Ubuntu > Postfix > SPF Fail

Discussion in 'Server Operation' started by jdmckay, Sep 24, 2014.

  1. jdmckay

    jdmckay New Member

    Hello,

    First time poster here.

    Setup: Ubuntu: 14.04
    Postfix: 2.11.0
    Python: 2.7.6

    I'm the "Swiss army knife" guy for our non-profit, a duty which includes setup/admin for our email server. This server has been running fairly well for 1+ yr; I'm currently doing much to improve spam management.

    Problem: we have one email sender who is integral to our work, a Professor at UNM (University of NM, Albuquerque). Postfix began returning SPF reject for this individual (after no issues since server went online) about 10 days ago:

    mail13-151 postfix/mx/smtpd[25184]: NOQUEUE: reject: RCPT from mail-bl2lp0205.outbound.protection.outlook.com[207.46.163.205]: 550 5.7.1 <[email protected]>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=helo;i...k.com;ip=207.46.163.205;[email protected]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<na01-bl2-obe.outbound.protection.outlook.com>

    Postfix uses python spf (our common choice in the PF config file) to run the SPF check. This returns a "soft fail" on the email server container.

    Reason I'm posting/asking here: we (several guys I'm doing developing with) have several Ubuntu servers around the country, each with multiple containers and each running same Ubuntu ver. On all but 1 (out of 6 tested) containers, this same file (python-spf) (from py lib: 2.0.7-3_all.deb or python-spf_2.0.8-2... checksum says both files identical) returns a Pass for the same rejected email address I posted above.

    I came from some yrs. working as a professional in the MS "universe" (more coding than admin), and took my first dive into Linux when I began this non-profit work. Given my current level of Linux expertise, and spending all morning GOOGLING for a hint at an explanation/solution to what I describe, I currently have no idea why we're getting such different SPF returns on the same OS running elsewhere.

    Of note... postfix logs show all other SPF rejections on this server completely appropriate, pleased/satisfied with performance except for this one issue.

    I won't be back online for 4-6 hrs, please don't take my lack of immediate response to mean I'm not checking responses here.

    Thanks in advance.
     
  2. royaladmin

    royaladmin New Member

    could DNS server be responding distinctly to SPF requests based on source IP?

    Hello,
    I am the platform administrator for the container described by jdmckay.

    My intuition is that because his IP address was recently the target of a spam relay robot,
    the IP is flagged by blacklist services. Of course, we fixed the situation, but as everyone reading this forum knows, it takes a minute for things to settle down and reputations to rebuild.

    So..., does Outlook have their DNS server responding differently to IP addresses on their inbound email blacklists? Sounds pretty fancy to me, but could be plausible.

    So here are the exact test results.
    Thanks to https://pypi.python.org/pypi/pyspf/.
    Thanks to http://www.wayforward.net/spf/.

    apt-get install python-spf

    Query result from most places I have tried (you can try at your location):

    $ /usr/lib/python2.7/dist-packages/spf.py 207.46.163.205 [email protected] na01-bl2-obe.outbound.protection.outlook.com
    (('pass', 250, 'sender SPF authorized'), 'include:outlook.com')

    Query result from our "flagged" IP address:

    $ /usr/lib/python2.7/dist-packages/spf.py 207.46.163.205 [email protected] na01-bl2-obe.outbound.protection.outlook.com
    (('softfail', 250, 'domain owner discourages use of this host'), '~all')

    I am grateful in advance and very interested to see who can add some insight here.
     
  3. royaladmin

    royaladmin New Member

    I should say the spam robot that relayed through our IP address was due to an attack on another of our containers entirely distinct from the jdmckay mail container, so it was not his issue but mine. I have plugged the hole and addressed it for the future, but the reputation is temporarily affected, as you readers likely all know, since the IP address is shared.

    Regardless of the underlying cause, has anyone heard of SPF responses coming back differently to different source IP addresses?
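
Added example, not part of the thread and not pyspf's code: a minimal SPF evaluator (ip4, include and all only) run over two constructed sets of TXT answers, showing how the same IP and sender domain can match an include from one resolver's view and fall through to ~all from another, and which record differs between the two. The domain names and records are constructed; the IP is the one from the log above.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, txt, depth=0):
    """Evaluate an SPF subset (ip4, include, all) against `txt`, a dict that
    stands in for one resolver's TXT answers. Returns (result, mechanism)."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return ("none", None)
    if depth > 10:  # guard against include loops (RFC 7208 caps DNS-querying terms at 10)
        return ("permerror", None)
    addr = ipaddress.ip_address(ip)
    for raw in record.split()[1:]:
        qualifier, term = (raw[0], raw[1:]) if raw[0] in RESULTS else ("+", raw)
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner, _ = check_spf(ip, term[8:], txt, depth + 1)
            if inner in ("none", "permerror"):
                return ("permerror", raw)  # broken include is an error, not a miss
            matched = inner == "pass"
        elif term == "all":
            matched = True
        else:
            return ("permerror", raw)  # outside the subset handled here
        if matched:
            return (RESULTS[qualifier], raw)
    return ("neutral", None)

def differing_records(view_a, view_b):
    """Names whose TXT answer differs between two resolver views."""
    return sorted(n for n in set(view_a) | set(view_b)
                  if view_a.get(n) != view_b.get(n))

# Constructed TXT answers as seen from two vantage points (hypothetical names).
VIEW_A = {"sender.example": "v=spf1 include:spf.provider.example ~all",
          "spf.provider.example": "v=spf1 ip4:207.46.163.0/24 -all"}
VIEW_B = {"sender.example": "v=spf1 include:spf.provider.example ~all",
          "spf.provider.example": "v=spf1 ip4:198.51.100.0/24 -all"}

if __name__ == "__main__":
    for name, view in (("A", VIEW_A), ("B", VIEW_B)):
        print(name, check_spf("207.46.163.205", "sender.example", view))
    print("differs:", differing_records(VIEW_A, VIEW_B))
```

On real servers the two views would be filled from the TXT answers each machine's resolver actually returns for the sender domain and every include target, so the differing record can be identified before looking at the SPF library.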
     
