Hockeychap
New Pleskian
Afternoon all,
Just for reference I've been through Forum Item 362649 to check to see if I've missed anything, but to no avail.
Current Setup (as of date of post)
Desc: Vanilla Server set up and managed by Plesk
Plesk Version: Plesk Obsidian Web Host Edition Version 18.0.41
Linux Version: Ubuntu 18.04.6 LTS
Host capacity: 20CPU , 8GB , 100GB storage
Bind Version: 9.11.3+dfsg-1ubuntu1.16 (maintainer ubuntu developers)
Postfix Version: 3.5.9-v.ubuntu.18.04+p18.0.41.0+t220113.1606 (maintainer plesk)
SPF Setting (current): Reject on Softfail
SPF Setting (desired): Reject on Fail
systemd-resolved.service : disabled
bind9.service: enabled
Current Resolv.conf:
nameserver 89.145.80.87
nameserver 89.145.80.93
search calax.co.uk
Current State and Performance
- System load generally below 0.2
- Bind9 TXT retrieval: uncached ~ 30 - 60 ms, cached 0 - 1 ms
- Mail volumes: between 1000 and 2000 valid emails a day , additional 2000 removed by spam / spf filters
A couple of examples from maillog are:
Time | Process | Message |
---|---|---|
Feb 3 11:00:4 | stormbringer spf[18840] | CF73B541F24: Error code: (26) DNS lookup failure |
Feb 3 11:00:4 | stormbringer spf[18840] | CF73B541F24: Failed to query MAIL-FROM: Temporary DNS failure for 'mail.patientaccess.com'. |
Feb 2 20:54:09 | stormbringer spf[29945] | 78924541EAC: Error code: (26) DNS lookup failure |
Feb 2 21:24:09 | stormbringer spf[29945] | 78924541EAC: Failed to query MAIL-FROM: Temporary DNS failure for 'jet2email.com'. |
The failure appears to only happen on first lookup / non-cached lookup. However, I wouldn't expect SPF to class this as a failure when DNS resolution time is consistently sub 80 - 100 ms.
Steps I've tried:
- Run Bind9 on IPv4 only
- Install Mail::SPF (SpamAssassin will use this rather than legacy)
- Update all existing Perl modules (cpan-outdated -p | cpanm)
- Increase the CPU count for Bind9
My questions:
1) Given that this is a Plesk managed installation, is there any further tuning of Bind9 I need to do?
2) Can a temporary DNS failure be moved to a softfail rather than a hardfail in SPF?
3) Can the SPF lookup timeout be extended to cope with sites that respond in the 50 - 100 ms mark?
4) Any other general suggestions, as I'd like to clobber more of the spam at SPF level
Some example domains that resolve TXT ok (using dig), but that flag errors on the first lookup:
eu.perfect-quotes.com
accountancytoday.co.uk
base.co
mail.patientaccess.com
Best Wishes,
Justin
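
As an added example (not part of the original post and not Plesk's own tooling): a short Python tally of the `spf` "Temporary DNS failure" lines per sender domain, which shows whether a domain failed for one message only or for several. The syslog line layout and the sample lines, including queue ID `1A2B3C4D5E6` and the timestamps, are constructed assumptions; the message texts follow the maillog excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed syslog layout; message texts follow the post.
SAMPLE = """\
Feb  3 11:00:04 stormbringer spf[18840]: CF73B541F24: Error code: (26) DNS lookup failure
Feb  3 11:00:04 stormbringer spf[18840]: CF73B541F24: Failed to query MAIL-FROM: Temporary DNS failure for 'mail.patientaccess.com'.
Feb  3 11:07:31 stormbringer spf[18902]: 1A2B3C4D5E6: Failed to query MAIL-FROM: Temporary DNS failure for 'mail.patientaccess.com'.
Feb  2 20:54:09 stormbringer spf[29945]: 78924541EAC: Error code: (26) DNS lookup failure
Feb  2 20:54:09 stormbringer spf[29945]: 78924541EAC: Failed to query MAIL-FROM: Temporary DNS failure for 'jet2email.com'.
"""

# Assumed layout: "<Mon> <day> <time> <host> spf[<pid>]: <queue-id>: <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+spf\[(?P<pid>\d+)\]:\s+"
    r"(?P<qid>[0-9A-F]+):\s+(?P<msg>.*)$"
)
ERR = re.compile(r"Error code: \((?P<code>\d+)\)")
TEMP = re.compile(r"Temporary DNS failure for '(?P<domain>[^']+)'")


def temp_failures(lines):
    """Return {domain: [(timestamp, queue_id, error_code or None), ...]}."""
    codes = {}  # queue id -> most recent error code logged for that message
    by_domain = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an spf line in the assumed layout
        if (e := ERR.search(m["msg"])):
            codes[m["qid"]] = int(e["code"])
        elif (t := TEMP.search(m["msg"])):
            by_domain[t["domain"].lower()].append(
                (m["ts"], m["qid"], codes.get(m["qid"])))
    return dict(by_domain)


def repeated(failures):
    """Domains that failed for more than one message, not only a first lookup."""
    return sorted(d for d, hits in failures.items()
                  if len({qid for _, qid, _ in hits}) > 1)


if __name__ == "__main__":
    found = temp_failures(SAMPLE.splitlines())
    for domain, hits in found.items():
        print(domain, len(hits), hits)
    print("repeated:", repeated(found))
```

Feeding it the real maillog lines instead of `SAMPLE` gives a per-domain list to compare against `dig` timings for the same names.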