[TAG] Please update your account information.
Rick Moen
rick at linuxmafia.com
Mon Nov 21 18:55:51 MSK 2005
Quoting Kapil Hari Paranjape (kapil at imsc.res.in):
> > I wish I could turn on SPF-checking. (I might be able to, at this
> > point.) That would eliminate these things entirely.
>
> You could enable SPF-checking in spamassassin rather than in exim. This will
> add to the overall spamassassin score.

The problem was not where those RRs got checked; the problem was that
the checking heuristics were (at least, at that time) buggy.

Following my most recent full system rebuild, I set up the Perl-based
spfd from CPAN, and enabled SPF-checking in my MTA. Immediately, Bad
Things began to happen:

Date: Wed, 2 Feb 2005 19:01:55 -0800
From: David Wolfskill <david at catwhisker.org>
To: TAG <tag at lists.linuxgazette.net>
To: rick at linuxmafia.com
Subject: [MAILER-DAEMON at baylisa.org: Returned mail: see transcript for
details]
Not sure there's a whole lot I can do about this:
----- Forwarded message from Mail Delivery Subsystem <MAILER-DAEMON at baylisa.org>
-----
Date: Wed, 2 Feb 2005 18:46:41 -0800 (PST)
From: Mail Delivery Subsystem <MAILER-DAEMON at baylisa.org>
To: TAG <tag at lists.linuxgazette.net>
To: owner-blw at baylisa.org
Subject: Returned mail: see transcript for details
The original message was received at Wed, 2 Feb 2005 18:44:44 -0800 (PST)
from localhost [127.0.0.1]
----- The following addresses had permanent fatal errors -----
rick at linuxmafia.com
(reason: 550-SPF verification failed: star at starshine.org (Heather
Stern))
(expanded from: :include:/etc/mail/majordomo/lists/blw)
----- Transcript of session follows -----
Message delivered to mailing list <blw-outgoing at www.baylisa.org>
... while talking to linuxmafia.com.:
>>> DATA
<<< 550-SPF verification failed: star at starshine.org (Heather Stern)
<<< 550-.
<<< 550-[EximConfig-2.0-linuxmafia.com-Sender-Verify-SPF-From]
<<< 550-.
<<< 550-Verify: verified-rick at linuxmafia.com
<<< 550-Contact: postmaster at linuxmafia.com
<<< 550-.
<<< 550-Host: 205.217.155.154
<<< 550-Domain: starshine.org
<<< 550-.
<<< 550-Reason: linuxmafia.com: domain of star at starshine.org does not designate
<<< 550-205.217.155.154 as permitted sender
<<< 550-.
<<< 550-Sorry, your message has been rejected because
<<< 550-you are attempting to send from a host that is
<<< 550-not authorised to send outgoing mail for the
<<< 550-above domain.
<<< 550-.
<<< 550-The owners of the domain are using SPF (Sender
<<< 550-Policy Framework, see http://spf.pobox.com/) to
<<< 550-publish a list of hosts that are authorised to
<<< 550-send mail using their domain.
<<< 550-.
<<< 550-The host that you are sending from (see above) is
<<< 550-not one of these authorised hosts.
<<< 550-.
<<< 550-Please ensure that the sender and/or reply
<<< 550-to address that you use when sending e-mail
<<< 550-is a valid address that belongs to you with a
<<< 550-domain name that exists and can be successfully
<<< 550-looked up in the public Internet DNS.
<<< 550-.
<<< 550-We apologise if you have sent a legitimate
<<< 550-message and it has been blocked. If this is
<<< 550-the case, please re-send adding verified- to
<<< 550-the beginning of the e-mail address of each
<<< 550-recipient. If you do this, your message will
<<< 550-get through these restrictions.
<<< 550-.
<<< 550-If your message has been incorrectly blocked,
<<< 550-please let us know at the above contact address.
<<< 550-.
<<< 550-Please contact your IT department or Internet
<<< 550-Service Provider (ISP) for assistance.
<<< 550 .
554 5.0.0 Service unavailable
Reporting-MTA: dns; www.baylisa.org
Received-From-MTA: DNS; localhost
Arrival-Date: Wed, 2 Feb 2005 18:44:44 -0800 (PST)
Final-Recipient: RFC822; blw-outgoing at www.baylisa.org
X-Actual-Recipient: RFC822; rick at linuxmafia.com
Action: failed
Status: 5.2.0
Remote-MTA: DNS; linuxmafia.com
Diagnostic-Code: SMTP; 550-SPF verification failed: star at starshine.org (Heather
Stern)
Last-Attempt-Date: Wed, 2 Feb 2005 18:46:16 -0800 (PST)
Return-Path: <owner-blw>
Received: from www.baylisa.org (localhost [127.0.0.1])
by www.baylisa.org (8.13.1/8.13.1) with ESMTP id j132ii96004200
for <blw-outgoing at www.baylisa.org>; Wed, 2 Feb 2005 18:44:44 -0800 (PST)
Received: (from majordom at localhost)
by www.baylisa.org (8.13.1/8.13.1/Submit) id j132iiqG004199
for blw-outgoing; Wed, 2 Feb 2005 18:44:44 -0800 (PST)
Received: from gemini.starshine.org (gemini.starshine.org [216.240.40.169])
by www.baylisa.org (8.13.1/8.13.1) with ESMTP id j132ifd5004194
for <blw at baylisa.org>; Wed, 2 Feb 2005 18:44:41 -0800 (PST)
Received: by gemini.starshine.org (Postfix, from userid 1000)
id 40F6695077F; Wed, 2 Feb 2005 18:37:51 -0800 (PST)
Date: Wed, 2 Feb 2005 18:37:51 -0800
To: Jennifer Davis <iennae at gmail.com>
Cc: BayLISA Wheels <blw at baylisa.org>
Subject: Re: Updated Speaker Pipeline
Message-ID: <20050203023751.GA10532 at starshine.org>
References: <e3bf36f105011111245aad2b17 at mail.gmail.com>
 <e3bf36f105011113436e505148 at mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <e3bf36f105011113436e505148 at mail.gmail.com>
User-Agent: Mutt/1.5.6+20040907i
From: Heather Stern <star at starshine.org>
To: TAG <tag at lists.linuxgazette.net>
Sender: owner-blw at baylisa.org
Precedence: bulk
----- End forwarded message -----
Peace,
david (current hat: postmaster at baylisa.org)
--
David H. Wolfskill david at catwhisker.org
There always has been more to "Open Source" than just GNU/Linux.
See http://www.catwhisker.org/~david/publickey.gpg for public key.

Heather had sent a mailing list post via the Majordomo setup at
baylisa.org aka www.baylisa.org to the "blw" (BayLISA Wheels) mailing
list. baylisa.org had duly attempted to deliver a copy to me as a
blw member -- only to be refused delivery by my MTA on the spurious and
irrelevant grounds of its IP address (205.217.155.154) not being listed
in the SPF records as an authorised sender (an MX) for domain
starshine.org.

(For the benefit of people to whom SPF is unfamiliar, it's essentially
a "reverse MX" reference record in your domain's DNS, in which you
declare to the public which specific IP addresses, if any, should be
regarded as authoritative mail exchangers aka MXes for one's domain.
Thus, by implication, MTAs elsewhere are encouraged to reject as
fraudulent all mail claiming to be from your domain that arrived from
any _other_ IP addresses.)

What was _supposed_ to happen was that spfd should have checked the
delivering IP address against the domain indicated in the _envelope_
sender line (the "From " line), which I believe in this case was
"blw-outgoing at www.baylisa.org". However, what _appears_ to have
happened is that my MTA attempted to validate the internal "From:"
sender line's sender, "star at starshine.org".

I had already noticed, and was trying to diagnose, what turned out to be
a related anomaly: I wasn't receiving any of my own posts to mailing
lists. This turned out to be because my MTA was (erroneously) refusing
mail from, say, the IP address of mail.svlug.org because that IP was not
listed in the SPF records for the domain of "From:" sender
"rick at linuxmafia.com".

So, some of the SPF-handling plumbing was acting in an extremely
brain-dead manner: "Eximconfig" author J.P. Boggis speculated to me
that the fault lay in spfd performing the check on the wrong header,
which seemed plausible. In any event, this debacle was embarrassing me
in front of my peers, and I really had no alternative but to switch off
that check, rather than attempt further diagnosis.

So, in short, I have to be concerned about that brain damage possibly
still being present in spfd, irrespective of which program calls it.
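
Added example (not part of the original post, and not code from spfd or Eximconfig): a Python illustration of the failure described above, evaluating SPF for the same connecting IP once against the envelope sender's domain and once against the header "From:" domain. The SPF records, the envelope sender address and the function names are assumptions constructed for illustration; only the IP addresses and domain names come from the bounce.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF TXT records for illustration; NOT the domains' real records.
SPF_TXT = {
    "baylisa.org": "v=spf1 ip4:205.217.155.154 -all",
    "starshine.org": "v=spf1 ip4:216.240.40.169 -all",
}

def spf_check(client_ip, domain):
    """Evaluate the ip4/ip6 and 'all' mechanisms of a domain's SPF record."""
    record = SPF_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"  # default qualifier when none is written
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return qualifiers[qual]
    return "neutral"  # no mechanism matched

def domain_of(address):
    """Domain part of an address such as 'Name <user@example.org>'."""
    return parseaddr(address)[1].rpartition("@")[2]

def compare_identities(client_ip, mail_from, raw_headers):
    """Return (result for envelope sender, result for header From:)."""
    header_from = message_from_string(raw_headers)["From"]
    return (spf_check(client_ip, domain_of(mail_from)),
            spf_check(client_ip, domain_of(header_from)))

# Constructed headers modelled on the list post in the bounce above.
SAMPLE_HEADERS = (
    "From: Heather Stern <star@starshine.org>\n"
    "Sender: owner-blw@baylisa.org\n"
    "Subject: Re: Updated Speaker Pipeline\n\n"
)

if __name__ == "__main__":
    # The list host connects; the envelope sender (assumed) is in baylisa.org.
    print(compare_identities("205.217.155.154", "owner-blw@baylisa.org", SAMPLE_HEADERS))
```

The envelope check passes for the list host while the header "From:" check fails, which matches the 550 rejection quoted in the bounce.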