott K