
gcerullo at pixelpointstudios
Dec 5, 2008, 9:20 AM
Post #3 of 3
Re: SPF (TXT) record not being seen by my own server
On 5-Dec-08, at 10:47 AM, Chris Haynes wrote:

> Have you checked that your mail server can see the text record, e.g.
> by using:
>
> nslookup -type=TXT pixelpointstudios.com
>
> If it can't, and if your domain's DNS service is on the same server
> check any firewall settings. In particular, if there is port
> mapping taking place using iptables, the externally-visible ports
> are not visible from the same machine. This is a well-known 'gotcha'
> when testing web servers and something like it could be happening
> here.
>
> HTH
>
> Chris
>
>
>
> On Friday, December 5, 2008 at 2:24:46 PM, Gino Cerullo wrote:
>> Hello everyone, I'm having a strange problem.
>
>> My own mail server does not see my own SPF policy. Here is a sample
>> header of mail I've been receiving lately that should be rejected,
>
>> Return-Path: <hostmaster [at] pixelpointstudios>
>> Received-SPF: none (webserver.pixelpointstudios.com: domain
>> ofhostmaster [at] pixelpointstudios
>> does not designate permitted sender hosts)
>> Received: from alunos.utad.pt (unknown [190.245.48.122])
>> by mail.pixelpointstudios.com (Postfix) with SMTP id
>> A73F25BAE81
>> for <hostmaster [at] pixelpointstudios>; Fri, 5 Dec 2008
>> 06:04:53
>> -0500 (EST)
>
>> As you can see the server is checking for an SPF policy but claims
>> not
>> to find one but every check I've performed with every test suite I
>> could find all point to a valid and working SPF policy for the domain
>> 'pixelpointstudios.com'.
>
>> The mail server is working properly as I can find plenty of SPF FAILs
>> in the mail log as this recent sample shows,
>
>> Nov 28 18:01:44 webserver postfix/policy-spf[19067]: : SPF fail:
>> smtp_comment=Please see
>> http://www.openspf.org/why.html?sender=shih_lieo%40gmx.net&ip=190.226.144.148&receiver=webserver.pixelpointstudios.com
>> , header_comment=webserver.pixelpointstudios.com: domain of shih_lieo [at] gmx
>> does not designate 190.226.144.148 as permitted sender
>
>> I've had an SPF policy for many years now and my server has had SPF
>> policy checking for almost as long without problem so I don't
>> understand where the problem can be as everything seems to be working
>> properly for every other domain except my own.
>
>> Also, this isn't hit and miss as though my DNS records aren't
>> available temporarily. According to my mail log, my server never
>> rejects mail claiming to be from my domain when it is obviously
>> forged.
>
>> Any hints as to what may be going on would be greatly appreciated.
>
>> If it helps I'm running a standard install of Mac OS X Server 10.4.11
>> with the included Postfix MTA. Nothing has been updated or messed
>> with.

Chris, I think you've nailed it! Results below.

Results of nslookup for my domain 'pixelpointstudios.com'

webserver:~ administrator$ nslookup -type=TXT pixelpointstudios.com
Server: 10.161.225.2
Address: 10.161.225.2#53

*** Can't find pixelpointstudios.com: No answer

DNS for the domain is hosted externally but I do have the DNS service enabled and configured on the server for 'pixelpointstudios.com' but it didn't have the required TXT record. I've just added it and nslookup now sees the TXT record.

webserver:~ administrator$ nslookup -type=TXT pixelpointstudios.com
Server: 10.161.225.2
Address: 10.161.225.2#53

pixelpointstudios.com text = "v=spf1 ip4:64.201.186.16 -all"

The server has only been sitting at the data centre for a little over a year, previously I had it located at my office and DNS was configured differently. I guess no one had sent me forged email with my own domain in all that time so the missing TXT record was a non-issue.

Thanks

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
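Added example, not part of the original thread: a small audit that scans stored messages for the symptom described above, an envelope sender in one of the server's own domains with a `Received-SPF: none` result, which means the resolver the MTA uses cannot see the published policy. The domain `example.com`, the sample messages and all function names are constructed for illustration.

```python
import email
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}  # assumption: stand-in for the operator's own domain

def _msg(sender, spf, subject):
    """Build a constructed sample message with the headers the check reads."""
    return (f"Return-Path: <{sender}>\n"
            f"Received-SPF: {spf}\n"
            f"Subject: {subject}\n\nbody\n")

# Constructed samples (documentation domains and addresses, not real traffic).
SAMPLES = [
    _msg("hostmaster@example.com",
         "none (mx.example.com: domain of hostmaster@example.com\n"
         "\tdoes not designate permitted sender hosts)", "own domain, policy not seen"),
    _msg("hostmaster@EXAMPLE.com",
         "fail (mx.example.com: domain of hostmaster@example.com\n"
         "\tdoes not designate 192.0.2.10 as permitted sender)", "own domain, policy seen"),
    _msg("alice@example.com",
         "pass (mx.example.com: domain of alice@example.com\n"
         "\tdesignates 198.51.100.7 as permitted sender)", "own domain, legitimate"),
    _msg("bob@example.net",
         "none (mx.example.com: domain of bob@example.net\n"
         "\tdoes not designate permitted sender hosts)", "foreign domain without SPF"),
]

def spf_verdict(raw):
    """Return (envelope_domain, spf_result, subject) for one raw message."""
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    domain = addr.rpartition("@")[2].lower()
    # msg.get returns the topmost Received-SPF header; trace headers are
    # prepended, so that is normally the one the final receiving MTA added.
    header = msg.get("Received-SPF", "")
    result = header.split(None, 1)[0].lower() if header.strip() else "missing"
    return domain, result, msg.get("Subject", "")

def own_domain_blind_spots(raw_messages, own_domains=OWN_DOMAINS):
    """Subjects of messages whose sender domain is ours but SPF result is 'none'."""
    hits = []
    for raw in raw_messages:
        domain, result, subject = spf_verdict(raw)
        # 'none' is normal for foreign domains without SPF; for a domain that
        # publishes a policy it means the local resolver's view is incomplete.
        if domain in own_domains and result == "none":
            hits.append(subject)
    return hits

if __name__ == "__main__":
    for subject in own_domain_blind_spots(SAMPLES):
        print("resolver cannot see our SPF record:", subject)
```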