11-05-2014, 03:10 PM   #1
descendant_command
SPF issues with recursive includes


So I noticed my Postfix servers returning "451 4.3.5 Server configuration problem" to some mails and rejecting them (4xx, so they retry).
The associated log output says "warning: problem talking to server private/spfpolicy: Connection timed out"

Investigating the domains in question shows:
Code:
dig txt far.gxjfsm.com

; <<>> DiG 9.7.3 <<>> txt far.gxjfsm.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43812
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;far.gxjfsm.com.			IN	TXT

;; ANSWER SECTION:
far.gxjfsm.com.		574	IN	TXT	"v=spf1 include:far.gxjfsm.com ~all"

... a recursive include! (so the SPF check times out).

Given the domain names involved, this seems intentional, maybe designed simply to put load on servers.

I didn't find much on this while searching (maybe it's a new thing) so thought I'd post here.

It doesn't seem to be much of an issue for us currently, but may be for busier sites, or if the volume of such mails is ramped up.

Any thoughts?
Mitigations?
Maybe a fail2ban filter to simply block domains that do this?

Last edited by descendant_command; 11-17-2014 at 04:30 AM.
 
11-16-2014, 03:00 PM   #2
descendant_command
Further info.
It has now shifted to relaying via Yahoo servers and, unfortunately, blocking them makes my phone ring.
Code:
Transcript of session follows.

 Out: 220 smtp.<mydomain> ESMTP
 In:  EHLO nm4.access.bullet.mail.gq1.yahoo.com
 Out: 250-smtp.<mydomain>
 Out: 250-PIPELINING
 Out: 250-SIZE 51200000
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-AUTH PLAIN LOGIN CRAM-MD5
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 220 2.0.0 Ready to start TLS
 In:  EHLO nm4.access.bullet.mail.gq1.yahoo.com
 Out: 250-smtp.<mydomain>
 Out: 250-PIPELINING
 Out: 250-SIZE 51200000
 Out: 250-ETRN
 Out: 250-AUTH PLAIN LOGIN CRAM-MD5
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<ha4m@yagia.ekruem.com>
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<info@mydomain>
 Out: 451 4.3.5 Server configuration problem
 In:  RSET
 Out: 250 2.0.0 Ok
 In:  QUIT
 Out: 221 2.0.0 Bye
Code:
me@mine:~$ dig any yagia.ekruem.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> any yagia.ekruem.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28340
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yagia.ekruem.com.		IN	ANY

;; ANSWER SECTION:
yagia.ekruem.com.	599	IN	A	50.117.47.163
yagia.ekruem.com.	599	IN	MX	5 yagia.ekruem.com.
yagia.ekruem.com.	599	IN	TXT	"v=spf1 include:yagia.ekruem.com ~all"

;; Query time: 1260 msec

I'm using postfix-policyd-spf-perl on Debian.
Going to try postfix-policyd-spf-python to see if that behaves any differently, and maybe file a bug report.
Presumably there should be a check to abort immediately on recursive includes rather than timing out.

I found this in an old (2003) thread:
Quote:
Originally Posted by http://www.gossamer-threads.com/lists/spf/discuss/412
clients are expected to perform loop detection.

Not sure if my search-fu is failing or no-one else sees this as a problem or what - maybe timing out is the correct behaviour...
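
The loop check the post asks about, as an added example that is not part of the original thread and not code from postfix-policyd-spf-perl or postfix-policyd-spf-python: it walks only the include:/redirect= graph (no macros, no IP matching, no counting of a/mx/ptr/exists), flags a domain that reappears in its own include chain, and applies the 10-lookup cap from RFC 7208 section 4.6.4. `ZONE`, `get_spf`, `walk` and `check` are hypothetical names, and the `.example` records are constructed.

```python
# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The first two records are the ones in the dig output above; the rest are made up.
ZONE = {
    "far.gxjfsm.com": "v=spf1 include:far.gxjfsm.com ~all",
    "yagia.ekruem.com": "v=spf1 include:yagia.ekruem.com ~all",
    "a.example": "v=spf1 include:b.example ~all",      # indirect loop a -> b -> a
    "b.example": "v=spf1 include:a.example ~all",
    "ok.example": "v=spf1 include:leaf.example -all",  # healthy chain
    "leaf.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap; only include/redirect are counted here

class SPFPermError(Exception):
    """Permanent error: the published policy cannot be evaluated."""

def get_spf(domain):
    """Hypothetical resolver stub: return the SPF TXT string or None."""
    return ZONE.get(domain.lower().rstrip("."))

def walk(domain, chain=(), budget=None):
    """Follow include:/redirect= targets depth-first; return lookups used."""
    budget = [0] if budget is None else budget
    domain = domain.lower().rstrip(".")
    if domain in chain:  # already being evaluated further up the chain: a loop
        raise SPFPermError("include loop: " + " -> ".join(chain + (domain,)))
    record = get_spf(domain)
    if record is None:  # an include target without a policy is a permerror
        raise SPFPermError("no SPF record for " + domain)
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        target = None
        if term.lower().startswith("include:"):
            target = term[len("include:"):]
        elif term.lower().startswith("redirect="):
            target = term[len("redirect="):]
        if target:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                raise SPFPermError("more than %d DNS lookups" % MAX_LOOKUPS)
            walk(target, chain + (domain,), budget)
    return budget[0]

def check(domain):
    """Return (result, detail) immediately instead of waiting for a timeout."""
    if get_spf(domain) is None:
        return ("none", "no SPF record")
    try:
        return ("ok", walk(domain))
    except SPFPermError as exc:
        return ("permerror", str(exc))
```

A policy daemon that gets `permerror` back at once can answer the SMTP client straight away rather than holding the connection until the policy service times out.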
 
  

